General

  • Target: PAYMENT FOR INV-N102.exe
  • Size: 569KB
  • Sample: 230206-h2phaace57
  • MD5: be1645867fa6422fc02f52fd1a9b91e2
  • SHA1: 98673b3df49489e144da5f457515cfba84873b75
  • SHA256: c4be26f16b500a69a26c344c7840ac5aee9fa4f32cca050924a848019ed29bbd
  • SHA512: 605e5db25959b15de67f7ce5a70c062258c0d17a0e7de932e488bad214b4c6b9b3c60e9219b36185df351baa469c100822c2a296ab8bc0a494950f00f1e9d911
  • SSDEEP: 12288:y8OG0deh2Q1IhJs3tm4lAy4Xpzzx9avGhctKr8z9i7+pvFCWtO:Zv07h+tmsTcpiv3Ar8zw6Rkh

Malware Config

Targets

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code (GeoID) configured in the registry, likely a geofence: samples with this check typically exit or stay dormant when the configured country is not one the operator wants to infect.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is a common step in process hollowing and similar injection: the entry point of a suspended thread is redirected to code the sample has written into the target process.
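
The evasion signatures above say that the sample reads guest-tools keys, BIOS strings, the locale GeoID and the disk enumeration from the registry, but the report does not show which keys or values it compares against. The following PowerShell is an added example, not part of the Triage report or of the sample, that enumerates the locations such checks commonly target so an analyst can see what a sample doing these checks would observe on a given sandbox VM before re-detonating it. The key paths, value names and indicator strings (VMware, VBOX, innotek, QEMU, and so on) are assumptions drawn from common anti-VM code, not from this report.

```powershell
# Added example (not from the Triage report or the sample): show what a
# registry-based anti-VM / geofence check sees on this machine. Key paths and
# indicator strings are assumptions drawn from common evasion code; the report
# does not state which keys this particular sample reads.

$vmStrings = 'VMware', 'VirtualBox', 'VBOX', 'innotek', 'QEMU', 'Xen', 'KVM', 'Bochs', 'Virtual'

function Test-VmString([string]$Value) {
    # Return the indicator strings that occur in $Value (nothing if none match).
    if (-not $Value) { return }
    $vmStrings | Where-Object { $Value -match [regex]::Escape($_) }
}

function Show-Check([string]$Name, [string]$Value, [string[]]$Hits) {
    $flag = if ($Hits) { "  <-- VM indicator: $($Hits -join ', ')" } else { '' }
    '{0,-32} {1}{2}' -f $Name, $Value, $flag
}

# 1. Guest-tools keys ("Looks for VirtualBox Guest Additions / VMware Tools registry key").
#    Their mere presence is the indicator; no value needs to be read.
$toolKeys = @{
    'VirtualBox Guest Additions' = 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions'
    'VMware Tools'               = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
}
foreach ($k in $toolKeys.GetEnumerator()) {
    $present = Test-Path -LiteralPath $k.Value
    Show-Check $k.Key $(if ($present) { 'present' } else { 'absent' }) $(if ($present) { @($k.Key) } else { @() })
}

# 2. BIOS / system strings ("Checks BIOS information in registry"). On a default
#    VM these carry the hypervisor vendor; sandboxes should override them.
$bios = Get-ItemProperty -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
$sys  = Get-ItemProperty -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System'      -ErrorAction SilentlyContinue
$biosValues = [ordered]@{
    'BIOS\SystemManufacturer'  = $bios.SystemManufacturer
    'BIOS\SystemProductName'   = $bios.SystemProductName
    'BIOS\BIOSVendor'          = $bios.BIOSVendor
    'System\SystemBiosVersion' = ($sys.SystemBiosVersion -join ' ')
    'System\VideoBiosVersion'  = ($sys.VideoBiosVersion -join ' ')
}
foreach ($kv in $biosValues.GetEnumerator()) {
    Show-Check $kv.Key $kv.Value (Test-VmString $kv.Value)
}

# 3. Locale GeoID ("Checks computer location settings"). Nation holds the
#    Windows GEOID of the configured country; 244 is the United States.
$nation = (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue).Nation
Show-Check 'Geo\Nation (GeoID)' $nation @()

# 4. Disk enumeration ("Maps connected drives based on registry"). Each numbered
#    value is the hardware ID of an attached disk and names the disk vendor,
#    which on an unmodified VM is the hypervisor's virtual disk.
$disks = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum' -ErrorAction SilentlyContinue
if ($disks) {
    $disks.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object {
        Show-Check "Disk\Enum\$($_.Name)" $_.Value (Test-VmString $_.Value)
    }
}
```

Run it as an ordinary user inside the analysis VM; none of these keys require elevation to read. Every line flagged with a VM indicator is something a sample with these checks can key on, so the fix belongs on the hypervisor side (SMBIOS and disk vendor strings in the VM configuration) or in the VM image (renaming or removing the guest-tools keys) rather than in the sample's run. The GeoID line has no indicator because the right value depends on the campaign: if a sample exits immediately on a geofence check, re-detonate with the locale set to a country the lure targets.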

MITRE ATT&CK Enterprise v6

Tasks