Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    fZURDihz.txt

  • Size

    3KB

  • Sample

    230311-3tv1baca23

  • MD5

    1ddb4a1e46115e4996059f165ea62467

  • SHA1

    56e21e491a8dddbf48d3f704d1ce03260008221f

  • SHA256

    3b234bcbd34396cab8761fd7c197936b08a2da6d30c75736f2e8fb680d7eb073

  • SHA512

    22f37358a253e9d4e3e8bf03bde0e526131fce8276971091dfa8504bc032c08c4a4be8245ebeccae288b33fc19f8b48f6833a9f1a0fcb6a03a72eb47ab200dfe

Malware Config

Targets

    • Target

      fZURDihz.txt

    • Size

      3KB

    • MD5

      1ddb4a1e46115e4996059f165ea62467

    • SHA1

      56e21e491a8dddbf48d3f704d1ce03260008221f

    • SHA256

      3b234bcbd34396cab8761fd7c197936b08a2da6d30c75736f2e8fb680d7eb073

    • SHA512

      22f37358a253e9d4e3e8bf03bde0e526131fce8276971091dfa8504bc032c08c4a4be8245ebeccae288b33fc19f8b48f6833a9f1a0fcb6a03a72eb47ab200dfe

    • Blocklisted process makes network request

    • Contacts a large (509) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks