Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5
-
Size
180KB
-
Sample
231002-ffgjfafd4w
-
MD5
9fa0492f671ae03b7785f7ada9a5ba8b
-
SHA1
abb13c61df1b4304e35f97a250b3a0a36ea833c8
-
SHA256
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5
-
SHA512
4f8f9f268af21f303199856cc125daa6eefccf85b2c117fb918c7b7823fb5bcddde2d7d7ce571b8a8c79c204f1a28e09e20140e7bb965f4e27650a80fe28b5ec
-
SSDEEP
3072:tdcnjefohKpFKK1OHg6MQ6hR66R4idQe4hhT8UW33kAqlZ0g4qqXZvYQavwNB95V:HEjKCKpFNEdN6HzRQFQUkkAhg4pZzB
Static task
static1
Behavioral task
behavioral1
Sample
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
Resource
win7-20230831-en
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
fabookie
http://app.nnnaajjjgc.com/check/safe
Targets
-
-
Target
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5
-
Size
180KB
-
MD5
9fa0492f671ae03b7785f7ada9a5ba8b
-
SHA1
abb13c61df1b4304e35f97a250b3a0a36ea833c8
-
SHA256
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5
-
SHA512
4f8f9f268af21f303199856cc125daa6eefccf85b2c117fb918c7b7823fb5bcddde2d7d7ce571b8a8c79c204f1a28e09e20140e7bb965f4e27650a80fe28b5ec
-
SSDEEP
3072:tdcnjefohKpFKK1OHg6MQ6hR66R4idQe4hhT8UW33kAqlZ0g4qqXZvYQavwNB95V:HEjKCKpFNEdN6HzRQFQUkkAhg4pZzB
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Fabookie payload
-
Glupteba payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
6Disable or Modify Tools
4Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1