General

  • Target: Creal.exe

  • Size: 259KB

  • Sample: 231030-ll8srsdh73

  • MD5: 95bc946291c97f0115b02ef2e5fae30b

  • SHA1: 288a2bde9f36304092e4057e5c1da84c0b59e5bf

  • SHA256: 60019b1582f57361cfb8fe0a80478de8f7a6e2f6fb07d11d85427d32be964437

  • SHA512: d5f67d3582585960ade1205f4a020ba90a0631516d569ea03c9632fa5c99d0dac63b768ee7af6e8d4f2eba64a8c3fcb3e2ddfc204f02a8cf94ef0c3a4a21fc40

  • SSDEEP: 6144:4uAF3sVGWlmU14h0p6wGUY3c+qmxgynWgwsj9:4uAFyVlmo4h0pRGUKOpm9

Malware Config

Targets

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks