Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f

  • Size

    82KB

  • Sample

    231102-d5nypsff9w

  • MD5

    e3571a16f67482e4614ea047b9d7f1e7

  • SHA1

    27692eafcf957721e1935f52d23e4a92ff3ebc92

  • SHA256

    ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f

  • SHA512

    24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370

  • SSDEEP

    1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://101.34.222.38:8081/JsFY

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://101.34.222.38:8081/load

Attributes
  • access_type

    512

  • host

    101.34.222.38,/load

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    8081

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3NwQWsqvq+XSFe/EjAzMJhY8xqwi14YBYjK+/ja1RTMe1mfTBtCoTyS8zstORfS172w4dWmA+KR7xxEqz1J0ZtIXjGjWtRlQiCIIqPHPAu0mbPckYHwu1xJkKqEaH9XqA5t5ZWgK93jZzFZkNLu7BKusiC9xxspe/QhRY4BvuZQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)

  • watermark

    391144938

Targets

    • Target

      ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f

    • Size

      82KB

    • MD5

      e3571a16f67482e4614ea047b9d7f1e7

    • SHA1

      27692eafcf957721e1935f52d23e4a92ff3ebc92

    • SHA256

      ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f

    • SHA512

      24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370

    • SSDEEP

      1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks