
Resubmissions

  • 14/02/2024, 04:27  240214-e28z5sac24  7
  • 14/02/2024, 04:11  240214-erxjcsgf8z  10
  • 14/02/2024, 04:02  240214-els9rahf93  10

General

  • Target: 240214-ej2s4shf39_pw_infected.zip
  • Size: 192KB
  • Sample: 240214-erxjcsgf8z
  • MD5: 216b05a02283bcad19054588e6c5e067
  • SHA1: 9b07b765543a016159330d3c46fa780860cb4638
  • SHA256: a0f267ce25b8317beea96b42dd1d0b4e211a873cac9b2e3bcfff89f8d1c514e0
  • SHA512: 4b3ea98a3148f1badb8c93c7ba0d464b0c4c1bfd663ab765190cab246cd85fce85335682521b3f13ff71afa6d8bdec77e09d4a36c1fa374043b24027f7c49a8d
  • SSDEEP: 3072:5D6wDnWgK1YOfMVWVWyCV7qFKF5B439+qLSyWIn6N/JVvcyOUwzz0ttSAeDcymMc:5HLw8WxCVW+5BxNyWIi/T9OJoP72a

Malware Config

Targets

    • Target: Keygen.exe
    • Size: 200KB
    • MD5: 9718045f5002b741172a6c659e3b97fd
    • SHA1: 101403393b50c9de54efc4370d078922ba5f7c47
    • SHA256: 2a8eea400ff4d71f70d7d3b5d5ff6e636a98c84fbcb6217d5ac705a10a3b1fa7
    • SHA512: 2a68394fba1c7585d8c37fd5811285d064579a411e7d7b0616a17164f3ddccc15557e35062b03f3c5a4634b00913dad71d1756d94683571dedab8423372a9a88
    • SSDEEP: 3072:9EbmpgY+Iu0VSdVe4DOprtjG+URYEPZL4jAoI0PRy2XDZd+p6ewDejhqrY5S/+9T:O93Iwe4qDjGR/y0oDdNd+E2qrvWIMk

    Signatures

    • Modifies firewall policy service
    • Downloads MZ/PE file
    • Modifies AppInit DLL entries
    • Sets file execution options in registry
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Registers COM server for autorun
    • UPX packed file
      Detects executables packed with UPX or a modified build of the UPX open-source packer.
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Checks whether UAC is enabled
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Legitimate hosting services abused for malware hosting/C2
    • Checks system information in the registry
      System information is often read in order to detect sandboxing environments.
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks