General

  • Target

    thunder.exe

  • Size

    789KB

  • Sample

    240224-xxcegsca84

  • MD5

    cc51616cd326b6e3d32aa6efea1458cc

  • SHA1

    c1d3825c8aec02784d62bf3ddb7b7205be0f91a0

  • SHA256

    66a0cd7e450467aac94e6af624096f01e8b8df211c9bd0d77f4a90be385d8673

  • SHA512

    64f094a671cad8bd955e9f0413fd557a40b50bd9a1d0080a49125aae382e66a5752cce67f13b16d4ad0190065f255592e4c3400e4e6a92c49dc7fcc531d980f2

  • SSDEEP

    12288:DFUNDaSxK20cBcUyPBHQE6dIIykOHXGVd6TR49SQmVOw:DFOayKGBcUCHFgykOHXE8l4qVOw

Malware Config

Targets

    • Modifies visibility of hidden/system files in Explorer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks