Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b244e513afdb92c5560568c5affc2d9c

  • Size

    300KB

  • Sample

    240304-qy748acf75

  • MD5

    b244e513afdb92c5560568c5affc2d9c

  • SHA1

    c615c65bab397636f5b6690a4266cda53ca874a0

  • SHA256

    9f56df3329f89948da8c36c53e1a21dad138963e7dba5b4de03759cb8f5bb1c9

  • SHA512

    6018cb8a7218e3b1bd412f050901e6dc1493294daa5bd46576fe74d728e4fbc68a9c94f84fd922bad3a4d020b06e28cacbeea6757c3115aefa23e1b1ccdd7f9f

  • SSDEEP

    3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioYa7DzroG2sKqqw:p3lOYoaja8xzx/0wsxzSiBa77oNsKqq

Malware Config

Targets

    • Target

      b244e513afdb92c5560568c5affc2d9c

    • Size

      300KB

    • MD5

      b244e513afdb92c5560568c5affc2d9c

    • SHA1

      c615c65bab397636f5b6690a4266cda53ca874a0

    • SHA256

      9f56df3329f89948da8c36c53e1a21dad138963e7dba5b4de03759cb8f5bb1c9

    • SHA512

      6018cb8a7218e3b1bd412f050901e6dc1493294daa5bd46576fe74d728e4fbc68a9c94f84fd922bad3a4d020b06e28cacbeea6757c3115aefa23e1b1ccdd7f9f

    • SSDEEP

      3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioYa7DzroG2sKqqw:p3lOYoaja8xzx/0wsxzSiBa77oNsKqq

    • Contacts a large (6609) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v15

Tasks