General

  • Target: b62ef270df2cb46fb862130d270e5d84
  • Size: 164KB
  • Sample: 240306-bzlv2sfc2y
  • MD5: b62ef270df2cb46fb862130d270e5d84
  • SHA1: d298c1fd29a775989290e5b43ed5c9be3779eac6
  • SHA256: 6a9f18f06cff43ca4a84231ec05cd0f13b72fc250bb75ccda4ace60c2c2dcb75
  • SHA512: 6bec24e4a1faee4c9b1b79571004633b0d2d3c5d4570b7fdc85825be348ec84d9d2bda877c6ebd99aecfef42ecd2d38493d2764f6344e3bb5f3c777b0c2e73a3
  • SSDEEP: 3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioiaabEtnwKSDP99w:p3lOYoaja8xzx/0wsxzSigabE5wKSDPo

Targets

    • Contacts a large number (5984) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Writes file to system bin folder
