General

  • Target

    026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608.exe

  • Size

    2.4MB

  • Sample

    240406-bc7t1age63

  • MD5

    f5ae4fdb7579db408cc119c7df5ba699

  • SHA1

    7119c29754409ab879eae0548c3c24395c27e16e

  • SHA256

    026855ec0e8786cfb946a1c5f858190afc566b6f14d310fe37780c0ebe1e8608

  • SHA512

    445d2a66100af7a1b7f85e8cb0f6c06af0ae436d514d818c102f81ffa4e92984353f0635d1aa7121e832efda642d4843e0d87e84819144dd356c9ffe99bcfb5f

  • SSDEEP

    49152:MajGm3M0mm2dUE5qMsS5SeBtvGz68gNR0T3vRs+1FXclTbVzi:Maj1vmm0fsSQm8OA3vRLbclTbVW

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Detects executables manipulated with Fody

    • Detects executables packed with unregistered version of .NET Reactor

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
