Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    SSCosmetics (2).exe

  • Size

    252KB

  • Sample

    240407-wzdjwsah2s

  • MD5

    f278e2fb4010c8403c00cf988354a0fd

  • SHA1

    3c1c63f2f6678cc55deda531413674c9f4b090cf

  • SHA256

    1fd1e3eceac872dffbc901adfba60312f30068884c2ef3ae8f15d6ce6f7aa474

  • SHA512

    85257af5832cb33de94d80544720ae91f2060b63513ddfac9698637531a5c1049dd37c22416fd0d624e6430be2f0c03d436ef4009cb2cab91c087169723da0b9

  • SSDEEP

    6144:ZHU8VKT4OTtspISTvlnJjG02iyGE31i9bqKTaucqW:e8VlO5oISblnJjGjiyGSZkau8

Score
10/10

Malware Config

Targets

    • Target

      SSCosmetics (2).exe

    • Size

      252KB

    • MD5

      f278e2fb4010c8403c00cf988354a0fd

    • SHA1

      3c1c63f2f6678cc55deda531413674c9f4b090cf

    • SHA256

      1fd1e3eceac872dffbc901adfba60312f30068884c2ef3ae8f15d6ce6f7aa474

    • SHA512

      85257af5832cb33de94d80544720ae91f2060b63513ddfac9698637531a5c1049dd37c22416fd0d624e6430be2f0c03d436ef4009cb2cab91c087169723da0b9

    • SSDEEP

      6144:ZHU8VKT4OTtspISTvlnJjG02iyGE31i9bqKTaucqW:e8VlO5oISblnJjGjiyGSZkau8

    Score
    10/10
    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks