Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Winhost.exe

windows10-2004-x64

1

Winhost.exe

windows11-21h2-x64

1

Winhost.exe

windows10-2004-x64

10

Winhost.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Winhost.zip

  • Size

    1.1MB

  • Sample

    240429-rhheasch31

  • MD5

    988840294ac21239351ceacb7a01c680

  • SHA1

    f7390cda074155f43447357eb6de66483b18e119

  • SHA256

    13a74aca20ecf49679abd3c49265b931f9ae422a0c9fd76ca18dd7997f1c9871

  • SHA512

    5375df4eddc2bc03efd5400b73237dc16a82537216e0fc0bf428d330b7e58f0a0998265779506eab4cafa23f897b771a4cb36cd2306f4fd07669a70e275b3b89

  • SSDEEP

    24576:j4fiOigMi/TP3cHGEjV/lquTOlqyreIjUyC3cpP4/GlmOj:j45ZP3aGEHfTOlqyqIwyfdz

Score
10/10
evasionransomwarespywarestealertrojan

Malware Config

Targets

    • Target

      Winhost.dll

    • Size

      1.0MB

    • MD5

      95a23a0b51922fb8df0d48b3a41b807f

    • SHA1

      23e3c80540e00bc1fae0fec17e2879b0c68bb0cc

    • SHA256

      bb9491ed516e306ed5bc1399961545f18b79a3b6ad4414f7ec230e98826ad460

    • SHA512

      ba1dfed05e74613a9a15442d8d92ff9f0703290567f7181b116bf1d514b2ab925908fb4fd5bff777273ef6832f56ecd0f5d1f760bcc7363ec947c95ad50c9850

    • SSDEEP

      24576:E5A5tpc4ij533WbiEjVLl2uHYlUCreGjA8EPKpbc7:EIE333iiEXbHYlUCqGs8pV

    Score
    1/10
    behavioral1behavioral2

    • Target

      Winhost.exe

    • Size

      139KB

    • MD5

      b046a025e8e53fbd316629125c687c3d

    • SHA1

      5fc76dc221a4287b706ecc57834e7ed848d41a46

    • SHA256

      bc18713902edd2f64cae8d04bf37b8545a10c7882e3d3b1fb6f26a677f27434c

    • SHA512

      be05f7f721d11733172f91d9aad622a86917ccac0e28817ab54d28d13510654755f40a986300d3b823d91fa041ee806823704e3537b2e31dd9de144ac25f7895

    • SSDEEP

      3072:uiS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJA8ltE:uiS4ompB9S3BZi0a1G78IVhcSct

    Score
    10/10
    evasionspywarestealertrojanransomware

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables cmd.exe use via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

5
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Tasks