Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
23/01/2025, 23:01
250123-2znbzsxmgt 915/12/2024, 21:47
241215-1nhfxsykcs 311/12/2024, 15:28
241211-swgklasqdj 821/09/2024, 16:31
240921-t1qvhasdmk 612/08/2024, 10:22
240812-mebp5awhkn 625/07/2024, 11:21
240725-nge11ayeqg 713/07/2024, 10:18
240713-mcdfyaxajp 911/07/2024, 20:03
240711-ysrjaa1hnj 708/06/2024, 18:41
240608-xb31baee6w 3General
-
Target
AutoIt-Extractor-net40-x64.exe
-
Size
1.2MB
-
Sample
240523-ycws3adf7v
-
MD5
205792ce0da5273baffa6aa5b87d3a88
-
SHA1
50439afe5c2bd328f68206d06d6c31190b3946c6
-
SHA256
d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403
-
SHA512
186f2fac650ee02683c689b0c04867a30330a5475475b106a2aaaedc5e2fa3c9325cf07a2c5321044f5aed1502d729d1d9537ac57bf7733cc228c44ceaba7821
-
SSDEEP
24576:pcdWeAKpCklFpaQ3vGvW68WxOFxT6YP7KPU48YNL8SsbJDeAKpCZG:QFAcdFpa068WxOFxT6YP7KPU48YNVsbu
Malware Config
Targets
-
-
Target
AutoIt-Extractor-net40-x64.exe
-
Size
1.2MB
-
MD5
205792ce0da5273baffa6aa5b87d3a88
-
SHA1
50439afe5c2bd328f68206d06d6c31190b3946c6
-
SHA256
d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403
-
SHA512
186f2fac650ee02683c689b0c04867a30330a5475475b106a2aaaedc5e2fa3c9325cf07a2c5321044f5aed1502d729d1d9537ac57bf7733cc228c44ceaba7821
-
SSDEEP
24576:pcdWeAKpCklFpaQ3vGvW68WxOFxT6YP7KPU48YNL8SsbJDeAKpCZG:QFAcdFpa068WxOFxT6YP7KPU48YNVsbu
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender notification settings
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Virtualization/Sandbox Evasion
1