Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

a3e4a7c4f3...8c.exe

windows7-x64

8

a3e4a7c4f3...8c.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a3e4a7c4f37f185ccd7696eece42348c.exe

  • Size

    117KB

  • Sample

    240528-sy7jssbe77

  • MD5

    a3e4a7c4f37f185ccd7696eece42348c

  • SHA1

    f9cbc1d00796fe5a8debaef74d59c567277bfd60

  • SHA256

    7bc2536f2b4f69cb20c0d7f996aaedafab15cf4d73f54792e74ac72be3ecf01f

  • SHA512

    0f8396c64ec0bd8d9c97ea75811269e7e9cc4c388b770343b59f54c89663f51bce9df4aabda0095e1a37c801e01badbb1c8976479d6aa430fccff8dfea431353

  • SSDEEP

    384:Gmjw/SoQzbZlKp6yTcKnwYQFITaxV+avOUrIL+330jaYtL5oNEASAFxG/yD494JI:G+LbqpHwmMREo0jaf6sFSyD5rh2T

Score
9/10
evasionexecutionpersistenceupx

Malware Config

Targets

    • Target

      a3e4a7c4f37f185ccd7696eece42348c.exe

    • Size

      117KB

    • MD5

      a3e4a7c4f37f185ccd7696eece42348c

    • SHA1

      f9cbc1d00796fe5a8debaef74d59c567277bfd60

    • SHA256

      7bc2536f2b4f69cb20c0d7f996aaedafab15cf4d73f54792e74ac72be3ecf01f

    • SHA512

      0f8396c64ec0bd8d9c97ea75811269e7e9cc4c388b770343b59f54c89663f51bce9df4aabda0095e1a37c801e01badbb1c8976479d6aa430fccff8dfea431353

    • SSDEEP

      384:Gmjw/SoQzbZlKp6yTcKnwYQFITaxV+avOUrIL+330jaYtL5oNEASAFxG/yD494JI:G+LbqpHwmMREo0jaf6sFSyD5rh2T

    Score
    9/10
    executionpersistenceevasionupx

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Modifies RDP port number used by Windows

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Remote Services

2
T1021

Remote Desktop Protocol

2
T1021.001

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks