Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    a3e4a7c4f37f185ccd7696eece42348c.exe

  • Size

    117KB

  • Sample

    240528-sy7jssbe77

  • MD5

    a3e4a7c4f37f185ccd7696eece42348c

  • SHA1

    f9cbc1d00796fe5a8debaef74d59c567277bfd60

  • SHA256

    7bc2536f2b4f69cb20c0d7f996aaedafab15cf4d73f54792e74ac72be3ecf01f

  • SHA512

    0f8396c64ec0bd8d9c97ea75811269e7e9cc4c388b770343b59f54c89663f51bce9df4aabda0095e1a37c801e01badbb1c8976479d6aa430fccff8dfea431353

  • SSDEEP

    384:Gmjw/SoQzbZlKp6yTcKnwYQFITaxV+avOUrIL+330jaYtL5oNEASAFxG/yD494JI:G+LbqpHwmMREo0jaf6sFSyD5rh2T

Malware Config

Targets

    • Target

      a3e4a7c4f37f185ccd7696eece42348c.exe

    • Size

      117KB

    • MD5

      a3e4a7c4f37f185ccd7696eece42348c

    • SHA1

      f9cbc1d00796fe5a8debaef74d59c567277bfd60

    • SHA256

      7bc2536f2b4f69cb20c0d7f996aaedafab15cf4d73f54792e74ac72be3ecf01f

    • SHA512

      0f8396c64ec0bd8d9c97ea75811269e7e9cc4c388b770343b59f54c89663f51bce9df4aabda0095e1a37c801e01badbb1c8976479d6aa430fccff8dfea431353

    • SSDEEP

      384:Gmjw/SoQzbZlKp6yTcKnwYQFITaxV+avOUrIL+330jaYtL5oNEASAFxG/yD494JI:G+LbqpHwmMREo0jaf6sFSyD5rh2T

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Modifies RDP port number used by Windows

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks