Resubmissions

30/05/2024, 20:32

240530-zblgdahd7x 10

General

  • Target

    tthyperRuntimedhcpSvc.exe

  • Size

    1.5MB

  • Sample

    240530-zblgdahd7x

  • MD5

    7a4073a468cf2d6ae2836893f467c81d

  • SHA1

    ff54a200d4f6a1a696182f2cfde6e735b2580f37

  • SHA256

    af6a3a206daa66c291daac3dc17f29dd7d0e1504a92b6346b5c5fa252dcc3ef5

  • SHA512

    8df794241d4162850b5243b0844b3818a6ff010f2dda65bdae3a88a69e6f368c700c81997d781568652cb3b42ec98bd5d25ba86fec7d3b7a5856d459dba3bdd5

  • SSDEEP

    24576:6Rcf6gYLRV8nJ4BMFvJw184tEAXQKQq6i0c:6cyloWgvJw1Zsi

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
