Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

  • Size

    11.8MB

  • Sample

    240608-qx4emsca8t

  • MD5

    44d806942d0bbc5f4302867243b66a18

  • SHA1

    4405cd3f84680d4888ef7f9fb0a651c82b3573b9

  • SHA256

    758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

  • SHA512

    661aeb2b1037c1ef446056f8f71a0d4f2eba8702072b931c87604ac58f408d93c1fcb2cc04b1fceb312318361b3c88e3e94c8ab0e318e4e8a669f81950a5c6f9

  • SSDEEP

    98304:5pmhaWByjQAidj9ZMDvcpOnUxBEtg71fnhfagct8zaqz/8:5d+yjQLKvcpPxCa1VT8

Malware Config

Targets

    • Target

      758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

    • Size

      11.8MB

    • MD5

      44d806942d0bbc5f4302867243b66a18

    • SHA1

      4405cd3f84680d4888ef7f9fb0a651c82b3573b9

    • SHA256

      758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

    • SHA512

      661aeb2b1037c1ef446056f8f71a0d4f2eba8702072b931c87604ac58f408d93c1fcb2cc04b1fceb312318361b3c88e3e94c8ab0e318e4e8a669f81950a5c6f9

    • SSDEEP

      98304:5pmhaWByjQAidj9ZMDvcpOnUxBEtg71fnhfagct8zaqz/8:5d+yjQLKvcpPxCa1VT8

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks