a6b3c831e2ec1107992848070d0b8100f3bab8ba576b7f7629ebbae951867fd5 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

fc6a3bcff7...ll.jpg

windows10-1703-x64

3

fc6a3bcff7...ll.jpg

windows10-2004-x64

8

fc6a3bcff7...ll.jpg

windows11-21h2-x64

3

Sharing

General

Target

fc6a3bcff7342c84897e51eea16cf2c9bc2db3f1_full.jpg
Size

16KB
Sample

240609-11ntgagb96
MD5

62998e35cf8c9b271f4daf8ac0ddfb1e
SHA1

db740b683ed625a346268876f89e72e9a24d5fdf
SHA256

a6b3c831e2ec1107992848070d0b8100f3bab8ba576b7f7629ebbae951867fd5
SHA512

24b873447134fdd08041842f36a73774fa6a6c8a640358dc9788af9ef56e0a3d1690dbf3c3c13210e26c5c3ac57aae2b8c10dd50df9fe3fe62b2e3d9c6404dd1
SSDEEP

384:FvkvGM8sMtmp9vwlB+53iNO6CG51qXHKn7wdrkv:WXJMtmp9Ilu3iM6FKqn7skv

Score

8^/10

discovery execution persistence

Static task

static1

Behavioral task

behavioral1

Sample

fc6a3bcff7342c84897e51eea16cf2c9bc2db3f1_full.jpg

Resource

win10-20240404-en

windows10-1703-x64

1 signatures

1200 seconds

Behavioral task

behavioral2

Sample

fc6a3bcff7342c84897e51eea16cf2c9bc2db3f1_full.jpg

Resource

win10v2004-20240508-en

discovery execution persistence

windows10-2004-x64

28 signatures

1200 seconds

Behavioral task

behavioral3

Sample

fc6a3bcff7342c84897e51eea16cf2c9bc2db3f1_full.jpg

Resource

win11-20240508-en

windows11-21h2-x64

1 signatures

1200 seconds

Malware Config

Targets

- Target
  
  fc6a3bcff7342c84897e51eea16cf2c9bc2db3f1_full.jpg
- Size
  
  16KB
- MD5
  
  62998e35cf8c9b271f4daf8ac0ddfb1e
- SHA1
  
  db740b683ed625a346268876f89e72e9a24d5fdf
- SHA256
  
  a6b3c831e2ec1107992848070d0b8100f3bab8ba576b7f7629ebbae951867fd5
- SHA512
  
  24b873447134fdd08041842f36a73774fa6a6c8a640358dc9788af9ef56e0a3d1690dbf3c3c13210e26c5c3ac57aae2b8c10dd50df9fe3fe62b2e3d9c6404dd1
- SSDEEP
  
  384:FvkvGM8sMtmp9vwlB+53iNO6CG51qXHKn7wdrkv:WXJMtmp9Ilu3iM6FKqn7skv
Score

8^/10

discovery execution persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discoveryexecutionpersistence

behavioral3

© 2018-2025

Terms | Privacy