Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

readme2.txt.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    readme2.txt.exe

  • Size

    25KB

  • Sample

    240705-wcwf7asdqq

  • MD5

    9f3d97d7cad1f049d92a5e0520004a91

  • SHA1

    6a69fd2813e16e036bba5261375e285244e2a361

  • SHA256

    296e2583c5d91e1c5c4c9f36cdd54ada7ee5e95585a9549799bba6b89f5d4d15

  • SHA512

    ecbadae5a1254bad3851462198454059100b8b78f770e7f8455f6fb80fee3dec586380832a76b1bc0fecd5ee8ad0a62268d8269ab9e555f83bd9a279951d0b69

  • SSDEEP

    768:tEHP8+xiXHShdO28nM41v18bVb/gm3Hrdn:tEHP8+x4SqgZ/X3x

Score
10/10
dharmadefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Targets

    • Target

      readme2.txt.exe

    • Size

      25KB

    • MD5

      9f3d97d7cad1f049d92a5e0520004a91

    • SHA1

      6a69fd2813e16e036bba5261375e285244e2a361

    • SHA256

      296e2583c5d91e1c5c4c9f36cdd54ada7ee5e95585a9549799bba6b89f5d4d15

    • SHA512

      ecbadae5a1254bad3851462198454059100b8b78f770e7f8455f6fb80fee3dec586380832a76b1bc0fecd5ee8ad0a62268d8269ab9e555f83bd9a279951d0b69

    • SSDEEP

      768:tEHP8+xiXHShdO28nM41v18bVb/gm3Hrdn:tEHP8+x4SqgZ/X3x

    Score
    10/10
    dharmadefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Renames multiple (557) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Accessibility Features

1
T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Accessibility Features

1
T1546.008

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

5
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

9
T1012

System Information Discovery

5
T1082

Virtualization/Sandbox Evasion

5
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.