Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

REGFuck-master.zip

windows10-1703-x64

10

Resubmissions

12/10/2024, 12:46

241012-pzt4ba1dmf 3

12/10/2024, 12:45

241012-pzd24avhqp 3

12/10/2024, 12:44

241012-pyyeca1dja 1

12/10/2024, 12:42

241012-pxr6ya1cme 1

05/08/2024, 23:13

240805-27gt6s1hln 6

08/07/2024, 16:42

240708-t71chsybln 3

07/07/2024, 23:47

240707-3svcdssckm 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    REGFuck-master.exe

  • Size

    12.0MB

  • Sample

    240707-3svcdssckm

  • MD5

    722617cdd98e194d4f563982f6aba31b

  • SHA1

    6e3015e27f5a0c6f8291138264d91495a6fdd251

  • SHA256

    ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

  • SHA512

    359fa012dbf2846d0cb23be3987d1de392022fe1a0ca07198aea999aa3b452aacca2a6a56507722fac929cb4d1524ffbcd9d36249750b117c0b05c25a0e380a7

  • SSDEEP

    196608:0RlCttaNOH4fhUUB2pVBIHWIzDyFtXGAFBS+8hga9PBYDEnJtH+Ci+SZqSuIIDP:0RlkrhU6V+HWIzuFtZS+C9JVHxi+SgI2

Score
10/10
defense_evasiondiscoveryevasionpersistenceprivilege_escalationransomwaretrojan

Malware Config

Targets

    • Target

      REGFuck-master.exe

    • Size

      12.0MB

    • MD5

      722617cdd98e194d4f563982f6aba31b

    • SHA1

      6e3015e27f5a0c6f8291138264d91495a6fdd251

    • SHA256

      ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

    • SHA512

      359fa012dbf2846d0cb23be3987d1de392022fe1a0ca07198aea999aa3b452aacca2a6a56507722fac929cb4d1524ffbcd9d36249750b117c0b05c25a0e380a7

    • SSDEEP

      196608:0RlCttaNOH4fhUUB2pVBIHWIzDyFtXGAFBS+8hga9PBYDEnJtH+Ci+SZqSuIIDP:0RlkrhU6V+HWIzuFtZS+C9JVHxi+SgI2

    Score
    10/10
    defense_evasiondiscoveryevasionpersistenceprivilege_escalationransomwaretrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies RDP port number used by Windows

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets service image path in registry

      persistence

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

      persistence

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Modifies system executable filetype association

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

      persistence

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

7
T1547

Active Setup

1
T1547.014

Port Monitors

1
T1547.010

Print Processors

1
T1547.012

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

4
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

7
T1547

Active Setup

1
T1547.014

Port Monitors

1
T1547.010

Print Processors

1
T1547.012

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

4
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

5
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Safe Mode Boot

1
T1562.009

Modify Registry

19
T1112

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

9
T1012

System Information Discovery

8
T1082

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks