General
Target: REGFuck-master.exe
Size: 12.0MB
Sample: 240707-3svcdssckm
MD5: 722617cdd98e194d4f563982f6aba31b
SHA1: 6e3015e27f5a0c6f8291138264d91495a6fdd251
SHA256: ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4
SHA512: 359fa012dbf2846d0cb23be3987d1de392022fe1a0ca07198aea999aa3b452aacca2a6a56507722fac929cb4d1524ffbcd9d36249750b117c0b05c25a0e380a7
SSDEEP: 196608:0RlCttaNOH4fhUUB2pVBIHWIzDyFtXGAFBS+8hga9PBYDEnJtH+Ci+SZqSuIIDP:0RlkrhU6V+HWIzuFtZS+C9JVHxi+SgI2

Static task: static1
Behavioral task: behavioral1
Sample: REGFuck-master.zip
Resource: win10-20240404-en

Malware Config

Targets
Target: REGFuck-master.exe
Size: 12.0MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General

Signatures
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Boot or Logon Autostart Execution: Port Monitors
  Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
  Attackers can modify the Authenticode and Cryptography registry keys (for example the SIP and trust provider registrations) so that their binary passes signature validation.
- Modifies RDP port number used by Windows
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Uses Session Manager for persistence
  Creates a Session Manager registry key to run an executable early in system boot.
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies WinLogon
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Sets desktop wallpaper using registry
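Most of the signatures above are raised by writes to a handful of well-known registry locations (Active Setup StubPath, print monitor and print processor Driver values, Winlogon Shell/Userinit, Session Manager BootExecute, IFEO Debugger, per-user CLSID InprocServer32, service ImagePath, the TermService ServiceDll, the RDP-Tcp PortNumber, SafeBoot, the CryptSIP registrations and the Explorer Advanced values). The following Python is an added example, not tria.ge's signature engine and not code from the analysed sample: it maps Sysmon Event ID 13 (RegistryEvent, value set) records onto the signature names used in this report and the matching ATT&CK technique IDs. The rule paths are the standard abuse locations; the sample events, including the image path, SID and GUIDs, are constructed placeholders.

```python
"""Map Sysmon registry-write events (Event ID 13, value set) onto the registry-based
signatures listed in this report, with ATT&CK technique IDs.  Added example: the
rules and sample events are constructed for illustration; this is not tria.ge's
signature logic and not code from the analysed sample."""
import re

REGISTRY_SET_VALUE = 13  # Sysmon RegistryEvent (Value Set)

# (signature name as it appears in the report, ATT&CK ID, regex on the normalised path)
RULES = [
    ("Boot or Logon Autostart Execution: Active Setup", "T1547.014",
     r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$"),
    ("Boot or Logon Autostart Execution: Port Monitors", "T1547.010",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\[^\\]+\\Driver$"),
    ("Boot or Logon Autostart Execution: Print Processors", "T1547.012",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\[^\\]+\\Driver$"),
    ("Modifies WinLogon for persistence", "T1547.004",
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$"),
    ("Uses Session Manager for persistence", "T1547",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute$"),
    ("Event Triggered Execution: Image File Execution Options Injection", "T1546.012",
     r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+\\Debugger$"),
    ("Event Triggered Execution: Component Object Model Hijacking", "T1546.015",
     r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(?:InprocServer32|LocalServer32)(?:\\.*)?$"),
    ("Sets service image path in registry", "T1543.003",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$"),
    ("Server Software Component: Terminal Services DLL", "T1505.005",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters\\ServiceDll$"),
    ("Modifies RDP port number used by Windows", "T1112",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$"),
    ("Impair Defenses: Safe Mode Boot", "T1562.009",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(?:Minimal|Network)\\"),
    ("Manipulates Digital Signatures", "T1553.003",
     r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDll\w+\\\{[0-9A-F-]+\}\\(?:Dll|FuncName)$"),
    ("Modifies visibility of file extensions in Explorer", "T1564.001",
     r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt$"),
    ("Modifies visibility of hidden/system files in Explorer", "T1564.001",
     r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\(?:Hidden|ShowSuperHidden)$"),
]
_COMPILED = [(name, tid, re.compile(rx, re.IGNORECASE)) for name, tid, rx in RULES]

# Sysmon writes hives as HKLM/HKU and per-user keys as HKU\<SID>[_Classes]\...; fold those and
# the ControlSet00N aliases onto one spelling so a single rule covers every user and control set.
_ALIASES = [
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKEY_CURRENT_USER\\", re.I), r"HKCU\\"),
    (re.compile(r"^HKEY_USERS\\", re.I), r"HKU\\"),
    (re.compile(r"^HKU\\S-1-5-21-[\d-]+_Classes\\", re.I), r"HKCU\\Software\\Classes\\"),
    (re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I), r"HKCU\\"),
    (re.compile(r"\\ControlSet\d{3}\\", re.I), r"\\CurrentControlSet\\"),
]


def normalise(target_object: str) -> str:
    """Canonicalise a Sysmon TargetObject path so the rules above can match it."""
    for pattern, replacement in _ALIASES:
        target_object = pattern.sub(replacement, target_object)
    return target_object


def classify(event: dict) -> list:
    """Return [(signature, technique)] for one Sysmon event; [] for non-writes or unmatched paths."""
    if event.get("EventID") != REGISTRY_SET_VALUE:
        return []
    path = normalise(event["TargetObject"])
    return [(name, tid) for name, tid, rx in _COMPILED if rx.match(path)]


def triage(events: list) -> dict:
    """Aggregate hits per signature, as the report does: {signature: {technique, count, images}}."""
    hits = {}
    for ev in events:
        for name, tid in classify(ev):
            entry = hits.setdefault(name, {"technique": tid, "count": 0, "images": set()})
            entry["count"] += 1
            entry["images"].add(ev.get("Image", "?"))
    return hits


# Constructed sample events: the image path, SID, GUIDs and values are placeholders, not real run data.
_IMG = r"C:\Users\admin\Desktop\REGFuck-master.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _IMG, "Details": r"C:\Users\admin\AppData\Roaming\payload.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath"},
    {"EventID": 13, "Image": _IMG, "Details": r"explorer.exe,C:\Users\admin\AppData\Roaming\payload.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": 13, "Image": _IMG, "Details": "DWORD (0x00000d3d)",
     "TargetObject": r"HKLM\System\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"},
    {"EventID": 13, "Image": _IMG, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"EventID": 13, "Image": _IMG, "Details": r"C:\Users\admin\AppData\Roaming\hijack.dll",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001_Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32\(Default)"},
    # Control: Event ID 12 (key created) carries no value, so classify() ignores it.
    {"EventID": 12, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute"},
]

if __name__ == "__main__":
    for name, info in triage(SAMPLE_EVENTS).items():
        print(f"{info['technique']:<10} x{info['count']}  {name}  <- {', '.join(sorted(info['images']))}")
```

The folding of `ControlSet00N` and `HKU\<SID>` paths is what keeps the rule table short; without it, the RDP-port and Explorer rules would silently miss writes logged under the concrete control set or user SID. Note that the sandbox-evasion signatures in this report (BIOS, drive and system-information checks, the country-code lookup and the Uninstall enumeration) are registry reads, which Sysmon does not log, so they need a different source such as a Procmon trace or an ETW registry provider rather than Event ID 13.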
-
MITRE ATT&CK Enterprise v15 (number in parentheses = matched signatures per technique)

Persistence
  Boot or Logon Autostart Execution (7)
    Active Setup (1)
    Port Monitors (1)
    Print Processors (1)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (2)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (4)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Server Software Component (1)
    Terminal Services DLL (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (7)
    Active Setup (1)
    Port Monitors (1)
    Print Processors (1)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (2)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (4)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (5)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
    Safe Mode Boot (1)
  Modify Registry (19)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)