Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

12/10/2024, 12:46

241012-pzt4ba1dmf 3

12/10/2024, 12:45

241012-pzd24avhqp 3

12/10/2024, 12:44

241012-pyyeca1dja 1

12/10/2024, 12:42

241012-pxr6ya1cme 1

05/08/2024, 23:13

240805-27gt6s1hln 6

08/07/2024, 16:42

240708-t71chsybln 3

07/07/2024, 23:47

240707-3svcdssckm 10

General

  • Target

    REGFuck-master.exe

  • Size

    12.0MB

  • Sample

    240707-3svcdssckm

  • MD5

    722617cdd98e194d4f563982f6aba31b

  • SHA1

    6e3015e27f5a0c6f8291138264d91495a6fdd251

  • SHA256

    ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

  • SHA512

    359fa012dbf2846d0cb23be3987d1de392022fe1a0ca07198aea999aa3b452aacca2a6a56507722fac929cb4d1524ffbcd9d36249750b117c0b05c25a0e380a7

  • SSDEEP

    196608:0RlCttaNOH4fhUUB2pVBIHWIzDyFtXGAFBS+8hga9PBYDEnJtH+Ci+SZqSuIIDP:0RlkrhU6V+HWIzuFtZS+C9JVHxi+SgI2

Malware Config

Targets

    • Target

      REGFuck-master.exe

    • Size

      12.0MB

    • MD5

      722617cdd98e194d4f563982f6aba31b

    • SHA1

      6e3015e27f5a0c6f8291138264d91495a6fdd251

    • SHA256

      ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

    • SHA512

      359fa012dbf2846d0cb23be3987d1de392022fe1a0ca07198aea999aa3b452aacca2a6a56507722fac929cb4d1524ffbcd9d36249750b117c0b05c25a0e380a7

    • SSDEEP

      196608:0RlCttaNOH4fhUUB2pVBIHWIzDyFtXGAFBS+8hga9PBYDEnJtH+Ci+SZqSuIIDP:0RlkrhU6V+HWIzuFtZS+C9JVHxi+SgI2

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visiblity of hidden/system files in Explorer

    • UAC bypass

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies RDP port number used by Windows

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Modifies system executable filetype association

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks