Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

SteelSerie...up.exe

windows10-1703-x64

8

$_45_/driver/$R0.dll

windows10-1703-x64

5

apps/engin...64.dll

windows10-1703-x64

5

apps/engin...64.dll

windows10-1703-x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SteelSeriesGG66.0.0Setup.exe

  • Size

    365.0MB

  • Sample

    240711-mlm2qsvflb

  • MD5

    b339f39200e9b0c91d4c25a1df165e68

  • SHA1

    01e9f826e9752b496511a337fdce4cad94afdb45

  • SHA256

    b48981cacda09af3e47a1bf322949b7a12749f93a2fbc2b63b33aae5563ad848

  • SHA512

    9a80f45e5e60fb12043a9e6ef878142579eba503f534ffc66250eec3443906d7efc07c71046d2fa10d8a0de5e7c2c45d96d6df11afd42f41d6d93fe3d2e38eaf

  • SSDEEP

    6291456:A7bqNm881Aa0+oMmConAckfKlP7hOSlnqN3AK4ildp6OvBn/tlPzaDHr:AqaShlMmCrckiBhRna3nldtB/PPUL

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalationupx

Malware Config

Targets

    • Target

      SteelSeriesGG66.0.0Setup.exe

    • Size

      365.0MB

    • MD5

      b339f39200e9b0c91d4c25a1df165e68

    • SHA1

      01e9f826e9752b496511a337fdce4cad94afdb45

    • SHA256

      b48981cacda09af3e47a1bf322949b7a12749f93a2fbc2b63b33aae5563ad848

    • SHA512

      9a80f45e5e60fb12043a9e6ef878142579eba503f534ffc66250eec3443906d7efc07c71046d2fa10d8a0de5e7c2c45d96d6df11afd42f41d6d93fe3d2e38eaf

    • SSDEEP

      6291456:A7bqNm881Aa0+oMmConAckfKlP7hOSlnqN3AK4ildp6OvBn/tlPzaDHr:AqaShlMmCrckiBhRna3nldtB/PPUL

    Score
    8/10
    discoveryevasionexecutionpersistenceprivilege_escalationupx

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral1

    • Target

      $_45_/driver/$R0

    • Size

      223KB

    • MD5

      5b3896272ddd7f58fcbfbe0b4212e67a

    • SHA1

      cdf2ab2a56b9dd8473d01f68780fd190531dc013

    • SHA256

      675224ec12c25e0c8792fd736bca8589da7311ad801b7f307b37a6f3105071a9

    • SHA512

      566a496ad0fcf9cfd41cc6745a246821a7154cb4cf3fe53c98321871a0365d2b4d84ee075093255f794110988e0504b435005e1c009fc286557771079d77c7f3

    • SSDEEP

      3072:ExMi9XRe4X2fRlHwdr/TAAkghhnEudvTNV3R+fTrl9fUZz2fIbkDjCRsn8NA/:563X2fjErLTjnEudX3R+XlhjIUc1C/

    Score
    5/10
    persistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral2

    • Target

      apps/engine/AudioDeviceFXPluginAPI.x64.dll

    • Size

      223KB

    • MD5

      5b3896272ddd7f58fcbfbe0b4212e67a

    • SHA1

      cdf2ab2a56b9dd8473d01f68780fd190531dc013

    • SHA256

      675224ec12c25e0c8792fd736bca8589da7311ad801b7f307b37a6f3105071a9

    • SHA512

      566a496ad0fcf9cfd41cc6745a246821a7154cb4cf3fe53c98321871a0365d2b4d84ee075093255f794110988e0504b435005e1c009fc286557771079d77c7f3

    • SSDEEP

      3072:ExMi9XRe4X2fRlHwdr/TAAkghhnEudvTNV3R+fTrl9fUZz2fIbkDjCRsn8NA/:563X2fjErLTjnEudX3R+XlhjIUc1C/

    Score
    5/10
    persistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral3

    • Target

      apps/engine/AudioDeviceManagerAPI.x64.dll

    • Size

      170KB

    • MD5

      53891f0fe36fdce6e48fa5269a015737

    • SHA1

      b54e9b6d0c1c07195224c416e533996235649d13

    • SHA256

      8d09810cbbf355a81ecc1c379c5d1bd0e379df37205bbc8eb5aea8dbf7ae2d55

    • SHA512

      08634e567f12c72761bfda57c2c2c7af769b25b39933c32fd389fdfd33a3c5e3b4625662304acf9dc3e93f97200d7a37b9655d9b7786d75e50f418cf74459bd3

    • SSDEEP

      3072:nyfK22ggquZgLyQLg4McJcVURKrhNK0rrsquaP:yy22bgOQXJczIqZP

    Score
    5/10
    persistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks