General

  • Target

    SteelSeriesGG66.0.0Setup.exe

  • Size

    365.0MB

  • Sample

    240711-mlm2qsvflb

  • MD5

    b339f39200e9b0c91d4c25a1df165e68

  • SHA1

    01e9f826e9752b496511a337fdce4cad94afdb45

  • SHA256

    b48981cacda09af3e47a1bf322949b7a12749f93a2fbc2b63b33aae5563ad848

  • SHA512

    9a80f45e5e60fb12043a9e6ef878142579eba503f534ffc66250eec3443906d7efc07c71046d2fa10d8a0de5e7c2c45d96d6df11afd42f41d6d93fe3d2e38eaf

  • SSDEEP

    6291456:A7bqNm881Aa0+oMmConAckfKlP7hOSlnqN3AK4ildp6OvBn/tlPzaDHr:AqaShlMmCrckiBhRna3nldtB/PPUL

Malware Config

Targets

    • Target

      SteelSeriesGG66.0.0Setup.exe

    • Size

      365.0MB

    • MD5

      b339f39200e9b0c91d4c25a1df165e68

    • SHA1

      01e9f826e9752b496511a337fdce4cad94afdb45

    • SHA256

      b48981cacda09af3e47a1bf322949b7a12749f93a2fbc2b63b33aae5563ad848

    • SHA512

      9a80f45e5e60fb12043a9e6ef878142579eba503f534ffc66250eec3443906d7efc07c71046d2fa10d8a0de5e7c2c45d96d6df11afd42f41d6d93fe3d2e38eaf

    • SSDEEP

      6291456:A7bqNm881Aa0+oMmConAckfKlP7hOSlnqN3AK4ildp6OvBn/tlPzaDHr:AqaShlMmCrckiBhRna3nldtB/PPUL

    • Drops file in Drivers directory

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file packed with ACProtect.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      $_45_/driver/$R0

    • Size

      223KB

    • MD5

      5b3896272ddd7f58fcbfbe0b4212e67a

    • SHA1

      cdf2ab2a56b9dd8473d01f68780fd190531dc013

    • SHA256

      675224ec12c25e0c8792fd736bca8589da7311ad801b7f307b37a6f3105071a9

    • SHA512

      566a496ad0fcf9cfd41cc6745a246821a7154cb4cf3fe53c98321871a0365d2b4d84ee075093255f794110988e0504b435005e1c009fc286557771079d77c7f3

    • SSDEEP

      3072:ExMi9XRe4X2fRlHwdr/TAAkghhnEudvTNV3R+fTrl9fUZz2fIbkDjCRsn8NA/:563X2fjErLTjnEudX3R+XlhjIUc1C/

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      apps/engine/AudioDeviceFXPluginAPI.x64.dll

    • Size

      223KB

    • MD5

      5b3896272ddd7f58fcbfbe0b4212e67a

    • SHA1

      cdf2ab2a56b9dd8473d01f68780fd190531dc013

    • SHA256

      675224ec12c25e0c8792fd736bca8589da7311ad801b7f307b37a6f3105071a9

    • SHA512

      566a496ad0fcf9cfd41cc6745a246821a7154cb4cf3fe53c98321871a0365d2b4d84ee075093255f794110988e0504b435005e1c009fc286557771079d77c7f3

    • SSDEEP

      3072:ExMi9XRe4X2fRlHwdr/TAAkghhnEudvTNV3R+fTrl9fUZz2fIbkDjCRsn8NA/:563X2fjErLTjnEudX3R+XlhjIUc1C/

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      apps/engine/AudioDeviceManagerAPI.x64.dll

    • Size

      170KB

    • MD5

      53891f0fe36fdce6e48fa5269a015737

    • SHA1

      b54e9b6d0c1c07195224c416e533996235649d13

    • SHA256

      8d09810cbbf355a81ecc1c379c5d1bd0e379df37205bbc8eb5aea8dbf7ae2d55

    • SHA512

      08634e567f12c72761bfda57c2c2c7af769b25b39933c32fd389fdfd33a3c5e3b4625662304acf9dc3e93f97200d7a37b9655d9b7786d75e50f418cf74459bd3

    • SSDEEP

      3072:nyfK22ggquZgLyQLg4McJcVURKrhNK0rrsquaP:yy22bgOQXJczIqZP

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
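Three of the entries above (the installer and the two apps/engine DLLs) carry the COM hijacking signature, and the installer also carries "Adds Run key to start application". The report does not show which registry writes triggered them, and an installer that registers its own COM servers under HKLM writes the same InprocServer32 keys that a hijack would, so the signature alone does not separate vendor registration from persistence. The script below is an added example, not Triage's rule code: it applies a stricter version of the two checks to constructed sandbox-style registry-write events, treating an InprocServer32 write under HKLM as ordinary registration and one under HKCU that shadows a CLSID already served from HKLM as the hijack pattern (non-elevated processes resolve per-user COM registrations before machine-wide ones; elevated processes ignore the per-user ones). The event shape, baseline CLSIDs and file paths are all constructed for the example.

```python
"""Persistence checks over sandbox-style registry-write events.

Added example for the report above; not Triage's signature code. The
events, CLSIDs and paths below are constructed, not taken from the run.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    pid: int
    key: str    # full key path, hive abbreviated as HKLM / HKCU
    value: str  # value name; "" is the (Default) value
    data: str


# A CLSID's in-process server is the (Default) value of its InprocServer32 key.
INPROC_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.IGNORECASE,
)

# Constructed baseline: CLSIDs registered machine-wide before the sample ran.
# On a real host this would be enumerated from HKLM\SOFTWARE\Classes\CLSID.
HKLM_BASELINE = {
    "{11111111-2222-3333-4444-555555555555}": r"C:\Windows\System32\example.dll",
}


def analyze(events, baseline):
    """Classify each write; returns (kind, subject, data) tuples.

    com_register       InprocServer32 written under HKLM: ordinary registration
                       of a new COM server, the shape an installer produces.
    com_hijack         InprocServer32 written under HKCU for a CLSID that HKLM
                       already serves: the per-user DLL now shadows the
                       machine-wide one for non-elevated callers.
    com_register_user  InprocServer32 under HKCU for a CLSID unknown to HKLM:
                       per-user registration, worth a look but not a hijack.
    run_key            Run / RunOnce autostart entry.
    """
    known = {c.upper(): p for c, p in baseline.items()}  # copy; do not mutate input
    findings = []
    for ev in events:
        m = INPROC_RE.match(ev.key)
        if m and ev.value == "":
            clsid = m["clsid"].upper()
            if m["hive"].upper() == "HKLM":
                known[clsid] = ev.data  # later HKCU writes for it count as shadowing
                findings.append(("com_register", clsid, ev.data))
            elif clsid in known:
                findings.append(("com_hijack", clsid, ev.data))
            else:
                findings.append(("com_register_user", clsid, ev.data))
        elif RUN_RE.match(ev.key):
            findings.append(("run_key", ev.value, ev.data))
    return findings


def hijacks(findings):
    """Only the findings that warrant a closer look."""
    return [f for f in findings if f[0] == "com_hijack"]


# Constructed events (not from the real run).
SAMPLE_EVENTS = [
    # Installer registers a new server machine-wide: benign shape.
    RegWrite(1200, r"HKLM\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32",
             "", r"C:\Program Files\Example\apps\engine\AudioDeviceFXPluginAPI.x64.dll"),
    RegWrite(1200, r"HKLM\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32",
             "ThreadingModel", "Both"),
    # Per-user override of a CLSID the machine already serves: hijack shape.
    RegWrite(4321, r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
             "", r"C:\Users\user\AppData\Roaming\helper.dll"),
    # Autostart entry.
    RegWrite(4321, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Helper", r"C:\Users\user\AppData\Roaming\helper.exe"),
    # Unrelated write, ignored.
    RegWrite(1200, r"HKLM\Software\Example\Install", "Version", "66.0.0"),
]

if __name__ == "__main__":
    for kind, subject, data in analyze(SAMPLE_EVENTS, HKLM_BASELINE):
        print(f"{kind:18} {subject:40} -> {data}")
```

To run this against a real task, map the registry-write rows from the task's behaviour log onto RegWrite and fill HKLM_BASELINE from a clean image's HKLM\SOFTWARE\Classes\CLSID. A com_register finding for a DLL under the install directory is what a vendor installer is expected to produce; a com_hijack pointing into a user-writable path is the finding that needs follow-up.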

MITRE ATT&CK Enterprise v15

Tasks