Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
hentai_and_nudes.exe
-
Size
8.4MB
-
Sample
240711-wrsnvazhng
-
MD5
e3ffdd51eee6c10338d01f5101deaa15
-
SHA1
3146e8075fe05e6747890b5a70a725d4481801ce
-
SHA256
5f04be7f8b2d882931ab4d8ae975c74c9a02f30dbf5b3d728d32d23bb257fd7b
-
SHA512
6d98ec5d4a2574547f4fe871369c5e0e32f463c6342f14b8ece001883ba76610daecd6316b691787a11c7506549b4216d8cb7816035771a3add6d8ee9c06d5ab
-
SSDEEP
196608:uINGefFRHvUWvogWOxu9kXwvdbD64uLnH0W8/LaSzy8s+5BZN/:BGCFRHd3bAlbiUW83zLZN
Behavioral task
behavioral1
Sample
hentai_and_nudes.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
hentai_and_nudes.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
ttinsta.ps1
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
ttinsta.ps1
Resource
win10v2004-20240709-en
Malware Config
Extracted
https://text.is/QW7R/raw
Extracted
C:\Users\Admin\Downloads\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
-
-
Target
hentai_and_nudes.exe
-
Size
8.4MB
-
MD5
e3ffdd51eee6c10338d01f5101deaa15
-
SHA1
3146e8075fe05e6747890b5a70a725d4481801ce
-
SHA256
5f04be7f8b2d882931ab4d8ae975c74c9a02f30dbf5b3d728d32d23bb257fd7b
-
SHA512
6d98ec5d4a2574547f4fe871369c5e0e32f463c6342f14b8ece001883ba76610daecd6316b691787a11c7506549b4216d8cb7816035771a3add6d8ee9c06d5ab
-
SSDEEP
196608:uINGefFRHvUWvogWOxu9kXwvdbD64uLnH0W8/LaSzy8s+5BZN/:BGCFRHd3bAlbiUW83zLZN
-
Modifies WinLogon for persistence
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies RDP port number used by Windows
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
ttinsta.pyc
-
Size
1KB
-
MD5
3f0f4450419e5f4e46467f551cf503d0
-
SHA1
f3b6b0df743a939c6d57bca03d1c9ad9889b84b0
-
SHA256
c63bfaccb23c08a8960f666e665954184eb9a9126442ecfb1d4a5209ca458222
-
SHA512
06cba8d3605e64a570dfa680dc0f6c9efa7bf5a50c7c11a3b45d6feb23a06db463deeef30e7f54a184c38bb582d5affc0f3f8e13d38f4e80bc10217197bfb816
Score3/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Indicator Removal
1File Deletion
1Modify Registry
9Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1