
General

  • Target

    Cydex Loader.zip

  • Size

    9.8MB

  • Sample

    240712-cf4r7awgkg

  • MD5

    7db3b3ddd79eb5915c8088e96563093d

  • SHA1

    bbca655e6d5de158755331eaa099604d4e1336d8

  • SHA256

    eaa1ca722cc0cb891d0ebd0cc74af29e7184e58a1656e54d858d19367401e350

  • SHA512

    a640517958fe097847734b06cca81fb4a94ce6ef93bba43772bcf54e630fb7b8fc038389b644044a1786127dd1f51fd1bcdc1085e8feb255441476c270031901

  • SSDEEP

    196608:VXJrptYPhfNNwfiRBJy/dJXNVUgNhg16hK8DdNJB00/wLoxPU5JpMYGl/qtqNunq:R8hf8myFZRNhgAPXTDIAs5fMYq7r

Malware Config

Targets

    • Target

      Cydex Loader.bat

    • Size

      13.0MB

    • MD5

      fd5e34bb3be950c5d99328d838c90fec

    • SHA1

      4ae0bf222014e8ddd1b897f2196b535c5d5aabcb

    • SHA256

      d8f5a306f726f64899ff24c1fbd7be438093ef89bed6ef8cec9fa0494f1b90d7

    • SHA512

      da68361bf220bc719920c9162e7295fff5fcbd3daa5e16bf36fb50ebc8cfa81747e016455f2ab4941f2527d06cc169991ef9f3ba036a7a62a3a27c8534730e28

    • SSDEEP

      49152:YuUvQg4JoDocb7J+qkGyye2opfp+xtvwP6Tb2QSBn+3nSJRa7d5oj2vO2Y4yUiiF:Y1

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in Drivers directory

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks