Submitted: 21/07/2024, 23:50
Analysis ID: 240721-3vvqyatcqq
Score: 10/10

General
Target: release.rar
Size: 15.1MB
Sample: 240721-3vvqyatcqq
MD5: 30e4aa74a4d5b420484e01f0a20b760d
SHA1: 5fd92d351334ad35ff3c0aa2514f2563a0aa1ed1
SHA256: a3198464998b05b72bfd3833a7daa407f01eb27e60bc5320ce61914909bf2c71
SHA512: b6e96a55cd375af0ece8ca112e98ca2b68aee20874d745aa78fc18452e0b1d43bcb2271b61f0e94321a9153bcf792d723a92af220662def9cf8bfb3548e89756
SSDEEP: 393216:Q4+J9ljdReUTMJ91AI9o3IBiyYEkfg7ClINIpB+d:QBDljdlyAI9oInFNBIpBq
Behavioral tasks
- behavioral1: release/main/cheat.exe on win7-20240708-en
- behavioral2: release/main/cheat.exe on win10v2004-20240709-en
- behavioral3: release/main/loader.exe on win7-20240704-en
- behavioral4: release/main/loader.exe on win10v2004-20240709-en
- behavioral5: release/map/map.exe on win7-20240704-en
- behavioral6: release/map/map.exe on win10v2004-20240709-en
Malware Config

Targets

Target: release/main/cheat.exe
Size: 4.1MB
MD5: a20e247d5dbab2a84b718801dec0025e
SHA1: 04d6c781da09b237068b1ed7054003a14833ea3b
SHA256: 74c5383e22aa8ae4e9941fd5d431c80b617f583e4158647c807d5d6188d7cced
SHA512: ec9728e9344563a74c2a906f3b289c6383bc2f564cf722170f3d3fdbfd433790b4811c7f3e8d3e9de5b16b4618ed8244eb055bf01e1ffc49fd5ad477af73011c
SSDEEP: 98304:IdlAOJ6MIcGcPJt4IEKNILJpCHFBPmjE2K/pu9mfhVlNNFQ:yqOYJcBP/4TKNItpCTmjERRu9enNI
Score: 9/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: release/main/loader.exe
Size: 7.8MB
MD5: 9630770c3cfa8b168b88d5ce51158212
SHA1: 7acd08a4209d52e9c468196190433e8860e043de
SHA256: 57829b537dd08471fd186965d9fbb5b0d6a82dd0fd3fe31613482376d379d4b2
SHA512: 623b71a9eb2e92dca3f45c8e7038998bc98eae889085007e5c01fdc4a56f0c545308c35b0e9c04019b8183d613fe8c506f91fd65da41595c32896d994789ae4b
SSDEEP: 196608:bHQsv5LEbT/9bvLz3S1bA3zwX/O20n97v+:dv5wbTlj3S1bOzkN0Zv+
Signatures:
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
Target: release/map/map.exe
Size: 3.3MB
MD5: a5a681b19458d693464f24f0d22d7b32
SHA1: 10b9edb6e510ee582815b3779064698ed9e90db8
SHA256: 04a72e5f734b6d97c78477d82b1bd24d45e47769b98d908920265a01bbde2d37
SHA512: e27f08721444474d7f37e45b6636f71cd5e9823ab197b6665f5c48106f8f84ec57bd5f1e953a3c2d0200ae0f9e80b72a261444bea6e828a62cd0b44bf128ab31
SSDEEP: 98304:GyVbJ5frOxTN0fAptwDUB+psfprlsg/zG3lC:f2JN0fG6wgsxrqQzGVC
Score: 9/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)