General

  • Target

    3a8a7f8b1268cc6cf7bf7b97a2126cad2f3fa13516ebbf89936c2d146328f94a

  • Size

    7.5MB

  • Sample

    240721-n2jvpa1hlp

  • MD5

    08439cf3032ec94989f5378ebfb0dd91

  • SHA1

    a80fa9d705b7de672e6adf62720656d1f530668e

  • SHA256

    3a8a7f8b1268cc6cf7bf7b97a2126cad2f3fa13516ebbf89936c2d146328f94a

  • SHA512

    751ff0a4fda0439d6db823e76b98e609c3cf29cd317db74c1c54d06e28bfdae081b324076ec3f3627729c057eca82171afa302da6c0e8bf6e7802d4737d7e805

  • SSDEEP

    196608:GZUGTLGBxY/geHxp6AQBENd1xeSQ1iK23TaHb7ORD49p:GZUGTLGrY/5HNQBEN5LQ1l23gvODap

Malware Config

Targets

    • Target

      rc7/SciLexer.dll

    • Size

      70KB

    • MD5

      d0aed298460a16c1b587875d411b0b4a

    • SHA1

      f542c3c3bd06c27c70c469bcced845863b10114d

    • SHA256

      e4e19790be03a782497d9ca11f74010b6a016127de984c7cb67a9ac2d04bdfb6

    • SHA512

      d73bbbe77b3caf43696c1685fc89c4d0ac2f0d6e11e6d0161943a2116073cd510f5349c369e51b748ce32c07047a0308960073e5d368acc882a7397398260c92

    • SSDEEP

      1536:pWAlQqfkspI8SZ/b61s0onHsgQXKZsW9QrcdKNZhn6YGxHu:pWypI8w/b6OpMgaKpQ6Kjhn6lO

    • Score

      3/10

    • Target

      rc7/lua5.1.dll

    • Size

      164KB

    • MD5

      ee3043c17751c763e26d03f6eebb1b8b

    • SHA1

      91d52c619c561db7f678b43456a2bd500064bfb1

    • SHA256

      26384c6ee7d50863e3fb65fdc1bad452d9311f34d782390401de9bb130eecc4a

    • SHA512

      1ee1aefef0ace1d5fe4a5fac06d1e46e55c9a2180b98cbda540cdf4a15e5e6f17c99c473276524b10485be574032a66c34ce08a9c973e9a46c59249307dead41

    • SSDEEP

      3072:PUvMMlibAYKY4rg4ODk2nCZdNcbjNXMga9j6n9aWBn:MvflibAYK/rFdwNcFI9aW

    • Score

      3/10

    • Target

      rc7/memcheck.CETRAINER

    • Size

      164KB

    • MD5

      ee3043c17751c763e26d03f6eebb1b8b

    • SHA1

      91d52c619c561db7f678b43456a2bd500064bfb1

    • SHA256

      26384c6ee7d50863e3fb65fdc1bad452d9311f34d782390401de9bb130eecc4a

    • SHA512

      1ee1aefef0ace1d5fe4a5fac06d1e46e55c9a2180b98cbda540cdf4a15e5e6f17c99c473276524b10485be574032a66c34ce08a9c973e9a46c59249307dead41

    • SSDEEP

      3072:PUvMMlibAYKY4rg4ODk2nCZdNcbjNXMga9j6n9aWBn:MvflibAYK/rFdwNcFI9aW

    • Score

      3/10

    • Target

      rc7/memcheck_.CEA

    • Size

      164KB

    • MD5

      ee3043c17751c763e26d03f6eebb1b8b

    • SHA1

      91d52c619c561db7f678b43456a2bd500064bfb1

    • SHA256

      26384c6ee7d50863e3fb65fdc1bad452d9311f34d782390401de9bb130eecc4a

    • SHA512

      1ee1aefef0ace1d5fe4a5fac06d1e46e55c9a2180b98cbda540cdf4a15e5e6f17c99c473276524b10485be574032a66c34ce08a9c973e9a46c59249307dead41

    • SSDEEP

      3072:PUvMMlibAYKY4rg4ODk2nCZdNcbjNXMga9j6n9aWBn:MvflibAYK/rFdwNcFI9aW

    • Score

      3/10

    • Target

      rc7/memchecka.CETRAINER

    • Size

      164KB

    • MD5

      ee3043c17751c763e26d03f6eebb1b8b

    • SHA1

      91d52c619c561db7f678b43456a2bd500064bfb1

    • SHA256

      26384c6ee7d50863e3fb65fdc1bad452d9311f34d782390401de9bb130eecc4a

    • SHA512

      1ee1aefef0ace1d5fe4a5fac06d1e46e55c9a2180b98cbda540cdf4a15e5e6f17c99c473276524b10485be574032a66c34ce08a9c973e9a46c59249307dead41

    • SSDEEP

      3072:PUvMMlibAYKY4rg4ODk2nCZdNcbjNXMga9j6n9aWBn:MvflibAYK/rFdwNcFI9aW

    • Score

      3/10

    • Target

      rc7/rc7.exe

    • Size

      7.3MB

    • MD5

      7d585fca62401d87f593a2ea996163ad

    • SHA1

      2e140791eb076af3b7f0624b250bcb3ad602eee0

    • SHA256

      896e89326155661d897a5f78e847648673aa77542c284e5876b49315dfbc8573

    • SHA512

      1cad3866366608a98d18e29478cf538f61b277b6333c38ff9f1bfe2cbfd364ac92e2728a45808e1d9847413496a0fceb09453eedc4cc6c8e857927578360c610

    • SSDEEP

      196608:bOYS6yOshoKMuIkhVastRL5Di3uh1D7J5:SYSDOshouIkPftRL54YRJ5

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks