Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbVBRbG1oT1pEenhHWVVjUGF5bFh0a2cyLW80QXxBQ3Jtc0trUWFNYTA4OUs4OFBjTTNVVnFidVBvY3BOOUtSZ3gtWEhSRXE4UW9ydnlzaWxmRUxrZHNGTWVHWUJFbVhvbkswRF9BSzdDRzE4RDU0VG5zY2FFZ2NoeE1XU0xGQzhRUjBneWpOLTN5ckhhUl9JOXZfRQ&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1Shm-HYd0t9jmxPbpECqzXm8ws4Z2VjZI%2Fview%3Fusp%3Ddrive_link%2F
-
Sample
240808-rhe9yavbkj
Malware Config
Targets
-
-
Target
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbVBRbG1oT1pEenhHWVVjUGF5bFh0a2cyLW80QXxBQ3Jtc0trUWFNYTA4OUs4OFBjTTNVVnFidVBvY3BOOUtSZ3gtWEhSRXE4UW9ydnlzaWxmRUxrZHNGTWVHWUJFbVhvbkswRF9BSzdDRzE4RDU0VG5zY2FFZ2NoeE1XU0xGQzhRUjBneWpOLTN5ckhhUl9JOXZfRQ&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1Shm-HYd0t9jmxPbpECqzXm8ws4Z2VjZI%2Fview%3Fusp%3Ddrive_link%2F
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1