Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&

  • Sample

    240811-bgrzcaxfkp

Malware Config

Targets

    • Target

      https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Disables taskbar notifications via registry modification

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops desktop.ini file(s)

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks