Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    45923c5e0fa75d8265252dcdaa59b90db697db59e1badc8e474ac804ddeb41fd.exe

  • Size

    2.2MB

  • Sample

    240820-bmpq6szfnn

  • MD5

    be668da17ea459ecdba38cb333a98a07

  • SHA1

    fc44edf6715f685e7ad26b22b4b2695f45586146

  • SHA256

    45923c5e0fa75d8265252dcdaa59b90db697db59e1badc8e474ac804ddeb41fd

  • SHA512

    6e285e8398dc131a3085578184714b88ac34fc12f5f014ce66c63b6b43e0473c650c0a9eb51972d1b1a106d44df2f04478c2d895c6551f39a45d3c860f27f39a

  • SSDEEP

    49152:PI/0Xh92X3FAOkoQgcK1beVBOHpwIf0bOtW1sLjS/g3:0O2X33Dfp98bObL+0

Malware Config

Targets

    • Target

      45923c5e0fa75d8265252dcdaa59b90db697db59e1badc8e474ac804ddeb41fd.exe

    • Size

      2.2MB

    • MD5

      be668da17ea459ecdba38cb333a98a07

    • SHA1

      fc44edf6715f685e7ad26b22b4b2695f45586146

    • SHA256

      45923c5e0fa75d8265252dcdaa59b90db697db59e1badc8e474ac804ddeb41fd

    • SHA512

      6e285e8398dc131a3085578184714b88ac34fc12f5f014ce66c63b6b43e0473c650c0a9eb51972d1b1a106d44df2f04478c2d895c6551f39a45d3c860f27f39a

    • SSDEEP

      49152:PI/0Xh92X3FAOkoQgcK1beVBOHpwIf0bOtW1sLjS/g3:0O2X33Dfp98bObL+0

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks