General

  • Target

    22082024110122082024waybilloriginalinvoiceblpackinglistshipment2208202400000pdf.7z

  • Size

    66KB

  • Sample

    240822-pcwcvswdqb

  • MD5

    eba9f676eb9e59df0ae484e5e247f04d

  • SHA1

    9e52454ed4aebcfd543fad33f4abdd55e6f61327

  • SHA256

    d7d478e5d58684d5842ac05e5ca9f094266d5583aafc7ba280124d114943af89

  • SHA512

    b2149b3210d455987dfcd532e8405548eb8dbc86f1f05958d5c2f3faf0decaf7cccea42dac090d1208abf99471c8b8612ded44fe9a8f63288fa2474ef6353379

  • SSDEEP

    1536:eS94LxNAlwsRtUuq2eHSSEK/tthddjiugGetCDTj06ixhhKSW9ubKY8:IxsRO/HX/ttDd8CDTjrixm9OB8

Malware Config

Targets

    • Target

      waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs

    • Size

      134KB

    • MD5

      597c7745de1949be25d9c4849aa11cb7

    • SHA1

      e2001dadfe1233b12c11b8cc1954f9183633a4fb

    • SHA256

      31fc0e3296a248e9957c62e4060c92b895ca6ebb0a828e00ab7ef3608c498fb4

    • SHA512

      7bb22bc64793ec32363fc409f38830fc101222239a4ee58a97cbfcc00d19a06a5da5a18c3eead92f04f5a3c52505bdb2883f542479858dc2b84653d96d28c2ce

    • SSDEEP

      3072:FjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29Ojmplsz:NGO63WSdYB51Gy/quNHwaHdHqHb0bIko

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copy of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers, which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks