Resubmissions

25/08/2024, 01:29

240825-bwbwnssemq 10

25/08/2024, 00:08

240825-ae1b9sxcre 6

General

  • Target: VisualStudioSetup.exe
  • Size: 4.2MB
  • Sample: 240825-bwbwnssemq
  • MD5: e62b3d678739012ff21131b393e6eb6a
  • SHA1: 406a98376777e0366d7aeeea635e3bea2155006b
  • SHA256: 99a1e6a5c33d6ca8d7b308002a10d729bd8926afdf771a6b2c7a6f2e1c6af905
  • SHA512: 81ae566ee82fdce6700049923da4cfe5886d9c9ca82293744db1ed7cca5232a265cf620dbc03821f9f970a03318ccc867533489209f14647e916c1aa262ec733
  • SSDEEP: 98304:HEbiyM/1hbHw48psbOgCkrhZg7wKhaaKabT:AqhbQtC7rAwXy

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Impair Defenses: Safe Mode Boot

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks whether UAC is enabled

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Event Triggered Execution: Image File Execution Options Injection

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies Windows Firewall

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Modifies WinLogon for persistence

MITRE ATT&CK Enterprise v15

Tasks