Overview: score 7/10
Static: score 3/10

Task                     Platform            Score
e275e8febf...37.exe      windows7-x64        7/10
e275e8febf...37.exe      windows10-2004-x64  7/10
$PLUGINSDI...em.dll      windows7-x64        3/10
$PLUGINSDI...em.dll      windows10-2004-x64  3/10
$PLUGINSDI...fo.dll      windows7-x64        3/10
$PLUGINSDI...fo.dll      windows10-2004-x64  3/10
$SYSDIR/CEA_Crypt.dll    windows7-x64        3/10
$SYSDIR/CEA_Crypt.dll    windows10-2004-x64  3/10
$SYSDIR/FT...nk.dll      windows7-x64        3/10
$SYSDIR/FT...nk.dll      windows10-2004-x64  3/10
$SYSDIR/In...11.dll      windows7-x64        3/10
$SYSDIR/In...11.dll      windows10-2004-x64  3/10
$SYSDIR/In..._s.dll      windows7-x64        3/10
$SYSDIR/In..._s.dll      windows10-2004-x64  3/10
$SYSDIR/Pa...rl.dll      windows7-x64        5/10
$SYSDIR/Pa...rl.dll      windows10-2004-x64  5/10
$SYSDIR/Pa...rl.dll      windows7-x64        5/10
$SYSDIR/Pa...rl.dll      windows10-2004-x64  5/10
$SYSDIR/Pa...ns.exe      windows7-x64        3/10
$SYSDIR/Pa...ns.exe      windows10-2004-x64  3/10
$SYSDIR/Pa...64.dll      windows7-x64        7/10
$SYSDIR/Pa...64.dll      windows10-2004-x64  5/10
$SYSDIR/Pa...ns.exe      windows7-x64        3/10
$SYSDIR/Pa...ns.exe      windows10-2004-x64  3/10
$SYSDIR/pa...ns.exe      windows7-x64        3/10
$SYSDIR/pa...ns.exe      windows10-2004-x64  3/10
$SYSDIR/pr...RA.dll      windows7-x64        3/10
$SYSDIR/pr...RA.dll      windows10-2004-x64  3/10
$SYSDIR/stwebdll.dll     windows7-x64        3/10
$SYSDIR/stwebdll.dll     windows10-2004-x64  3/10
$TEMP/EsWe...it.exe      windows7-x64        7/10
$TEMP/EsWe...it.exe      windows10-2004-x64  7/10

General
Target: e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37
Size: 6.3MB
Sample: 240825-g8g64s1ekm
MD5: 9190aaff6a444edb896ed5c228c26276
SHA1: e7a1745c17b141159e87a6d8ade23ac7815c74d9
SHA256: e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37
SHA512: aa75ce03ef8594f066ffc2d16e0658637a6d9544c81555b8199a4d17fd42e35980e8a676f9f5b700ba966f3563cdd4816714014bcf5533e42b16379540c9a6b8
SSDEEP: 196608:z6xePNL9ONBrYuU7yBCiAYPnGjzJIerhV5Q:zAA99ONuC5AYPnYJIe1V5
Static task static1
Behavioral task behavioral1: e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe (resource win7-20240705-en)
Behavioral task behavioral2: e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe (resource win10v2004-20240802-en)
Behavioral task behavioral3: $PLUGINSDIR/System.dll (resource win7-20240708-en)
Behavioral task behavioral4: $PLUGINSDIR/System.dll (resource win10v2004-20240802-en)
Behavioral task behavioral5: $PLUGINSDIR/UserInfo.dll (resource win7-20240704-en)
Behavioral task behavioral6: $PLUGINSDIR/UserInfo.dll (resource win10v2004-20240802-en)
Behavioral task behavioral7: $SYSDIR/CEA_Crypt.dll (resource win7-20240708-en)
Behavioral task behavioral8: $SYSDIR/CEA_Crypt.dll (resource win10v2004-20240802-en)
Behavioral task behavioral9: $SYSDIR/FTInitlize_bank.dll (resource win7-20240708-en)
Behavioral task behavioral10: $SYSDIR/FTInitlize_bank.dll (resource win10v2004-20240802-en)
Behavioral task behavioral11: $SYSDIR/InterPass2000P11.dll (resource win7-20240704-en)
Behavioral task behavioral12: $SYSDIR/InterPass2000P11.dll (resource win10v2004-20240802-en)
Behavioral task behavioral13: $SYSDIR/InterPass2000P11_s.dll (resource win7-20240705-en)
Behavioral task behavioral14: $SYSDIR/InterPass2000P11_s.dll (resource win10v2004-20240802-en)
Behavioral task behavioral15: $SYSDIR/PassGuardCtrl.dll (resource win7-20240708-en)
Behavioral task behavioral16: $SYSDIR/PassGuardCtrl.dll (resource win10v2004-20240802-en)
Behavioral task behavioral17: $SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll (resource win7-20240729-en)
Behavioral task behavioral18: $SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll (resource win10v2004-20240802-en)
Behavioral task behavioral19: $SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe (resource win7-20240704-en)
Behavioral task behavioral20: $SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe (resource win10v2004-20240802-en)
Behavioral task behavioral21: $SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll (resource win7-20240708-en)
Behavioral task behavioral22: $SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll (resource win10v2004-20240802-en)
Behavioral task behavioral23: $SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe (resource win7-20240704-en)
Behavioral task behavioral24: $SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe (resource win10v2004-20240802-en)
Behavioral task behavioral25: $SYSDIR/passguardwin7ins.exe (resource win7-20240708-en)
Behavioral task behavioral26: $SYSDIR/passguardwin7ins.exe (resource win10v2004-20240802-en)
Behavioral task behavioral27: $SYSDIR/printCtl4RA.dll (resource win7-20240729-en)
Behavioral task behavioral28: $SYSDIR/printCtl4RA.dll (resource win10v2004-20240802-en)
Behavioral task behavioral29: $SYSDIR/stwebdll.dll (resource win7-20240708-en)
Behavioral task behavioral30: $SYSDIR/stwebdll.dll (resource win10v2004-20240802-en)
Behavioral task behavioral31: $TEMP/EsWebSocketKit.exe (resource win7-20240704-en)
Behavioral task behavioral32: $TEMP/EsWebSocketKit.exe (resource win10v2004-20240802-en)
Malware Config

Targets

Target: e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37
Size: 6.3MB
MD5: 9190aaff6a444edb896ed5c228c26276
SHA1: e7a1745c17b141159e87a6d8ade23ac7815c74d9
SHA256: e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37
SHA512: aa75ce03ef8594f066ffc2d16e0658637a6d9544c81555b8199a4d17fd42e35980e8a676f9f5b700ba966f3563cdd4816714014bcf5533e42b16379540c9a6b8
SSDEEP: 196608:z6xePNL9ONBrYuU7yBCiAYPnGjzJIerhV5Q:zAA99ONuC5AYPnYJIe1V5
Signatures:
  Adds Run key to start application
  Modifies Windows Firewall
  Drops file in System32 directory
  Suspicious use of NtSetInformationThreadHideFromDebugger

Target: $PLUGINSDIR/System.dll
Size: 11KB
MD5: 959ea64598b9a3e494c00e8fa793be7e
SHA1: 40f284a3b92c2f04b1038def79579d4b3d066ee0
SHA256: 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA512: 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64
SSDEEP: 192:sRer7uivwq1XpKs4FVWSjMd8tIg2cREbyCsZ8q2R4Sy+Xe:s67Xws4FVWig86/5eCBqSy+Xe
Score: 3/10

Target: $PLUGINSDIR/UserInfo.dll
Size: 4KB
MD5: d16e06c5de8fb8213a0464568ed9852f
SHA1: d063690dc0d2c824f714acb5c4bcede3aa193f03
SHA256: 728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531
SHA512: 60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a
Score: 3/10

Target: $SYSDIR/CEA_Crypt.dll
Size: 60KB
MD5: b57da4ef6c923514de0efe4d4f409ca2
SHA1: 638ef69da94f513955db4e5349b69c1ecbf4b9d8
SHA256: 1161c3fac4a43485640a80336dd0edbc5569f332b3f36839dcebc8663ab8761b
SHA512: ad755429be4ac006354cd8d4bf8877baef093418d6b3e20af6c7da8fb8e441314c3dc37544510c2462abc4204013da12c1747fa974242ebbc6f8484858a1496e
SSDEEP: 768:EkpSRkT6Zwg4TcYFsF3TaDvwHpVJOdKB67GrYxw/l+MSpL0Gt:EbDh4TcR3ODQzoK6GrYi+2Gt
Score: 3/10

Target: $SYSDIR/FTInitlize_bank.ocx
Size: 50KB
MD5: f4641328913d7c18982cce4c99f580e0
SHA1: 4250757a8455d59fdfdbff67d2b6b12939c83673
SHA256: 09f584a625ea2f6b6c26a609c12457763504b4d0ee55cff4c2d9417f5a787fd8
SHA512: f3de30d3cd4312529c5706a1c377b3086987617dc9901c7e051c3c578d3f38c6888bc6898708f653962f832cf4ac5388f21ace66aadf15421686a139f55cb438
SSDEEP: 768:EM7eEsCWff3DpjTKRbcvWnnqJJwZYi8pqAMxkEI1:1e4C3NjTKG8nIJe70IxQ
Score: 3/10

Target: $SYSDIR/InterPass2000P11.dll
Size: 892KB
MD5: 809f63601ef78a3cbcbdfab1f4816f73
SHA1: 6122e2108502b7e52c8a07e8953daf2dfd54c6dd
SHA256: 806b77200f87f245a39da02bb7548654ce11cf7ebbbc123c72a93f93c74ca7f0
SHA512: 6496887b99a271c06d6bc59b54c99e3fe6108bed199d86c07b5b3945dcd362a396a925a9579f8fe16239a3d794347504d63f031d51d70624e06021bcad3b1434
SSDEEP: 24576:5Z5Sl7ZaOE7tiGJhDlqAony9OK+TdLO4og8CDtjYM42q4S:fA0QdLOQ8O5x42q4S
Score: 3/10

Target: $SYSDIR/InterPass2000P11_s.dll
Size: 10KB
MD5: 6b27956ba886ee230281d205e09e91a9
SHA1: d5c7d9297df241b52573d03185a66528a84f5488
SHA256: 3df383f4b0195620badc0bb9f5e1d86ebdb4975b60da4b910a26fee9b4af474f
SHA512: e7b9d770ef04dda2c2cf144c218851b2b933d59395caff6594e70d0d71db4a78319a51bcbd3479668ab7dad56acee4a24cc3c4206186ad6cc91f5314a498212a
SSDEEP: 96:Dpn00KCDOVnXB+im0KcOqW/PLZISj0epuVuw6YQCcTvka9IN80KIbWUksykajqq1:PAXBRQC3a9C8nZUadXe/09OFH
Score: 3/10

Target: $SYSDIR/PassGuardCtrl.dll
Size: 2.0MB
MD5: 174a19cd3a960100dbeb43fb9428bf02
SHA1: 5bb0fa68ee4ec2a74b7c7ceb9ff1f42e42da54cb
SHA256: 15333c63027b7e91c3298e566ee8bd1abcf61fb2699570280e66a84136ae7fba
SHA512: 20f698d8651f61c370c840b9bbfbef8ee5b53c655c0d1b0dd704f2670bdaeb9366279e3182ff99a36b43f4d664dde1bbfeef9dc3032b0b5c769c3c81faf57aab
SSDEEP: 49152:Tm4ggt/EcTPjh5e8uSdORm6ivr4qFFfS2bn1MF+7x/d3X16sUVE:Dg6zuS8m6ivr7SqFx/9XdUS
Score: 5/10
Signatures:
  Suspicious use of NtSetInformationThreadHideFromDebugger

Target: $SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll
Size: 2.0MB
MD5: 174a19cd3a960100dbeb43fb9428bf02
SHA1: 5bb0fa68ee4ec2a74b7c7ceb9ff1f42e42da54cb
SHA256: 15333c63027b7e91c3298e566ee8bd1abcf61fb2699570280e66a84136ae7fba
SHA512: 20f698d8651f61c370c840b9bbfbef8ee5b53c655c0d1b0dd704f2670bdaeb9366279e3182ff99a36b43f4d664dde1bbfeef9dc3032b0b5c769c3c81faf57aab
SSDEEP: 49152:Tm4ggt/EcTPjh5e8uSdORm6ivr4qFFfS2bn1MF+7x/d3X16sUVE:Dg6zuS8m6ivr7SqFx/9XdUS
Score: 5/10
Signatures:
  Suspicious use of NtSetInformationThreadHideFromDebugger

Target: $SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe
Size: 524KB
MD5: b40dc2b850c541138161080e8349a9fb
SHA1: 8e9c77b96baa956c1c9ca8887f29ae92bfb1173d
SHA256: 287d8914e42ade8139f23a93fc3c1bfe8e82bfce57acc2219ef9d4b7f7bf303e
SHA512: 6165c4660f60977abe05cdc8bdb87d2ae5b4a424e6ce19e2d5829af3135e735e26ca17887cf5be319e85861c2d656cc9f4fd8847ace8c8a81b621b464f8d34a4
SSDEEP: 12288:3XeT29v49ZFqjw6/SIojaiGXa5NUFoFh3UvhnmIBzGxDqIbYX:3XdA9ZySX2i2aIFoknmwYE
Score: 3/10

Target: $SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll
Size: 3.3MB
MD5: c51656b26119aacd1a46c0e0a595a39c
SHA1: b75d8b77297d2fd7f6f7763a3d50ea06beb396e6
SHA256: 665e7de614a196741af1a52b48f91453136d0bce3e0048699b3b115e3c7078b9
SHA512: a2a3747dc518249599097bec700cb09b1551b6d9052d0225f5e4abf2d458acff6edd4867db81685bb94c71c6dc5302f868be8de170ca6804ab79288c5a5afaf7
SSDEEP: 49152:WYbgS0xNu63rtrgwNAOa1qXEeaenHgJEomipl4LgziNXfzEurRnKtAGeXbyg10:WYS5aG7onlw75fzE+RKtALLyy0
Score: 7/10
Signatures:
  Event Triggered Execution: Component Object Model Hijacking
    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  Suspicious use of NtSetInformationThreadHideFromDebugger

Target: $SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe
Size: 176KB
MD5: feeebfd24b6e6b490dae219d0db511ac
SHA1: 851be598f328916c72efdc01e97908d3717bc24c
SHA256: 2cff7d0b83c051a4677d9313976aaefc328c53c6851ab30a1524221ef571acd2
SHA512: 28d3099930f4073bf40c301109a0494767a2eb4fd2d09d6e729a82f41e0ce63edac65d69b5047120490b5598907db19d21a182736dc793b0e193b64e5b4d0532
SSDEEP: 3072:V3Gmsh8wZitP7uTpj6h/cTU6uD+OUicVTMBzGxKzmqktXbhaczc:Imsh80zp2h/cT5u31oIBzGxKzmq2XbK
Score: 3/10

Target: $SYSDIR/passguardwin7ins.exe
Size: 524KB
MD5: b40dc2b850c541138161080e8349a9fb
SHA1: 8e9c77b96baa956c1c9ca8887f29ae92bfb1173d
SHA256: 287d8914e42ade8139f23a93fc3c1bfe8e82bfce57acc2219ef9d4b7f7bf303e
SHA512: 6165c4660f60977abe05cdc8bdb87d2ae5b4a424e6ce19e2d5829af3135e735e26ca17887cf5be319e85861c2d656cc9f4fd8847ace8c8a81b621b464f8d34a4
SSDEEP: 12288:3XeT29v49ZFqjw6/SIojaiGXa5NUFoFh3UvhnmIBzGxDqIbYX:3XdA9ZySX2i2aIFoknmwYE
Score: 3/10

Target: $SYSDIR/printCtl4RA.dll
Size: 124KB
MD5: a89ea3892bfe94be61231dedc9263cd8
SHA1: 768a8e6a08621f22447567dd96fde590071696ef
SHA256: 12d5a0d88d72b088face2209427d1d9f116179eb48a90da27902f5712590d86c
SHA512: d3bc89d4fdd2de9b6cd2ea11cc3c12f6a524c7f07164590bdc8f12f36cc59432ff0dd8cb63bcbf40fa18cc064ba5646fa2c0c931439c6f8d39579676e0d16761
SSDEEP: 3072:H5mgucQOCStrFrfaRqUgLRy2J0kGAqb9icB/KLY:xCSrtLZJ0OC5/1
Score: 3/10

Target: $SYSDIR/stwebdll.dll
Size: 104KB
MD5: 92119ff7a175e5635b87726306d82635
SHA1: 6125103765180006ff3923ab03bf32d33dd491cc
SHA256: 89cf6ae4df753095e06b2237e1127c8d0cc6cb879d877287355de47b59d08f28
SHA512: 2130595f4a2be6ede12ff65084cbb90ffcb898fb5eb379cffaee5a4967305b6aa3c2b04e1a954b9d84000eee4d76447ceaf6031d3d0b0b09d7adf8330a750622
SSDEEP: 1536:weCN8rpRhbxfocQBfH/0B0sxOtTvAWsTNjF1A+OWDlSuHnZQsoQnz8NZWYK+2GA:b1RhKcQBffc0sQAxjFSYlRH6sokz8HbK
Score: 3/10

Target: $TEMP/EsWebSocketKit.exe
Size: 2.0MB
MD5: 03608817f4280e182fe17dcc532b78af
SHA1: 3810abd4bab3e9b962c96019a2e73422c90fbc31
SHA256: 211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3
SHA512: aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f
SSDEEP: 49152:xQxqVOQPx6T4ooThi+cKS6aWM0A5sT4KV3Bm:xQxqVM4Xi+/7aW3wsNJg
Signatures:
  Adds Run key to start application
  Modifies Windows Firewall
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)