General
- Target: galaxyskinswapper.ps1
- Size: 3KB
- Sample: 240901-qm4bws1hlq
- MD5: a4b38fa93c168beff3ec2fb7c5ada641
- SHA1: ad9ee01cbd84e96e599a8182ab5f61c501a24742
- SHA256: dc4e3c07f436ff0c8af59ce1818c6397ce63d7b9f9b17aee03816ad019a5127a
- SHA512: 6d55a51402c32bbd471fad065675d761f42d81e73df5d48a0977eb0bb90e6b8dbcab635a595d96126f48aff5394ee6da0e57e9b1d212975568c95cabbb433094
Static task
- static1
Behavioral task
- behavioral1: Sample galaxyskinswapper.ps1, Resource win7-20240705-en
Behavioral task
- behavioral2: Sample galaxyskinswapper.ps1, Resource win10v2004-20240802-en
Malware Config
Extracted
- https://deb.debian.org/debian/dists/bookworm/main/installer-amd64/current/images/netboot/mini.iso
Targets
- Target: galaxyskinswapper.ps1
- Size: 3KB
- Modifies visibility of file extensions in Explorer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, the web browser credential store.
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can change the Authenticode and cryptography registry keys so that their binary is treated as validly signed.
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Drops startup file
- Loads dropped DLL
- System Binary Proxy Execution: Rundll32
  Abuse of Rundll32 to proxy execution of malicious code.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Print Processors (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Print Processors (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (6)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
- System Binary Proxy Execution (1)
  - Rundll32 (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)