Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

decc924c5d...a6.exe

windows7-x64

7

decc924c5d...a6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ff727df62c764a2e45c2aa054a169487436d55fcf2d87a9176ecb88b8a11f169

  • Size

    21.4MB

  • Sample

    240902-qhl7ta1cjk

  • MD5

    e659b0b4bfe3c94d56aba89a3ba13469

  • SHA1

    04ed5d58fdcf4ef990c3926bdcf7a8ec80488e87

  • SHA256

    ff727df62c764a2e45c2aa054a169487436d55fcf2d87a9176ecb88b8a11f169

  • SHA512

    ac78777198a3d1dd0e2ce4b201f37b657f0f93501c2fb65f6a789d6171a73c5c4a68a1bb1508439d919293dcb8d48265051f91934dafdae2cced4d7c4cca00ed

  • SSDEEP

    393216:niYrtEllu3jb7aEjYxo+Blp/4H8XxJmOpFhAse77XL52T7VXWO4yE9Yusdw:nvr5yv9/hJmQQsCMTRmkE9YfW

Score
10/10
discoveryevasionexecutionpersistenceprivilege_escalationpyinstallerransomwarespywarestealer

Malware Config

Targets

    • Target

      decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe

    • Size

      21.6MB

    • MD5

      f627f381233039bae67494833c9c034e

    • SHA1

      a70f577fef3a7bd4c59d7c52a273e5a9444c0a3a

    • SHA256

      decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6

    • SHA512

      597b7c6c3b8486f2bdab7d8447be87d861dc0fc918615b061bb8888f4b69d5732eea2b8b682e32c67fcb264cee88829a222e75d4e42e542090ab9613ccb90a25

    • SSDEEP

      393216:yt1aJNdbPmYRQK7+8KobA50pf0P1y1wwZmUh/lbTtJQlM5GB46LY8kX:yfidbrRQOKoXpfU1CwwZmElP0M5GWhrX

    Score
    10/10
    discoveryevasionexecutionpersistenceprivilege_escalationransomwarespywarestealer

    • Disables service(s)

      evasionexecution

    • Renames multiple (212) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

2
T1489

Tasks