Resubmissions

Dates are read as 2024-09-03 (the YYMMDD prefix of each analysis ID); the trailing number is the Triage score.

  • 2024-09-03 08:38  240903-kj4klascln  (score 10)
  • 2024-09-03 08:36  240903-kh1gjsscjm  (score 10)
  • 2024-09-03 06:55  240903-hp2l3s1gkh  (score 10)

General

  • Target

    PenlExecutorV5.exe

  • Size

    21.7MB

  • Sample

    240903-kj4klascln

  • MD5

    2ab204ea193000dade28d306de97a101

  • SHA1

    b465e38921a355bd93e3224dacbf330665bc69ab

  • SHA256

    a9206417bf18fbe241927419daaf2ba6bdec71d4c130256a59ca6f2e8f89cf8e

  • SHA512

    57a3b37e3f42a33e98b33afc10fdc28bd3247d2ace85772859a63a80fc71676732320e0bda1b6b77565ad8150f6c38ada7800fab76547ec9ced0363ceda1d5dd

  • SSDEEP

    393216:nLct7WGlx0P7z8P/NR5q+5DbqCrqDlJVy2zOeLM+AA+k6zYVz4TUi2I8:ngtpgYP/N/qUDbqgqDjVy2LhhZzEEI

Malware Config

Targets

    • Target

      PenlExecutorV5.exe

    • Disables service(s)

    • Renames multiple (215) files with added filename extension

      215 files were renamed by appending a new extension, which is consistent with ransomware encrypting files and marking each encrypted file with its own extension.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes, so that dropped payloads and working directories are not scanned.

    • Command and Scripting Interpreter: PowerShell

      Executes commands via powershell.exe.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Reads the country code (GeoID) configured in the registry, most likely as a geofence to decide whether to run on machines in a given region.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials and session cookies.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external address, typically for victim identification.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.
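
The signatures above are behavioural, so after detonating this sample in an isolated VM an analyst will want to confirm the corresponding host artifacts. The script below is an added example written for this page; it is not part of the Triage report or of Triage's own detection logic. It checks for Defender exclusions, the DisableTaskMgr policy value, the GeoID the sample can read, recent drops in the drivers and Startup directories, files that gained an extra extension, and firewall rules outside any built-in group. The two-hour window, the double-extension regex and the "no Group means user-added" firewall heuristic are assumptions, and the registry paths used are the standard Windows locations for those settings.

```powershell
# Added example, not part of the Triage report: post-detonation host checks for
# the artifacts the signatures above describe. Run as Administrator in an
# isolated analysis VM (Windows 8+ for the NetSecurity and Defender cmdlets).
# The time window, the double-extension heuristic and the firewall heuristic
# are assumptions, not Triage's own detection logic.

function Get-DefenderExclusions {
    # Signature: PowerShell used to add Defender exclusions for extensions, paths, processes.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
}

function Test-TaskManagerDisabled {
    # Signature: "Disables Task Manager via registry modification".
    # DisableTaskMgr=1 under the per-user or machine Policies\System key.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $val = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($val -and $val.DisableTaskMgr -eq 1) { return $key }
    }
    return $null
}

function Get-GeoNation {
    # Signature: "Checks computer location settings". The GeoID a process can read
    # lives under the user's Control Panel\International\Geo key.
    (Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue).Nation
}

function Get-RecentDriverDrops([int]$Hours = 2) {
    # Signature: "Drops file in Drivers directory".
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$Hours) } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-StartupDrops {
    # Signature: "Drops startup file" (per-user and all-users Startup folders).
    $dirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-AppendedExtensions([string]$Root = $env:USERPROFILE, [int]$Hours = 2) {
    # Signature: "Renames multiple files with added filename extension".
    # Heuristic (assumption): recently written files whose name carries two
    # extensions, e.g. report.docx.<new>. Grouping by the final extension exposes
    # the marker the sample appended: one extension with a large count stands out
    # from legitimate double extensions such as .tar.gz.
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$Hours) -and
                       $_.Name -match '\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9]{1,10}$' } |
        Group-Object Extension |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count
}

function Get-SuspectFirewallRules {
    # Signature: "Modifies Windows Firewall". Rules carry no creation time, so this
    # lists enabled rules outside any built-in rule group (assumption: rules added
    # by malware via netsh or New-NetFirewallRule normally have no Group set).
    Get-NetFirewallRule -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Group -and -not $_.DisplayGroup } |
        Select-Object DisplayName, Direction, Action
}

function Invoke-PostDetonationTriage {
    # Collect every check into one object so it can be exported or diffed
    # against the same run on a clean baseline snapshot.
    [pscustomobject]@{
        DefenderExclusions = Get-DefenderExclusions
        TaskMgrDisabledKey = Test-TaskManagerDisabled
        GeoNation          = Get-GeoNation
        DriverDrops        = @(Get-RecentDriverDrops)
        StartupDrops       = @(Get-StartupDrops)
        AppendedExtensions = @(Get-AppendedExtensions)
        FirewallRules      = @(Get-SuspectFirewallRules)
    }
}

Invoke-PostDetonationTriage | Format-List
```

Run the same script on the clean snapshot before detonation and diff the two outputs; the firewall and Defender checks in particular only become meaningful against a baseline, since a fresh Windows image already has enabled rules and may have exclusions of its own. The external IP lookup and the abuse of legitimate hosting services leave no host artifact that this script can see; those are confirmed from the sandbox's network capture instead.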

MITRE ATT&CK Enterprise v15

Tasks