Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
loader.exe
-
Size
14.4MB
-
Sample
240905-nl78cazhlf
-
MD5
0b36da64b85e5abae7a93017d46dcce1
-
SHA1
40506f88be2a8f9fc03083f8d934b58fe22c3ae5
-
SHA256
0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903
-
SHA512
a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572
-
SSDEEP
196608:tzElGkSaXkbEzeMeHJJ4u/RVyjwnx4YpXNzP0nreN:5ElGbFbEzVO4u/Rg9YTzF
Malware Config
Targets
-
-
Target
loader.exe
-
Size
14.4MB
-
MD5
0b36da64b85e5abae7a93017d46dcce1
-
SHA1
40506f88be2a8f9fc03083f8d934b58fe22c3ae5
-
SHA256
0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903
-
SHA512
a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572
-
SSDEEP
196608:tzElGkSaXkbEzeMeHJJ4u/RVyjwnx4YpXNzP0nreN:5ElGbFbEzVO4u/Rg9YTzF
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Stops running service(s)
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4