Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    setup.bat

  • Size

    77.4MB

  • Sample

    240914-c9bcqsshjr

  • MD5

    c5257fcbbdf29f27905a5500ba074fbb

  • SHA1

    83a0381e09edcb9e3fd1f6bec9792c2ea831f728

  • SHA256

    d1d620a61f00160ea1d9688cbd1a9455f5e77a539f456922abb0ba251fd296e8

  • SHA512

    91f9fab707e710760cebf5f3e478b3baf994abfae823dd9364e456d916c8d1a03a03a877adc876cdc4a99a5be6de2ce29f1922c7794be9ecec6bae93ad871d1e

  • SSDEEP

    1572864:L4gPXMorgRZKku2vOmdMdQPjjXzjCKQTtuvC+qTSzPY1rc7:L4AcGgRZ2mCdQLzCHkKn+7

Malware Config

Targets

    • Target

      setup.bat

    • Size

      77.4MB

    • MD5

      c5257fcbbdf29f27905a5500ba074fbb

    • SHA1

      83a0381e09edcb9e3fd1f6bec9792c2ea831f728

    • SHA256

      d1d620a61f00160ea1d9688cbd1a9455f5e77a539f456922abb0ba251fd296e8

    • SHA512

      91f9fab707e710760cebf5f3e478b3baf994abfae823dd9364e456d916c8d1a03a03a877adc876cdc4a99a5be6de2ce29f1922c7794be9ecec6bae93ad871d1e

    • SSDEEP

      1572864:L4gPXMorgRZKku2vOmdMdQPjjXzjCKQTtuvC+qTSzPY1rc7:L4AcGgRZ2mCdQLzCHkKn+7

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      LICENSES.chromium.html

    • Size

      8.8MB

    • MD5

      2675b30d524b6c79b6cee41af86fc619

    • SHA1

      407716c1bb83c211bcb51efbbcb6bf2ef1664e5b

    • SHA256

      6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081

    • SHA512

      3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

    • SSDEEP

      24576:cpD6826x5kSWSsRinoHnmfm646a6N6z68SH4SApTJ:cHSek

    Score
    3/10
    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      2191e768cc2e19009dad20dc999135a3

    • SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

    • SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    • SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

    • SSDEEP

      49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.8MB

    • MD5

      208e7af956a0803900125bdc11a3ecf2

    • SHA1

      1bd84174194485da634bf8b3af0a78e236316a8e

    • SHA256

      d863c8a26744703f2d12c674b45c87d8b34e21efce169d4797b57964d168b077

    • SHA512

      76937999a21391107d9ebcfd66c7a2ca967cc7cac7aeb2b15bbeca6b546423a3d5c83969ef151c95d916d5a9f653573cd59d05110566d52a5c2679059c4d4ec3

    • SSDEEP

      49152:9F5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQUSCu:9FvSkJXv+tiLAD0+DUS5

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      477KB

    • MD5

      1b74f7e2b5d44ac10a89a5cf206630a8

    • SHA1

      dd2e816e315b6a6a271fb01dc12163d9936c77c4

    • SHA256

      662746a02930c151c5cab2b1167a56c6ca78b44028448fda91182147856edfed

    • SHA512

      246814e5fc157cf731e3ec3e1096922864b48a36cc5b1e5259ebd2e673fde5dc741ad600f69cd80e1544ee12438f7cc6f208add894b5e02ac5e2c87d0b3933a8

    • SSDEEP

      6144:38hd1BSjuMmof2SEXVVfgV8hxN7h2NwIEOg51f0FticyQ:38DXSjZmof2SEsmN12NwIE7f0FticyQ

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      7.3MB

    • MD5

      596379ba25b32e95b5ec3cd8028b291b

    • SHA1

      af61b5d29db91997e29ffed8a410d09ce74ee51e

    • SHA256

      d5e1d7b8531a0f4ab576ba6f78d4c63b39186a2830d313c6695f0024c9ef627a

    • SHA512

      f8835b455820c77b4ba509c326a185bf65131242161498229c5e3584a0e7789324932b95678556a657440deaf067ead454e85bf8233efa24162e7e4d9eaf417b

    • SSDEEP

      98304:AwY1sQqaLe2Egto8U4r5Pp6TlITQZ38W888888888tb8dii:vNaSgtvroZ8

    Score
    1/10
    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    3/10
    • Target

      vk_swiftshader.dll

    • Size

      4.9MB

    • MD5

      f16c36ae369609497bfd0847889bec63

    • SHA1

      5dca218bf0b2a20d7d027fa10fdb1b8152564fe4

    • SHA256

      4488a958418227fbe6f64898c2f85eefd87fc9e46aea457233b38db8a86e944d

    • SHA512

      9f06f4a318c8a3e2fdccb6d983087184cff37a2b79e0c1e85b3ac8e45695454c4aacb4468593ebbfff64739b0d598ba4d1d9dd94187b1bbd82c1369c62781109

    • SSDEEP

      49152:56h3a0f1ABi1jP9LoS8lne0Zv8EgHI7JXYN3bgFNmEgMYmz2qA0Mr7wsVUsNCOzZ:sh3aMXoSHfPwksHldLiuNr

    Score
    1/10
    • Target

      vulkan-1.dll

    • Size

      931KB

    • MD5

      0a8150e85160ea4311ddbd5b2d1b0b1b

    • SHA1

      a012b8886ec9f305ff4a055ccddd5fc1f6045869

    • SHA256

      0d56a41bead58fd5fee44b2ee60485d4c80a3a639acc42cfc57c8e059078dfe0

    • SHA512

      d2d853d072ae7ac6871c880f164eeaa6300d9f951de3aacb4d65195407aa4a1ef18b9beae14b7eda0936e4fca5fb56b65038370d8e349893f3c8027526415921

    • SSDEEP

      24576:xYWOq/4Kt/Ku8n387ecbFb6Z5WoDYsHY6g3P0zAk7so:xY65/M387R56Z5WoDYsHY6g3P0zAk7s

    Score
    1/10
    • Target

      xxd.exe

    • Size

      164.7MB

    • MD5

      3b8f4adf61f01f882591e9e113d65acf

    • SHA1

      b324ec054ea0e4654a9bfb3d297a49891b50b988

    • SHA256

      5ebe1ef5b37f06a9a11482c424f5d8e5f9a7cc964c857dc7fe7e2cd284182ce5

    • SHA512

      d517db7414c85476f98e26e4a1a99203e8fe74a9b7600d3085a7c28139bb5461a99cf0c8a7e3274429cf16bbfc806c2663b6eb5c3535d71e4bc30a0b1746ca5c

    • SSDEEP

      1572864:63lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:PPvt1x2z5m1ij

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery
Score
7/10

behavioral2

collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer
Score
9/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10