Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87

  • Size

    1.1MB

  • Sample

    240914-lhmq5axbnj

  • MD5

    fb684a3f9bbd6b74e432a7ce5fba272b

  • SHA1

    401906ba1767b901c4dfbeca1b786aceece5372a

  • SHA256

    153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87

  • SHA512

    2ba198fb88822d02b9586b847df42f82a58894c3a058bfc0de1b603da52470ec95cd8d37a34e8634bc225d0913891fec9bc498c49a314639768f10044b9192a2

  • SSDEEP

    24576:5j8B3KleK6hPJ06jLEVPeTUlDKqVoNkU2uGp7mDYqwQeQFAtVqK0rU:Nw3KLAPJrjQeADK6oNGuqCvkQitEY

Malware Config

Targets

    • Target

      153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87

    • Size

      1.1MB

    • MD5

      fb684a3f9bbd6b74e432a7ce5fba272b

    • SHA1

      401906ba1767b901c4dfbeca1b786aceece5372a

    • SHA256

      153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87

    • SHA512

      2ba198fb88822d02b9586b847df42f82a58894c3a058bfc0de1b603da52470ec95cd8d37a34e8634bc225d0913891fec9bc498c49a314639768f10044b9192a2

    • SSDEEP

      24576:5j8B3KleK6hPJ06jLEVPeTUlDKqVoNkU2uGp7mDYqwQeQFAtVqK0rU:Nw3KLAPJrjQeADK6oNGuqCvkQitEY

    • Modifies WinLogon for persistence

    • Modifies security service

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Disables taskbar notifications via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks