General

  • Target

    gpedit-enabler.bat

  • Size

    379B

  • Sample

    240919-aas3dszfja

  • MD5

    ed31a523aac1905a95c1a2fdf9ba6d00

  • SHA1

    3dc0c844bf799cd97d286a8f0961d58648934754

  • SHA256

    5a597c9eea792f7ce5a15c04de07e8e23871cca7d46b0f5dab5027a203820ab2

  • SHA512

    92fd810a6bdf3f98e170f5aed865acf323ce2a14b93981a8b0251727a28eeefd74e846c98d6e6ce3cb9bf3363b350c5310ab7148bb1f8f80c452c700dd23d1f8

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://sdffrssertr12.ucoz.net/av.ps1

Targets

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks