Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ReasonLabs-EPP-setup.exe

  • Size

    1.9MB

  • Sample

    240922-nr5peaxgmg

  • MD5

    17d90dd2ebe8cafe442930523b2a5cf0

  • SHA1

    9b70bdd6201de3eaf1acfe2316a9efbd755cc815

  • SHA256

    6337dcdb68146a0b3ce69b665c57658a5b734ceb739b094d4808c2a08fbb2b7e

  • SHA512

    fc1c7ab7911c26c2b59f39a68d64b9766b5fdae9a53c15504bf929eddf9b944dec5374d329cf3c1ec96e9e80f9705d7326a498555a0cbbc7f5e3b688d2a72e64

  • SSDEEP

    49152:oTl+Ffl0KCV8rEKbhHJikCz/NqoNcugBhnem0XL:oTl+xLRHAVLVNcpip7

Malware Config

Targets

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies powershell logging option

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks