General

  • Target

    libusbK-3.1.0.0-setup-debug.exe

  • Size

    8.1MB

  • Sample

    240928-s886dawepa

  • MD5

    2b633874de9f173c45b4782ce9a30998

  • SHA1

    809a1f303f25bb13866350a55e9e26378f9b2af4

  • SHA256

    5271ca2b083f11fa359740d3c712fda868f90b6becd308a4e89d9ba103a03cc6

  • SHA512

    e2467140d27de5f595bb6bca7dbdd679cf5549f8ef07f080dbe209a48161ecef4a58bc2fd60c043da2da0309fa319bbe17833bdd31dc7f9344807456c8f8090b

  • SSDEEP

    196608:gBnxBt7J7P76jwXzQ+bargIltIAUGU2mrrTl/NC1TdyFlv+9lB:GxJU+lygIIKmPTRgNdyi

Malware Config

Targets

    • Target

      libusbK-3.1.0.0-setup-debug.exe

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks