Resubmissions

29/09/2024, 10:34

240929-mmag2azgrk 10

29/09/2024, 10:32

240929-mk4m4azgmp 1

General

  • Target

    Taremi (2).png

  • Size

    272KB

  • Sample

    240929-mmag2azgrk

  • MD5

    3d0612ff94be0a5bf8321555139bada0

  • SHA1

    b2aff7ea2ee83619e8fff45eb4f548197c0af192

  • SHA256

    8e25cd2951ea7e8336eb1fb648c9935c3eab6496b60f4db1b8652e0e3b7e4bcd

  • SHA512

    474e9d11a67146ee901b6ac56bafb1e60cfefe3f3fd4f4f313506d554919cfa5157bb6cc47b549da7949f370afe04fa29bca92c9448150d0981977ab4a319c35

  • SSDEEP

    6144:twva7wqKEU/LNLDtq7dkyKZJqepS5/kucDkwojpqgn75+VhE4veIf:1RKD5LxT1SmucDk3NlSa5If

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modify Registry: Disable Windows Driver Blocklist

      Disable Windows Driver Blocklist via Registry.

    • Boot or Logon Autostart Execution: LSASS Driver

      Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

MITRE ATT&CK Enterprise v15

Tasks