Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Taremi (2).png
-
Size
272KB
-
Sample
240929-mmag2azgrk
-
MD5
3d0612ff94be0a5bf8321555139bada0
-
SHA1
b2aff7ea2ee83619e8fff45eb4f548197c0af192
-
SHA256
8e25cd2951ea7e8336eb1fb648c9935c3eab6496b60f4db1b8652e0e3b7e4bcd
-
SHA512
474e9d11a67146ee901b6ac56bafb1e60cfefe3f3fd4f4f313506d554919cfa5157bb6cc47b549da7949f370afe04fa29bca92c9448150d0981977ab4a319c35
-
SSDEEP
6144:twva7wqKEU/LNLDtq7dkyKZJqepS5/kucDkwojpqgn75+VhE4veIf:1RKD5LxT1SmucDk3NlSa5If
Malware Config
Targets
-
-
Target
Taremi (2).png
-
Size
272KB
-
MD5
3d0612ff94be0a5bf8321555139bada0
-
SHA1
b2aff7ea2ee83619e8fff45eb4f548197c0af192
-
SHA256
8e25cd2951ea7e8336eb1fb648c9935c3eab6496b60f4db1b8652e0e3b7e4bcd
-
SHA512
474e9d11a67146ee901b6ac56bafb1e60cfefe3f3fd4f4f313506d554919cfa5157bb6cc47b549da7949f370afe04fa29bca92c9448150d0981977ab4a319c35
-
SSDEEP
6144:twva7wqKEU/LNLDtq7dkyKZJqepS5/kucDkwojpqgn75+VhE4veIf:1RKD5LxT1SmucDk3NlSa5If
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies firewall policy service
-
Modifies security service
-
UAC bypass
-
Windows security bypass
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Modify Registry: Disable Windows Driver Blocklist
Disable Windows Driver Blocklist via Registry.
-
Boot or Logon Autostart Execution: LSASS Driver
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
-
Boot or Logon Autostart Execution: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Command and Scripting Interpreter: PowerShell
Start PowerShell.
-
Drops file in System32 directory
-
Modifies termsrv.dll
Commonly used to allow simultaneous RDP sessions.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2LSASS Driver
1Print Processors
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Component Object Model Hijacking
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2LSASS Driver
1Print Processors
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Component Object Model Hijacking
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
1File Deletion
1Modify Registry
6