General

  • Target: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N

  • Size: 1016KB

  • Sample: 241009-hw3sqasapj

  • MD5: 18e163786a650174a88b891fd947c890

  • SHA1: ca5914aa9b8d04bde6c230dfb3ba12284556a0de

  • SHA256: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729

  • SHA512: f0d5c8d3bd1adcab128c323c4f2bd3596bfb548e07e97c9324aaca689a42d73748f0897af197d86bc661a994256a8c4edd75bae313ef0cc9e3a16c9808174ed5

  • SSDEEP: 6144:oIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUry:oIXsgtvm1De5YlOx6lzBH46Ury

Malware Config

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks