Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

12/10/2024, 18:38

241012-w94h3avfja 10

General

  • Target

    CheatEngine75.exe

  • Size

    28.5MB

  • Sample

    241012-w94h3avfja

  • MD5

    647a2177841aebe2f1bb1b3767f41287

  • SHA1

    446575615e7fcc9c58fb04cad12909a183a2eb15

  • SHA256

    07c1abb57c4498748c4f1344a786c2c136b82651786ed005d999ecbf6054fb2c

  • SHA512

    f3165aec7a4b7adb7e6ffca56812f769b7b085000d50bf235ca1c7e74d76dfb5549de9561e281623c734c2dec9fc37b54af572c3e97fcb9fb1411102ae3da0c0

  • SSDEEP

    786432:5l3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHi6t:5l3LMEXFhV0KAcNjxAItjFt

Malware Config

Targets

    • Target

      CheatEngine75.exe

    • Size

      28.5MB

    • MD5

      647a2177841aebe2f1bb1b3767f41287

    • SHA1

      446575615e7fcc9c58fb04cad12909a183a2eb15

    • SHA256

      07c1abb57c4498748c4f1344a786c2c136b82651786ed005d999ecbf6054fb2c

    • SHA512

      f3165aec7a4b7adb7e6ffca56812f769b7b085000d50bf235ca1c7e74d76dfb5549de9561e281623c734c2dec9fc37b54af572c3e97fcb9fb1411102ae3da0c0

    • SSDEEP

      786432:5l3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHi6t:5l3LMEXFhV0KAcNjxAItjFt

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Drops file in Drivers directory

    • Stops running service(s)

    • Modifies file permissions

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks