General
Target: Optimize_MasterPack (1).zip
Size: 3.6MB
Sample: 241015-1f9kfasfjm
MD5: 089656f2ef4c33055517f63e3b75457d
SHA1: c112a5ce4c26150a010aa3d4f391f5176b18e673
SHA256: d0c09d6aeb8c991479bc825f9b45a04d9ba75fedf09dc57237e21467af3f31a3
SHA512: f898a22531bbe4e3d797fb522edb0c99f69395f480f781829b6648a56b700baabf00dd9d04208d277b48aff89b34b7ded440b49f58ce075484f055dde03a566c
SSDEEP: 98304:B24OUljZMZzpr2LBNljZMZzpkS+ffHs+ff8T:B2ajCZzpr2hjCZzpkSCfHsCf8T
Static task: static1
Behavioral task: behavioral1
Sample: Optimize_MasterPack (1).zip
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: Optimize_MasterPack (1).zip
Size: 3.6MB
MD5: 089656f2ef4c33055517f63e3b75457d
SHA1: c112a5ce4c26150a010aa3d4f391f5176b18e673
SHA256: d0c09d6aeb8c991479bc825f9b45a04d9ba75fedf09dc57237e21467af3f31a3
SHA512: f898a22531bbe4e3d797fb522edb0c99f69395f480f781829b6648a56b700baabf00dd9d04208d277b48aff89b34b7ded440b49f58ce075484f055dde03a566c
SSDEEP: 98304:B24OUljZMZzpr2LBNljZMZzpkS+ffHs+ff8T:B2ajCZzpr2hjCZzpkSCfHsCf8T
Signatures
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Disables taskbar notifications via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies RDP port number used by Windows
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)

Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 4
  - Change Default File Association: 1
  - Component Object Model Hijacking: 1
  - Image File Execution Options Injection: 1
  - Netsh Helper DLL: 1
- Power Settings: 1
- Server Software Component: 1
  - Terminal Services DLL: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 4
  - Change Default File Association: 1
  - Component Object Model Hijacking: 1
  - Image File Execution Options Injection: 1
  - Netsh Helper DLL: 1

Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 1
  - Ignore Process Interrupts: 1
- Modify Registry: 6

Discovery
- Peripheral Device Discovery: 3
- Query Registry: 7
- Remote System Discovery: 1
- System Information Discovery: 8
- System Location Discovery: 1
  - System Language Discovery: 1
- System Network Configuration Discovery: 1
  - Internet Connection Discovery: 1
- System Time Discovery: 1