Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
30/10/2024, 21:17
241030-z5g12s1fqh 1030/10/2024, 18:58
241030-xmnd1ayjfx 630/10/2024, 18:57
241030-xlx7tayjev 330/10/2024, 18:15
241030-wwdeqaygrk 823/10/2024, 22:30
241023-2e6mtssemd 823/10/2024, 13:57
241023-q9j7jatcra 819/10/2024, 02:00
241019-ceyvjssdnq 815/10/2024, 20:13
241015-yzwrksyfpl 715/10/2024, 19:35
241015-ya3htsshmb 615/10/2024, 19:12
241015-xwhvwa1hrh 6General
-
Target
AnyDesk.exe
-
Size
4.8MB
-
Sample
241019-ceyvjssdnq
-
MD5
ecae8b9c820ce255108f6050c26c37a1
-
SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f
-
SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
-
SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
-
SSDEEP
49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
Malware Config
Targets
-
-
Target
AnyDesk.exe
-
Size
4.8MB
-
MD5
ecae8b9c820ce255108f6050c26c37a1
-
SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f
-
SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
-
SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
-
SSDEEP
49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
Score8/10-
Stops running service(s)
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks for any installed AV software in registry
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Impair Defenses
1Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
6Remote System Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1