General
Target: Discord Hacking Tool.zip
Size: 82KB
Sample: 241025-z3pywasnev
MD5: 08a190b8109b3f06d7eb35f38ece7701
SHA1: b700c8a3cb549be3e6455d0463aec0193f73f738
SHA256: 860d087ed4f842dac47db90889190b96300c4feda853947a2bc0e28a0c4c0489
SHA512: 3a6847dc2edfc45b41812d64d2e1ec92e37d6259383cae3d593925f0df8c163d77e2f41ce0d02c4bd8b4eb9541b080a6c33d74ad09a4cc11ffc8dcda4e4adbdc
SSDEEP: 1536:0uAF19jtwPSvvRDfnFXDbEz/NEaI+fjBsDcdmFv:0uy19yPSFh0ma3f+o2
Static task: static1
Behavioral task: behavioral1
  Sample: Discord Hacking Tool.zip
  Resource: win11-20241007-en
Behavioral task: behavioral2
  Sample: DoxingTool.exe
  Resource: win11-20241007-en
Behavioral task: behavioral3
  Sample: DoxingTool.exe
  Resource: win11-20241007-en
Malware Config
Targets

Target: Discord Hacking Tool.zip
Size: 82KB
MD5: 08a190b8109b3f06d7eb35f38ece7701
SHA1: b700c8a3cb549be3e6455d0463aec0193f73f738
SHA256: 860d087ed4f842dac47db90889190b96300c4feda853947a2bc0e28a0c4c0489
SHA512: 3a6847dc2edfc45b41812d64d2e1ec92e37d6259383cae3d593925f0df8c163d77e2f41ce0d02c4bd8b4eb9541b080a6c33d74ad09a4cc11ffc8dcda4e4adbdc
SSDEEP: 1536:0uAF19jtwPSvvRDfnFXDbEz/NEaI+fjBsDcdmFv:0uy19yPSFh0ma3f+o2
Score: 8/10
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory

Target: DoxingTool.dll
Size: 25KB
MD5: e26bdff7f6d0c4fb4606623728e1a558
SHA1: 5c57ebadce6f3f1270386cce89c0aad582a3c3cc
SHA256: ea14f05315fb2995fa1e33444d9d5a4686d7d96e25a46e0f796a082f31a23b17
SHA512: f233364e0d4cb1f20b870f90390160656d7ac74a064be5a61957f5912922eee573beb37707be88808a05bfad52abc36c01c99db80a1fd854b5b9ce5804d1e350
SSDEEP: 384:dP9egjRl2svFBZT+X0PMTJDXJkLD4q9NqzLXaokwhlP3u55eXtvZbbo33Io0r+ox:dPVTNrV9wz1E5EtRbkY7YcxP
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory

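The persistence and evasion signatures reported for Discord Hacking Tool.zip and DoxingTool.dll above (Active Setup, Run key, service image path, COM hijacking, Safe Mode boot entry, RDP port change) all materialise as registry writes, so one Sysmon value-set detector covers both targets. The following is an added example written for this page, not code from tria.ge or from the analysed sample: the Sysmon Event ID 13 field names (EventID, Image, TargetObject, Details) are real, the event records are constructed for the example, and the "user-writable path means higher severity" heuristic is the example's own assumption rather than anything the report states.

```python
"""
Registry-event triage for the persistence and evasion signatures listed above
for Discord Hacking Tool.zip and DoxingTool.dll: Active Setup, Run keys,
service ImagePath writes, COM hijacking in a user hive, Safe Mode boot entries
and the RDP port number.

Added example for this page, not tria.ge code. It consumes Sysmon Event ID 13
(RegistryEvent: Value Set) records as dicts; the field names follow Sysmon's
schema, the event contents below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Registry locations behind the report's signatures, matched against the
# Sysmon TargetObject path (Sysmon writes hive prefixes as HKLM / HKU).
PERSISTENCE_RULES = {
    "Active Setup": re.compile(
        r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
    "Run key": re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I),
    "Service image path": re.compile(
        r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I),
    "COM hijack (user hive)": re.compile(
        r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(?:InprocServer32|LocalServer32)\\", re.I),
    "Safe Mode boot entry": re.compile(
        r"^HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I),
    "RDP port change": re.compile(
        r"\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$", re.I),
}
# Assumption of this example: a persistence target living in a user-writable
# directory is the stronger signal, so it is rated "high" instead of "medium".
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DEFAULT_RDP_PORT = 3389


@dataclass
class Finding:
    rule: str
    target: str
    image: str
    details: str
    severity: str


def dword_value(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000d3d)' Details rendering into an int."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def scan_registry_events(events):
    """Return one Finding per Event ID 13 record that hits a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # only value-set events carry Details
            continue
        target = ev["TargetObject"]
        details = ev.get("Details", "")
        for rule, pattern in PERSISTENCE_RULES.items():
            if not pattern.search(target):
                continue
            if rule == "RDP port change":
                if dword_value(details) == DEFAULT_RDP_PORT:
                    break                    # default port written back: not a change
                severity = "high"
            else:
                severity = "high" if USER_WRITABLE.search(details) else "medium"
            findings.append(Finding(rule, target, ev.get("Image", ""), details, severity))
            break                            # one finding per event
    return findings


SAMPLE_EVENTS = [  # constructed Sysmon Event 13 records, not taken from the report
    {"EventID": 13, "Image": r"C:\Users\user\Downloads\DoxingTool.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath",
     "Details": r"C:\Users\user\AppData\Roaming\WinSvc\DoxingTool.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Downloads\DoxingTool.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinSvc",
     "Details": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\dxtsvc\ImagePath",
     "Details": r"\??\C:\Windows\System32\drivers\dxt.sys"},
    {"EventID": 13, "Image": r"C:\Users\user\Downloads\DoxingTool.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32\(Default)",
     "Details": r"C:\Users\user\AppData\Roaming\WinSvc\DoxingTool.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber",
     "Details": "DWORD (0x0000D431)"},          # 54321
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dxtsvc\(Default)",
     "Details": "Service"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",   # default port: ignored
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber",
     "Details": "DWORD (0x00000D3D)"},
    {"EventID": 12, "Image": r"C:\Windows\explorer.exe",           # key create: ignored
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"},
]


def demo():
    return scan_registry_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.rule}: {f.target} <- {f.details} (by {f.image})")
```

Sysmon only emits Event ID 13 for keys its configuration includes, so a production rule set must whitelist these paths in the Sysmon config; the six rules here match the six registry-backed signatures above, and the SafeBoot and Services patterns deliberately ignore writes by anything other than the value path, so a driver drop without a registry write still needs the file-system signature ("Drops file in Drivers directory") to catch it.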
Target: DoxingTool.exe
Size: 147KB
MD5: 86a0ec733f941ef453b58460281c18a4
SHA1: 2d4aa40933ce66582b579bd80595a895144fd83c
SHA256: a6e7a4646d31f26762feae4f43d8a3954d93cced09d763ffc47e2489227f9036
SHA512: acb2ec06cbb2e16e3a37fdb81c23885b13da6fabdde2f4fbbcf74f0934299f00ce8948ab03ee69687120123f0056f2a8f12b6aea333816fbafebe364603e7c56
SSDEEP: 3072:Q8vbzyQ6Y1YXrbNK+3FNxacPEMk60RQAnTWU2P:QszAXNK+3FVQRQsTWV
- Xmrig family
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

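The two signatures above that matter most for a detection engineer are the PowerShell Defender-exclusion change and the command obfuscation that accompanies it; the report does not show the script itself, so the following added example (written for this page, not code from tria.ge or from the sample) works from constructed PowerShell Event ID 4104 script blocks and one constructed Sysmon Event ID 1 command line. The light deobfuscation (backtick escapes, string concatenation, case, and a base64 UTF-16LE `-EncodedCommand`) is this example's own assumption about what such a loader might do, not something the report confirms.

```python
"""
Script-block triage for the 'Command and Scripting Interpreter: PowerShell'
signature above (PowerShell used to add Defender exclusions) together with the
'Command Obfuscation' signature listed beside it.

Added example for this page, not tria.ge code. Input records are dicts shaped
like PowerShell Event ID 4104 (ScriptBlockText) and Sysmon Event ID 1
(CommandLine); the sample records are constructed for the example.
"""
import base64
import re

EXCLUSION_CMDLETS = ("add-mppreference", "set-mppreference")
DISABLE_FLAGS = ("-disablerealtimemonitoring", "-disablebehaviormonitoring",
                 "-disableioavprotection", "-disablescriptscanning")
# -EncodedCommand / -enc / -ec followed by base64 of a UTF-16LE script
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# backtick escapes or 'a'+'b' string splicing inside the raw script text
OBFUSCATION_MARKS = re.compile(r"`|(['\"])\s*\+\s*\1")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Undo the cheap obfuscation tricks this example handles: backtick
    escapes, string concatenation, quoting, case and whitespace."""
    s = script.replace("`", "")                 # Ad`d-MpPr`eference
    s = re.sub(r"(['\"])\s*\+\s*\1", "", s)     # 'Add-'+'MpPreference'
    s = re.sub(r"['\"]", "", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def analyze_script(script: str):
    """Return a hit dict when the script changes Defender exclusions or
    switches off a Defender engine, else None."""
    s = normalize(script)
    cmdlet = next((c for c in EXCLUSION_CMDLETS if c in s), None)
    if cmdlet is None:
        return None
    exclusions = {name: value.split(",") for name, value in
                  re.findall(r"-(exclusion(?:path|extension|process)) (\S+)", s)}
    disables = [f for f in DISABLE_FLAGS if f in s]
    if not exclusions and not disables:
        return None
    return {"cmdlet": cmdlet, "exclusions": exclusions, "disables": disables,
            "obfuscated": OBFUSCATION_MARKS.search(script) is not None}


def script_from_record(rec):
    """Pull the script text out of a 4104 record or a Sysmon 1 command line."""
    if rec.get("EventID") == 4104:
        return rec.get("ScriptBlockText")
    if rec.get("EventID") == 1:
        return decode_encoded_command(rec.get("CommandLine", ""))
    return None


def detect(records):
    alerts = []
    for rec in records:
        script = script_from_record(rec)
        hit = analyze_script(script) if script else None
        if hit:
            hit["EventID"] = rec["EventID"]
            alerts.append(hit)
    return alerts


# Constructed records, not taken from the report.
_HIDDEN = r"Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionPath C:\ProgramData\xmr"
_ENCODED = base64.b64encode(_HIDDEN.encode("utf-16le")).decode()
SAMPLE_RECORDS = [
    {"EventID": 4104, "ScriptBlockText":
     r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\WinSvc' "
     r"-ExclusionExtension '.exe','.dll' -ExclusionProcess 'DoxingTool.exe'"},
    {"EventID": 4104, "ScriptBlockText":
     r"& ('Ad'+'d-MpPre'+'ference') -Exclu`sionPath $env:APPDATA\WinSvc"},
    {"EventID": 1, "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"EventID": 4104, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The normalisation handles only the tricks named in its comments; PowerShell also accepts abbreviated parameter names (`-ExclusionP`), splatting and `Invoke-Expression` over a computed string, none of which this example resolves, so the 4104 script block (which logs the script after PowerShell has already resolved most of that) remains the better source than the command line.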
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (2)
    Service Execution (2)
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Defense Evasion
  Impair Defenses (2)
    Safe Mode Boot (1)
  Modify Registry (5)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (3)
    Credentials In Files (3)