Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
30/10/2024, 21:17
241030-z5g12s1fqh 1030/10/2024, 18:58
241030-xmnd1ayjfx 630/10/2024, 18:57
241030-xlx7tayjev 330/10/2024, 18:15
241030-wwdeqaygrk 823/10/2024, 22:30
241023-2e6mtssemd 823/10/2024, 13:57
241023-q9j7jatcra 819/10/2024, 02:00
241019-ceyvjssdnq 815/10/2024, 20:13
241015-yzwrksyfpl 715/10/2024, 19:35
241015-ya3htsshmb 615/10/2024, 19:12
241015-xwhvwa1hrh 6General
-
Target
AnyDesk.exe
-
Size
4.8MB
-
Sample
241030-z5g12s1fqh
-
MD5
ecae8b9c820ce255108f6050c26c37a1
-
SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f
-
SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
-
SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
-
SSDEEP
49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
Malware Config
Targets
-
-
Target
AnyDesk.exe
-
Size
4.8MB
-
MD5
ecae8b9c820ce255108f6050c26c37a1
-
SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f
-
SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
-
SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
-
SSDEEP
49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
Score10/10-
Modifies firewall policy service
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies Windows Firewall
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
2Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1