General

  • Target

    08112024_1447_BluetraitAgent381.msi

  • Size

    3.6MB

  • Sample

    241108-r6apcswqcr

  • MD5

    0c7d30468c0d5975866b6f10017330d9

  • SHA1

    0f2d7d1d9fa10d46e8d73c75db7509f950578bc6

  • SHA256

    1cd8f56f9213249e555dedda4380add02cbe74fb81a5806ef1eec3935a7f041a

  • SHA512

    6b42376e6c0b69eb5e005a64c1cf6e92a27938ede43badf599c496a508c7d10e5178109e899de79d4aa01b15d982c748f3e5ece657815916f68dcd3fdb2dfd5e

  • SSDEEP

    98304:7JAqhv+JtUaJRWta/Tbs9JVzlgroDWX9Ha:7Jzhv+MaR/c93BW2S9

Targets

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs a command through powershell.exe.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies Windows Firewall

    • Password Policy Discovery

      Attempts to access detailed information about the password policy used within the enterprise network.

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

    • Drops file in System32 directory
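
The signatures above are behaviour categories, not the commands the sample ran (the report does not show those). To turn them into something you can hunt for in your own process and file telemetry, here is an added Python example that is not tria.ge's own signature logic: a small rule set mapping Windows process-creation, file-write and file-read events onto the signature names listed above. The matchers are hypothetical approximations written for this example, and every event in it is constructed for illustration, not taken from this sample. The three remaining signatures (blocklisted process makes network request, downloads MZ/PE file, and the network side of the SMB signature) need network and file-content telemetry and are deliberately left out.

```python
"""Added example (not tria.ge's own signature logic): map Windows process and
file events onto the behaviour signatures listed in the report above.

All events below are constructed for illustration. The report does not show
the commands this sample ran, so these are typical command lines that each
signature category would cover, not the sample's actual behaviour.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "file_write" or "file_read"
    image: str         # full path of the acting process
    cmdline: str = ""  # command line (process events)
    target: str = ""   # path written or read (file events)

    def evidence(self) -> str:
        return self.cmdline if self.kind == "process" else self.target


def _cmd(pattern: str):
    """Build a predicate that matches a regex against a process command line."""
    rx = re.compile(pattern, re.I)
    return lambda e: e.kind == "process" and rx.search(e.cmdline) is not None


# Hypothetical matchers for the report's signature names; the sandbox's real
# rules are not public here and also use network/file-content telemetry.
RULES = [
    ("Command and Scripting Interpreter: PowerShell",
     lambda e: e.kind == "process"
     and e.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))),
    ("Modifies Windows Firewall",
     _cmd(r"\bnetsh(\.exe)?\b.*\badvfirewall\b")),
    ("Password Policy Discovery",
     _cmd(r"\bnet1?(\.exe)?\s+accounts\b")),
    ("Remote Services: SMB/Windows Admin Shares",
     _cmd(r"\\\\[^\\\s]+\\(ADMIN|[A-Z]|IPC)\$")),   # \\host\C$, \\host\ADMIN$ ...
    ("Drops file in System32 directory",
     lambda e: e.kind == "file_write"
     and e.target.lower().startswith("c:\\windows\\system32\\")),
    ("Enumerates connected drives",                 # root of any drive but C:
     lambda e: e.kind == "file_read"
     and re.fullmatch(r"[abd-z]:\\", e.target.lower()) is not None),
]


def evaluate(events):
    """Return {signature name: [evidence strings]} for every rule that fired."""
    hits: dict[str, list[str]] = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(e.evidence())
    return hits


SAMPLE_EVENTS = [  # constructed events, not taken from the sample
    Event("process", r"C:\Windows\System32\msiexec.exe",
          cmdline=r"msiexec.exe /i C:\Users\user\Downloads\installer.msi /qn"),
    Event("process",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\setup.ps1"),
    Event("process", r"C:\Windows\System32\netsh.exe",
          cmdline='netsh advfirewall firewall add rule name="Agent" dir=in action=allow program="C:\\Program Files\\Agent\\agent.exe"'),
    Event("process", r"C:\Windows\System32\net.exe",
          cmdline="net accounts /domain"),
    Event("process", r"C:\Windows\System32\net.exe",
          cmdline=r"net use \\fileserver01\C$ /user:corp\svc *"),
    Event("file_write", r"C:\Windows\System32\msiexec.exe",
          target=r"C:\Windows\System32\drivers\agentdrv.sys"),
    Event("file_read", r"C:\Windows\System32\msiexec.exe", target="D:\\"),
    Event("process", r"C:\Windows\System32\net.exe", cmdline="net start"),  # benign
]

if __name__ == "__main__":
    for name, evidence in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

Run on the constructed events, six of the report's signatures fire and the benign `net start` event fires none. The matchers deliberately key on command-line and path shape rather than on an image name alone: `net.exe` is used both for the password-policy query and for the admin-share connection, and only the arguments tell the two categories apart.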

MITRE ATT&CK Enterprise v15

Technique names in the signatures above (Command and Scripting Interpreter: PowerShell, Password Policy Discovery, Remote Services: SMB/Windows Admin Shares) follow this ATT&CK version.