General
- Target: b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558
- Size: 502KB
- Sample: 241203-zyjlastra1
- MD5: 3eeeb1f49079f046982efdbb06982a44
- SHA1: fedc3f54f621cd91d88677371386c7c6c26743c1
- SHA256: b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558
- SHA512: 829a085c012b8dbcd6c215a48b371b41171b75f3943aaac2dec50c7912f6b85d072eeaf5c6ebb997666dfec0cf3c038f249eb5c0dd516bc7a4c771384d6fee91
- SSDEEP: 12288:PyveQB/fTHIGaPkKEYzURNAwbAg3/iBsNC3v6R/ZL:PuDXTIGaPhEYzUzA0cBf3CNp
Static task: static1
Behavioral task: behavioral1
- Sample: b605c1dc4ebfc6fa7b93c1c37833114e37cc150f6ea3d1c19696116b44231558.exe
- Resource: win7-20240903-en
Malware Config
Targets
- Detect Umbral payload
- Umbral family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.