
Resubmissions

  • 23/12/2024, 21:21 UTC: 241223-z7fwrs1rcr (score 9/10)
  • 23/12/2024, 21:05 UTC: 241223-zw8sea1mfs (score 9/10; this report)
  • 23/12/2024, 20:57 UTC: 241223-zrznya1ldx (score 9/10)

General

  • Target

    https://cdn.discordapp.com/attachments/1282174183467384855/1282175372150181898/BootstrapperV1.18_4.exe?ex=676ace1e&is=67697c9e&hm=3ccc40795bb30a7897d308a7232b463b0a8c2c518f4deb5cf58eea72254787b3&

  • Sample

    241223-zw8sea1mfs
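The Target above is a signed Discord CDN attachment link, and such links carry more than a file name: the attachment ID is a snowflake whose upper bits encode the upload time, and the `ex`/`is` query parameters are hex Unix timestamps marking when the signed link expires and when it was issued (`hm` is Discord's HMAC over the link, which cannot be verified without Discord's key). The following Python is an added example, not part of this tria.ge report or of tria.ge's own code; it decodes those fields from the report's Target URL so they can go on record before the link dies. The accepted host list and the `link_is_live` helper are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)   # snowflake epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}  # assumption

# The Target URL from this report, used as the sample input.
REPORT_TARGET = ("https://cdn.discordapp.com/attachments/1282174183467384855/"
                 "1282175372150181898/BootstrapperV1.18_4.exe"
                 "?ex=676ace1e&is=67697c9e&hm=3ccc40795bb30a7897d308a7232b463b"
                 "0a8c2c518f4deb5cf58eea72254787b3&")


def snowflake_time(snowflake):
    """Discord IDs are snowflakes: the top 42 bits hold milliseconds since 2015-01-01."""
    return DISCORD_EPOCH + timedelta(milliseconds=int(snowflake) >> 22)


def _hex_unix_time(params, name):
    """ex/is are hex-encoded Unix timestamps; absent on old, unsigned links."""
    if name not in params:
        return None
    return UNIX_EPOCH + timedelta(seconds=int(params[name][0], 16))


def parse_discord_attachment(url):
    """Break a Discord CDN attachment URL into the facts an analyst wants on record."""
    u = urlparse(url)
    if u.netloc not in DISCORD_CDN_HOSTS:
        raise ValueError(f"not a Discord CDN host: {u.netloc!r}")
    parts = u.path.strip("/").split("/")
    # Layout: /attachments/<channel_id>/<attachment_id>/<filename>
    if len(parts) != 4 or parts[0] != "attachments":
        raise ValueError(f"unexpected attachment path: {u.path!r}")
    _, channel_id, attachment_id, filename = parts
    params = parse_qs(u.query)          # the trailing '&' yields no extra key
    return {
        "channel_id": channel_id,
        "attachment_id": attachment_id,
        "filename": filename,
        "uploaded": snowflake_time(attachment_id),   # when the file reached Discord
        "issued": _hex_unix_time(params, "is"),      # when this signed link was minted
        "expires": _hex_unix_time(params, "ex"),
        "signed": "hm" in params,   # HMAC present; key is Discord's, so not checkable here
    }


def link_is_live(info, now):
    """True if the link is inside its validity window at `now` (example helper)."""
    if info["expires"] is None:
        return True                      # unsigned legacy links did not expire
    if info["issued"] is not None and now < info["issued"]:
        return False
    return now < info["expires"]


if __name__ == "__main__":
    info = parse_discord_attachment(REPORT_TARGET)
    for key, value in info.items():
        print(f"{key:14} {value}")
    submitted = datetime(2024, 12, 23, 21, 5, tzinfo=timezone.utc)  # this report's time
    print("live at submission:", link_is_live(info, submitted))
```

Run against the Target above, this gives an upload time of 2024-09-08 03:07:10 UTC for the attachment, a link issued 2024-12-23 15:07:10 UTC and expiring exactly 24 hours later, so the link was still live when this analysis was submitted at 21:05 UTC but is dead now; anyone who needs the binary later must rely on the sample stored with the report, not on the URL.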

Malware Config

Targets

    • Target

      https://cdn.discordapp.com/attachments/1282174183467384855/1282175372150181898/BootstrapperV1.18_4.exe?ex=676ace1e&is=67697c9e&hm=3ccc40795bb30a7897d308a7232b463b0a8c2c518f4deb5cf58eea72254787b3&

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox stamps its OEM ID into the guest's ACPI tables, which Windows exposes under HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT as subkeys named VBOX__; reading them is a common virtual machine check.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Blocklisted process makes network request

    • Checks whether UAC is enabled

      Typically a read of EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, done to decide whether an elevation attempt will prompt the user.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

      The payload is fetched from cdn.discordapp.com (see Target). Discord's CDN is allowed through most web filters, and its attachment links are signed and expire, so the URL is unlikely to still serve the file.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the calling thread from reporting debug events, so breakpoints and single-stepping in that thread silently fail; a classic anti-debugging trick.
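Each behaviour above is a weak signal on its own; the point of the report is that one process performs the whole set: VirtualBox ACPI keys, BIOS strings, the configured country, the UAC setting, non-C: drive roots and ThreadHideFromDebugger. The following Python is an added example, not tria.ge's signature code, which is not published here. It runs regular-expression checks for those lookups over a constructed trace in a simple key=value layout invented for the example; the registry paths and the 0x11 information class are the standard ones behind each named behaviour, and the evasion grouping is this example's own choice.

```python
import re

# Constructed sample trace for this example (not tria.ge's event format):
# one "pid=<n> op=<api> path=<value>" or "... class=<value>" line per event.
SAMPLE_EVENTS = [
    "pid=4120 op=RegQueryValue path=HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "pid=4120 op=RegQueryValue path=HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    "pid=4120 op=RegQueryValue path=HKCU\\Control Panel\\International\\Geo\\Nation",
    "pid=4120 op=RegQueryValue path=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
    "pid=4120 op=CreateFile path=D:\\",
    "pid=4120 op=CreateFile path=E:\\",
    "pid=4120 op=CreateFile path=C:\\Users\\user\\AppData\\Local\\Temp\\upd.dll",
    "pid=4120 op=NtSetInformationThread class=0x11",
    "pid=900 op=RegQueryValue path=HKLM\\SOFTWARE\\Classes\\.txt",
    "this line is not an event and is skipped",
]

EVENT_RE = re.compile(r"^pid=(\d+) op=(\w+) (?:path|class)=(.*)$")

# (operation, pattern) per signature: the usual lookups behind each behaviour
# named in the report (assumption: tria.ge's own rules may differ in detail).
SIGNATURES = {
    "virtualbox_acpi": ("RegQueryValue",
        re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    "bios_info": ("RegQueryValue",
        re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\"
                   r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion|BIOS\\)", re.I)),
    "location_geofence": ("RegQueryValue",
        re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    "uac_enabled": ("RegQueryValue",
        re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    "enumerates_drives": ("CreateFile",
        re.compile(r"^[ABD-Z]:\\$", re.I)),          # any drive root except C:\
    "hide_from_debugger": ("NtSetInformationThread",
        re.compile(r"^(0x11|17)$", re.I)),           # ThreadHideFromDebugger
}

# Signatures that exist only to detect analysis environments.
EVASION = {"virtualbox_acpi", "bios_info", "location_geofence", "hide_from_debugger"}


def parse_event(line):
    """Return {'pid', 'op', 'value'} for a trace line, or None if it is not an event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"pid": int(m.group(1)), "op": m.group(2), "value": m.group(3)}


def match_signatures(lines):
    """Map signature name -> list of (pid, value) evidence, in trace order."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, (op, pattern) in SIGNATURES.items():
            if ev["op"] == op and pattern.search(ev["value"]):
                hits.setdefault(name, []).append((ev["pid"], ev["value"]))
    return hits


def evasion_count(hits):
    """Number of distinct sandbox/debugger-evasion signatures that fired."""
    return len(EVASION & set(hits))


if __name__ == "__main__":
    hits = match_signatures(SAMPLE_EVENTS)
    for name, evidence in hits.items():
        print(f"{name:20} {evidence}")
    print("evasion signatures:", evasion_count(hits))
```

On the constructed trace all six signatures fire for pid 4120 and four of them are evasion checks; the benign pid 900 read of a file-association key matches nothing. In practice the per-process grouping matters more than the raw count: a single process that probes the hypervisor, BIOS, locale and debugger before dropping a Themida-packed PE is the pattern this report scores at 9/10.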

MITRE ATT&CK Enterprise v15

Tasks
