General
- Target: 2024-12-24_f964ddfb61ae947de33cfc5d2c3f84d7_spora
- Size: 253KB
- Sample: 241224-qlsh1aymaj
- MD5: f964ddfb61ae947de33cfc5d2c3f84d7
- SHA1: 2d7cc827c636a9c87d01f32dfe456488e89a5df5
- SHA256: 0304704c54651e18d560ebddc7808e85fc1cae7331d4d2adfbfd4195c2f2e2bf
- SHA512: b88a805e86afceb5323af714712ac9912f0aa836d3ebaf1afda426f6c395fd37383ae0210d331e2dd77f5dc39048b35c52c6c403f3b04cc17248dd55d4e6bfcd
- SSDEEP: 6144:xSpsZjPwS/DuL8f8aUChN9lCKF6r2UfzA:9jPlRf8aUm6rFfE
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 2024-12-24_f964ddfb61ae947de33cfc5d2c3f84d7_spora.exe
  - Resource: win7-20241010-en

Behavioral task
- behavioral2
  - Sample: 2024-12-24_f964ddfb61ae947de33cfc5d2c3f84d7_spora.exe
  - Resource: win10v2004-20241007-en
Malware Config

Extracted from C:\Users\Admin\Desktop\_READ_THIS_FILE_7SG1L_.txt
- http://p27dokhpz2n7nvgr.onion/0503-4668-EEF2-008C-1C84
- http://p27dokhpz2n7nvgr.1js3tl.top/0503-4668-EEF2-008C-1C84
- http://p27dokhpz2n7nvgr.1ajohk.top/0503-4668-EEF2-008C-1C84
- http://p27dokhpz2n7nvgr.16bwhs.top/0503-4668-EEF2-008C-1C84
- http://p27dokhpz2n7nvgr.1apkjn.top/0503-4668-EEF2-008C-1C84
- http://p27dokhpz2n7nvgr.16qpet.top/0503-4668-EEF2-008C-1C84

Extracted from C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THIS_FILE_RGAKQ3CQ_.hta
- Family: cerber

Extracted from C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THIS_FILE_GPZ2QK_.txt
- http://p27dokhpz2n7nvgr.onion/FEB5-F8ED-B50E-008C-19E0
- http://p27dokhpz2n7nvgr.1js3tl.top/FEB5-F8ED-B50E-008C-19E0
- http://p27dokhpz2n7nvgr.1ajohk.top/FEB5-F8ED-B50E-008C-19E0
- http://p27dokhpz2n7nvgr.16bwhs.top/FEB5-F8ED-B50E-008C-19E0
- http://p27dokhpz2n7nvgr.1apkjn.top/FEB5-F8ED-B50E-008C-19E0
- http://p27dokhpz2n7nvgr.16qpet.top/FEB5-F8ED-B50E-008C-19E0
Targets
- Target: 2024-12-24_f964ddfb61ae947de33cfc5d2c3f84d7_spora
- Size: 253KB
- MD5: f964ddfb61ae947de33cfc5d2c3f84d7
- SHA1: 2d7cc827c636a9c87d01f32dfe456488e89a5df5
- SHA256: 0304704c54651e18d560ebddc7808e85fc1cae7331d4d2adfbfd4195c2f2e2bf
- SHA512: b88a805e86afceb5323af714712ac9912f0aa836d3ebaf1afda426f6c395fd37383ae0210d331e2dd77f5dc39048b35c52c6c403f3b04cc17248dd55d4e6bfcd
- SSDEEP: 6144:xSpsZjPwS/DuL8f8aUChN9lCKF6r2UfzA:9jPlRf8aUm6rFfE

Signatures
- Cerber family
- Blocklisted process makes network request
- Contacts a large (1096) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)

Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (2)