Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ChromeSetup.exe

  • Size

    9.9MB

  • Sample

    250105-zakhpavpds

  • MD5

    2cf8f26d595e65bac9e542be0f953728

  • SHA1

    7c1ec0063366c1d096ef9fc86b661d8fd5d3ce99

  • SHA256

    4b6b21336bd6ac294db8355b08c1a68fc6dafc28ebc3894f30ebda160e9f8fbc

  • SHA512

    eab5ebdc39d340dadbd9663eab5a959b1e07df7d0169ff61ad5e6b0d3a4bc7ab125502e5d25931b61bf91a142aa9398e6ad78acb59f8142b804b9e565807d073

  • SSDEEP

    196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyYa:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXB

Malware Config

Targets

    • Target

      ChromeSetup.exe

    • Size

      9.9MB

    • MD5

      2cf8f26d595e65bac9e542be0f953728

    • SHA1

      7c1ec0063366c1d096ef9fc86b661d8fd5d3ce99

    • SHA256

      4b6b21336bd6ac294db8355b08c1a68fc6dafc28ebc3894f30ebda160e9f8fbc

    • SHA512

      eab5ebdc39d340dadbd9663eab5a959b1e07df7d0169ff61ad5e6b0d3a4bc7ab125502e5d25931b61bf91a142aa9398e6ad78acb59f8142b804b9e565807d073

    • SSDEEP

      196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyYa:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXB

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Windows Firewall

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks