General

  • Target

    freeSpoofer.rar

  • Size

    13.8MB

  • Sample

    250111-tgwxeasqgy

  • MD5

    4de784dcf73d6a71b45f090e999a591b

  • SHA1

    a0dbb8326e1d122c8ef4f8a2bdfb3ec406ad8ebf

  • SHA256

    94985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2

  • SHA512

    83e92a5bea27d2ea801296bee5e249f971e2501d7fb7ebb406d6ff43a75ab2c899b74864e317be4e89a4979787d5a3e600a64dece18dffa1145a991edf11d39d

  • SSDEEP

    196608:P4t4b2VYuO9EjW+gZ9Lu7XD2jbgMleIJS9tGbDkkxmTsmYm0HKdbFrQzTV2bN9VW:P4tVH2ExgZA7XaQMl1JSabQAKdbF9JK

Malware Config

Targets

    • Target

      freeSpoofer/freeSpoofer.exe

    • Size

      1.4MB

    • MD5

      57749553c159683cf8c646bea1fa7e21

    • SHA1

      414bdd48c6fd752f6d6100ad1c38fdecda8ffece

    • SHA256

      5f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13

    • SHA512

      6f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41

    • SSDEEP

      24576:wUNxvqF6FGYJf6yjNQpNONZNlTX5PlGPgquLEIWxUc7N11QaSYx7Gq6n9uX5:wUNxvC6FGYJf6yjNQpNONZnTX5PlGPgQ

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Cerber family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      freeSpoofer/tools/AFUWINx64.EXE

    • Size

      1015KB

    • MD5

      59a47fc8e9b4396dddb52907a8a54177

    • SHA1

      d16c0825ea1ce721b00df160d826475fda2bae44

    • SHA256

      03e11400f15251c9bf2d764b1020f32904f9569a426adfbe26b21e04898c8800

    • SHA512

      e857e9627b811d48510e14f0b8e65a12eb4153d0e05ad322cc8b95f6ee5c52cc018a1073acecbed43148de26e5c252ae9a2a6d5fdda1b585dfc41f030bb2f6e3

    • SSDEEP

      24576:xplWGl3HtCFYAQaYe9pwD+yweJUCHHWDa:8Ye9K+5L

    • Score

      1/10

    • Target

      freeSpoofer/tools/AMIDEWINx64.EXE

    • Size

      377KB

    • MD5

      8690997c90d94b5a10f2fe39caa0d7a6

    • SHA1

      ad05c719b046da3946e370409b342e3c67946a87

    • SHA256

      157f846e4865f27898917304ba4480f6d67a327cbb25a790f885a78b8fba6db1

    • SHA512

      39d2ff1aa49cdb302fd88f6903d71d0008e89ff9113eab8a3ca2b7dbc0e5604a059f8c6f798c97971149f80a379a73ea6900ad46cce5203effe5c226bcd080e0

    • SSDEEP

      6144:u0lLNvLmP/LgoYG5HViOlHH7qKPUcky2FpwhPa24UW3Pl+MnUURgr:lzmP/Lgk5HViOlHH7qKPfky2FpwhyV38

    • Score

      1/10

    • Target

      freeSpoofer/tools/LeCrud64.sys

    • Size

      46KB

    • MD5

      3e5c48ee4bdd6229f6bef52e940af600

    • SHA1

      f8dc06c1fda53ee0f64306ad76c070ab2f5b2350

    • SHA256

      f3046cf53ef29e9882918978310680497a1a329076c046697b4a1312f590fc09

    • SHA512

      b9c289c6f301a32bc719cecb8aba99bf32539467f1e3762dacbd529339e0c9d5946235f98dfb9c3d5f9f07a7e4c4714236fe570d71aeb33c091c894576d6b0f8

    • SSDEEP

      768:m1aGDGmA4cTr5efxS4EyRuaCjeLmNGUooNzYieNdVPxWEGg5x9z4cOo:GqeEfeLKo2z7enVPxP5jzgo

    • Score

      1/10

    • Target

      freeSpoofer/tools/Volumeid64.exe

    • Size

      165KB

    • MD5

      81a45f1a91448313b76d2e6d5308aa7a

    • SHA1

      0d615343d5de03da03bce52e11b233093b404083

    • SHA256

      fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

    • SHA512

      675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

    • SSDEEP

      3072:PngbfXWm18pX82lOl7NuT7DLM5Weo5UFs5QM8JwDmtFk1glurXEa:/gbfXWVoRNuT7DkbFsKM1glI

    • Score

      1/10

    • Target

      freeSpoofer/tools/amigendrv64.sys

    • Size

      36KB

    • MD5

      9accebd928a8926fecf317f53cd1c44e

    • SHA1

      d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4

    • SHA256

      811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2

    • SHA512

      2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e

    • SSDEEP

      768:cBOmh786zi+NqkO8Ouwn3uivOyiRZSFInq1os29zjTUD:cXi+NXwnecOyiaFInq1lCz+

    • Score

      1/10

    • Target

      freeSpoofer/tools/applecleaner_2.exe

    • Size

      3.6MB

    • MD5

      f96eb2236970fb3ea97101b923af4228

    • SHA1

      e0eed80f1054acbf5389a7b8860a4503dd3e184a

    • SHA256

      46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

    • SHA512

      2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

    • SSDEEP

      98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      freeSpoofer/tools/lvafudrv64.sys

    • Size

      35KB

    • MD5

      8d533ae1500f743a177b27c88a241163

    • SHA1

      52c25cf4c903714fa52870a16d143fb6aeb0fa99

    • SHA256

      b9e8de155fb9aabb4760034a65855130eb85aadc88963e40e2be87b049c025bf

    • SHA512

      546c9309b9b078ce4c49a3b56ec8d77b0fd4c0bd583f4bce53705f854fe2addba5c8029ed8b8da9e944b2c212d2ee0508095bf20c12632b760a5c271d19940de

    • SSDEEP

      384:mrzqfCQlZluZfnktrQsHGh1jEiI4IHith5kCN88ZGmGovy8ZpHcS8FRJvIsWAR9k:+dCluVG0zuiv1yiR89PL9zIf

    • Score

      1/10

    • Target

      freeSpoofer/tools/tmac/Installer.exe

    • Size

      189KB

    • MD5

      34636047a124a3bdb21ff9c2b9402250

    • SHA1

      49ecf948cfd6e85f38007b4267792d75031da015

    • SHA256

      0d3390d29cde2d1f4b147d70fc7008abe2107c5cfdc0d1bfa746a180b70e03fe

    • SHA512

      607d9a123c9b0a3fb74503e78255ac2033177f36903272660f9f650639496662d16177f47e61204e699172ba4233cda23442be538e6a07a2e39632eb709c0e9d

    • SSDEEP

      3072:68dMhw/SymvBpLYDhU6Fh/S1PcU8MsGlUbLB:6I/tmvBpLYDhU6q1PcUnsGubl

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      freeSpoofer/tools/tmac/TMAC.exe

    • Size

      712KB

    • MD5

      230b4c45774e95dd75241068c68aeb0d

    • SHA1

      ef46dd76a8c6d4a7d6882469015a07a9bf660a50

    • SHA256

      6c3d76c9a4d1652ce25ae8c2ba1907167cfaa0054b8e1325f370c52eafa74c97

    • SHA512

      fc08d219e1023d7929250ecab81f640e4114f51b184d9004da0887c93b24a6026931a71da4ef0e95caa2a416d858496b5e174bcd0dd3bd3a76bca6582283e90c

    • SSDEEP

      12288:A3fO0HyZz3H3PrpYMP/KyBAQ+KFBSmbrz6C4QXwmfW/sfH6s7zQcKDsVv/JLSF69:+On5pYyKyBAiFBSmb6CrXwmfW/sfH6sn

    • Score

      3/10

    • Target

      freeSpoofer/tools/tmac/help.html

    • Size

      22KB

    • MD5

      8a707156b8ac8760e9de9f2d62c2050e

    • SHA1

      8bd91f7606a7d456bccca513a14ef6583a1815e7

    • SHA256

      c37d369d1f1ee945da67587b530d433b7fa0d16ba09a9ef13d468141a403c09d

    • SHA512

      a092f62a5646150fc5a3891186c297c12488e509d59c73f5095d5ada0fc4b9356406f332e4e5cfc846b909e599bb6f7be6481c471c7d0b7b796974655e66b266

    • SSDEEP

      192:5jU+nCqyZ5picOcYgWeCsKsbVRDEogq0ZWHaDfPhgA+2/eF5stchmai:5FcZzlrZKsbVRDEBq03gZMeFu

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks