Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

25/01/2025, 05:08

250125-fsmk8axlb1 10

25/01/2025, 04:51

250125-fg8z3sykbk 8

General

  • Target

    consent

  • Size

    1KB

  • Sample

    250125-fsmk8axlb1

  • MD5

    5fe591e38488a4bacbe3777d61f72ad0

  • SHA1

    5b4533087e6544fbb9784b2d0f47a101902fcbc3

  • SHA256

    14c1c40cb4fd42ca927ef64f597ac3cdb44b39d9dde065de9ea8a4bf5afbf16e

  • SHA512

    8b41622a6bb2dc56bb7704bbf12606922652c5336504b037af4d425d7c7877d4626ff8f030c83f542576d3156326f67f7a83c2e8be3a855c7d5d3b8e049da12a

Malware Config

Targets

    • Target

      consent

    • Size

      1KB

    • MD5

      5fe591e38488a4bacbe3777d61f72ad0

    • SHA1

      5b4533087e6544fbb9784b2d0f47a101902fcbc3

    • SHA256

      14c1c40cb4fd42ca927ef64f597ac3cdb44b39d9dde065de9ea8a4bf5afbf16e

    • SHA512

      8b41622a6bb2dc56bb7704bbf12606922652c5336504b037af4d425d7c7877d4626ff8f030c83f542576d3156326f67f7a83c2e8be3a855c7d5d3b8e049da12a

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand STEAM.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks