Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
IMAGE TOKEN GRABBER.rar
-
Size
7.5MB
-
Sample
250125-zdwp5a1lcr
-
MD5
6feccdbc996aa9755093f74d6b067c93
-
SHA1
20d4c3014ce3b5a8a66a563d9e80fe285d616cc1
-
SHA256
d4a7181637fae1d0032bd53f83965c6a4ba4fc309c739ee8b18f99232579b58a
-
SHA512
d711974b44011ae14848adb9b9e2bdb686c692b865b81d7e0a91dc704a0dc94cb888ffa273eadfa5ddef30f7f7a43eb8d4429dfd6d22bc045ea95723f62dfa96
-
SSDEEP
196608:ofKZvN8X7/9M7nJgLcBBV5U8YUMJj1g3TfGhsB:ofK1Nu0J9BT5bqJBg3TfGw
Behavioral task
behavioral1
Sample
IMAGE TOKEN GRABBER.rar
Resource
win10ltsc2021-20250113-en
Behavioral task
behavioral2
Sample
Builder/Builder.exe
Resource
win10ltsc2021-20250113-en
Malware Config
Targets
-
-
Target
IMAGE TOKEN GRABBER.rar
-
Size
7.5MB
-
MD5
6feccdbc996aa9755093f74d6b067c93
-
SHA1
20d4c3014ce3b5a8a66a563d9e80fe285d616cc1
-
SHA256
d4a7181637fae1d0032bd53f83965c6a4ba4fc309c739ee8b18f99232579b58a
-
SHA512
d711974b44011ae14848adb9b9e2bdb686c692b865b81d7e0a91dc704a0dc94cb888ffa273eadfa5ddef30f7f7a43eb8d4429dfd6d22bc045ea95723f62dfa96
-
SSDEEP
196608:ofKZvN8X7/9M7nJgLcBBV5U8YUMJj1g3TfGhsB:ofK1Nu0J9BT5bqJBg3TfGw
-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Builder/Builder.bat
-
Size
7.6MB
-
MD5
d14ac81cf4ef57049f5df85cb86a1009
-
SHA1
278ac5f19ab61feebf6bb1cfeea4f79103025692
-
SHA256
a2e85d2d5c5bef45f3607c78d62e8f688d34fc15fc58180a86711ac5b1bf3763
-
SHA512
ac1c39f197df9d7d60684016caed0eebdaffe84b88776969c8ccbd33422eeabaaa6ec8aab24f5bee12bfcfa08034fabaf5b2450765e4af6286b992a8f8251644
-
SSDEEP
196608:qQD+kdFf/wfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNW9:N5nfUIHL7HmBYXrYoaUNq
-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3