Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Photon External.exe
-
Size
448KB
-
Sample
250210-vplxvayqdv
-
MD5
114977c4b8e58661eca598e3e864ccea
-
SHA1
f4cd68a7a9f39252b3d9337f6d4bb1f2b2ba66fb
-
SHA256
de0b828a0c5a7de9ee5cb878bf53c26294106ba05d1cc1d09e34463c6bb37e45
-
SHA512
7e5730e53a6c3b9f444659f81ab582216f54ee36b2d6be59893cd93711ad2dbe125d00ca4107238324321e661a3783cf2b6de6c4f9469fad7677e7a2965bf988
-
SSDEEP
12288:7oZtL+EP8q6BoHdmOhWU9va6vAZQtPgkFDIknaHeELrvajxzp:FI8hBoHdmOhWU9va6vACNF5niecmxz
Behavioral task
behavioral1
Sample
Photon External.exe
Resource
win10ltsc2021-20250207-en
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1338552904809840722/hsyZwj-uzjCk5GrydtVTJEX9YMA707rvYu9a190S3lPA7pLKiUroXIJhqyfI11yKIMUu
Targets
-
-
Target
Photon External.exe
-
Size
448KB
-
MD5
114977c4b8e58661eca598e3e864ccea
-
SHA1
f4cd68a7a9f39252b3d9337f6d4bb1f2b2ba66fb
-
SHA256
de0b828a0c5a7de9ee5cb878bf53c26294106ba05d1cc1d09e34463c6bb37e45
-
SHA512
7e5730e53a6c3b9f444659f81ab582216f54ee36b2d6be59893cd93711ad2dbe125d00ca4107238324321e661a3783cf2b6de6c4f9469fad7677e7a2965bf988
-
SSDEEP
12288:7oZtL+EP8q6BoHdmOhWU9va6vAZQtPgkFDIknaHeELrvajxzp:FI8hBoHdmOhWU9va6vACNF5niecmxz
-
Detect Umbral payload
-
Umbral family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1