Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

passwd.exe

windows7-x64

7

passwd.exe

windows10-2004-x64

8

szczur.exe

windows7-x64

7

szczur.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    viruses.7z

  • Size

    58.0MB

  • Sample

    250211-hh8rtazjes

  • MD5

    b53cfcb8be406b2e948a7237db455b98

  • SHA1

    cbf66d0120b28690578b02462bf31d2c9eff5d9f

  • SHA256

    6f55f3d21550efb245e1208922f24195f31737591d1c493553a989be80eec0dd

  • SHA512

    4245d32db250c759aefc271864aed9280ba28e52da99f9d630ffb8e8547057829da7052cd2d098645ca129357411e394e5dfc36ddb7b3d1f4f103e323c3c8b0e

  • SSDEEP

    1572864:fpyk0ehdG1JDwT+4iWi82yGDVMAQuYSn3cA1:RF0ehGwT+Qi8HGxMA4mc+

Score
10/10
blankgrabberpysiloncollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      passwd.exe

    • Size

      10.0MB

    • MD5

      6c7345f80de6e0d5b32351be100a2279

    • SHA1

      f5ef6f10a2cab097997fddfa891a728119900549

    • SHA256

      36c3f97c77b6cc7871006ed40962ad8812389ce4d26787579789340820a6a135

    • SHA512

      3823fdeeef994b68bba37b463e383585a455932637f0dd167e9fd018a3bf1445855c34432b90fe5fe32447853ad94a026578da3010c2db4a8b2742acb7fff04b

    • SSDEEP

      196608:zWc0ejQ3SfeNTfm/pf+xk4dWRimrbW3jmyr:uCcy/pWu4kRimrbmy8

    Score
    8/10
    discoveryupxcollectioncredential_accessdefense_evasionexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      szczur.exe

    • Size

      60.0MB

    • MD5

      9b7a4089dbad1e1e2b8a2a148ac3a74d

    • SHA1

      3aec6c418e70a5d2f5addbaa7095ce66e0a40aaf

    • SHA256

      f5a543375778ed6ecd291be0c20651f0b176271cd0d48ccab7506d5a9b1f3f31

    • SHA512

      e88384fbe0c048b35bf78fb6408ed6d9bc44898258a80bb4e417be8bd7c69dc1491f6132919237426b445718dffeec786655ab3a20c3fc049064bf5071c485e2

    • SSDEEP

      1572864:w2GKlEWjAOkiqOv8im2AzJE7Bbli0aVrwO:wnKa9OknOv8i3mSw0apw

    Score
    9/10
    upxdefense_evasiondiscoveryexecutionpersistence

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

3
T1564

Hidden Files and Directories

3
T1564.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

1
T1083

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks