Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
http://freeminecraft.net
-
Sample
250219-dbdkwavpcr
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://freeminecraft.net
Resource
win10v2004-20250217-en
Malware Config
Targets
-
-
Target
http://freeminecraft.net
-
Creates new service(s)
-
Downloads MZ/PE file
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall
-
Possible privilege escalation attempt
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
2SIP and Trust Provider Hijacking
2