Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

97cb4bf23e...db.exe

windows7-x64

10

97cb4bf23e...db.exe

windows10-2004-x64

10

Resubmissions

26/02/2025, 21:51 UTC

250226-1qzg8at1ay 10

21/02/2025, 10:43 UTC

250221-msm1bazmfw 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample

  • Size

    192KB

  • Sample

    250221-msm1bazmfw

  • MD5

    eb5d46bf72a013bfc7c018169eb1739b

  • SHA1

    f55680a34521ef07c2b8dedd1b74a9927990485a

  • SHA256

    97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb

  • SHA512

    b3e2d512c95913fe0ea1732f1e0bea2e849eb2ef98046380b01c76e6ec38a2ad5c00dcb66f90ad1f9d9c3ab97b81cd92318bdbfc84e2d408ed577902511b0c54

  • SSDEEP

    3072:NqRIVOgLw+7Evuahn9oVpORBqS3h1jHRWbDRaGZKMih4lMVHwz:NUIVOgLw+7Evu2nWsBqS3LjxWHR+Gh

Score
10/10
phoboscredential_accessdefense_evasiondiscoverypersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Targets

    • Target

      97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample

    • Size

      192KB

    • MD5

      eb5d46bf72a013bfc7c018169eb1739b

    • SHA1

      f55680a34521ef07c2b8dedd1b74a9927990485a

    • SHA256

      97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb

    • SHA512

      b3e2d512c95913fe0ea1732f1e0bea2e849eb2ef98046380b01c76e6ec38a2ad5c00dcb66f90ad1f9d9c3ab97b81cd92318bdbfc84e2d408ed577902511b0c54

    • SSDEEP

      3072:NqRIVOgLw+7Evuahn9oVpORBqS3h1jHRWbDRaGZKMih4lMVHwz:NUIVOgLw+7Evu2nWsBqS3LjxWHR+Gh

    Score
    10/10
    phoboscredential_accessdefense_evasiondiscoverypersistenceprivilege_escalationransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Phobos family

      phobos

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Renames multiple (321) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.