Resubmissions

27/02/2025, 06:33

250227-hbn4tszmx7 10

26/02/2025, 23:57

250226-3zn4ysxwc1 10

26/02/2025, 23:14

250226-271x2sxmz9 10

14/02/2025, 01:10

250214-bjsnnayne1 10

14/02/2025, 01:00

250214-bc5pmsymhw 10

13/02/2025, 05:01

250213-fnkwtstpgw 10

13/02/2025, 04:24

250213-e1kk6atmaz 10

13/02/2025, 04:08

250213-eqe8patkgx 8

12/02/2025, 23:56

250212-3yzt3azrdx 10

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    250226-3zn4ysxwc1

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

C2

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes
  • encryption_key

    E5250226804167CB0B1B4B0E9667D0C056694DCA

  • install_name

    defenderx64.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Helper

  • subdirectory

    en

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/RpncwxSs

Extracted

Family

redline

Botnet

30072024

C2

185.215.113.67:40960

Extracted

Family

lumma

C2

https://collapimga.fun/api

https://paleboreei.biz/api

Extracted

Family

asyncrat

Version

Esco Private rat

Botnet

Default

C2

196.251.88.53:4449

Mutex

voodynqjploelta

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

vipkeylogger

Credentials

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411

aes.plain

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Domain

C2

jojo.ath.cx:1414

Mutex

AsyncMutex_7SI8OkPne

Attributes
  • delay

    3

  • install

    false

  • install_file

    dllscv.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected]

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Modifies WinLogon for persistence

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex (also spelled Phorpiex) is a malware family that infects systems in order to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Vipkeylogger family

    • XMRig Miner payload

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Async RAT payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Vipkeylogger family

    • XMRig Miner payload

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Async RAT payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • mimikatz is an open source tool to dump credentials on Windows

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to execute payload.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks