General
- Target: uDCsrwmOdpPODlPQ_unpack
- Size: 13.1MB
- Sample: 250228-cy1hgsxwfx
- MD5: 0bce090a0f645f82d9d005d533bd9ae7
- SHA1: f09204f8c25dd2e7d3d477319ce6445fe01a82ed
- SHA256: d13feadac292d97519947c3eb45e0b89eab15757e9e5a06e29f56457f55af225
- SHA512: d72d3053b1312652971b07f949505abcdbf5203b0a4a2502bde1fd1883a66e0564e3e4d2ccc9a9d35c9a9c2c3f30467048f5333b53dd399fa87e73168db4fbc7
- SSDEEP: 196608:LTQUD6IYtKG0ig6S8T0M4JQHMtmE2XIjQIfIw:gUD65j0uS8T0MQqMtsX7f
Behavioral task
- behavioral1
  - Sample: uDCsrwmOdpPODlPQ_unpack
  - Resource: ubuntu2404-amd64-20240729-en
Malware Config
Targets
- Target: uDCsrwmOdpPODlPQ_unpack
- Xmrig family
- Xmrig_linux family
- XMRig Miner payload
- Adds new SSH keys: writes to the Linux file that holds authorized SSH keys. The threat actor may add new keys for further remote access.
- Modifies password files for system users/groups: modifies the files storing password hashes of existing users/groups, likely to grant additional privileges.
- Modifies PAM framework files: modifies Linux PAM framework files, possibly to intercept credentials.
- OS Credential Dumping: adversaries may attempt to dump credentials for use in password cracking.
- Runs EXE from memory: runs an executable from memory, likely to minimize its on-disk footprint.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching: abuses sudo or cached sudo credentials to execute code.
- Adds a user to the system
- Checks hardware identifiers (DMI): checks DMI information, which indicates whether the system is a virtual machine.
- Checks mountinfo of local process: checks the mountinfo of running processes, which indicates whether it is running in a chroot jail.
- Creates/modifies Cron job: cron allows running tasks on a schedule and is commonly used for malware persistence.
- Enumerates running processes: discovers information about the processes currently running on the system.
- Modifies systemd: adds/modifies systemd service files, likely to achieve persistence.
- Reads hardware information: accesses system information such as serial numbers and manufacturer names.
- Reads list of loaded kernel modules: reads the list of currently loaded kernel modules, possibly to detect virtual environments.
- Writes file to user bin folder
- Writes file to system bin folder
- Reads process memory: reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1)
  - SSH Authorized Keys (1)
- Boot or Logon Autostart Execution (1)
  - XDG Autostart Entries (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Modify Authentication Process (2)
  - Pluggable Authentication Modules (2)
- Scheduled Task/Job (1)
  - Cron (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Sudo and Sudo Caching (1)
- Account Manipulation (1)
  - SSH Authorized Keys (1)
- Boot or Logon Autostart Execution (1)
  - XDG Autostart Entries (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Scheduled Task/Job (1)
  - Cron (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Sudo and Sudo Caching (1)
- Indicator Removal (1)
  - Clear Linux or Mac System Logs (1)
- Modify Authentication Process (2)
  - Pluggable Authentication Modules (2)
- Virtualization/Sandbox Evasion (4)
  - System Checks (3)
Credential Access
- Modify Authentication Process (2)
  - Pluggable Authentication Modules (2)
- OS Credential Dumping (2)
  - /etc/passwd and /etc/shadow (1)
  - Proc Filesystem (1)