General
- Target: CrazyNCS.exe
- Size: 122KB
- Sample: 250304-bqtjjavrx3
- MD5: d043ba91e42e0d9a68c9866f002e8a21
- SHA1: e9f177e1c57db0a15d1dc6b3e6c866d38d85b17c
- SHA256: 6820c71df417e434c5ad26438c901c780fc5a80b28a466821b47d20b8424ef08
- SHA512: 3e9783646e652e9482b3e7648fb0a5f7c8b6c386bbc373d5670d750f6f99f6137b5501e21332411609cbcc0c20f829ab8705c2835e2756455f6754c9975ac6bd
- SSDEEP: 1536:frNvVsJysJYUjwRBRZ+dtf9naYlN4ZqhOn6w92znPIW+M2TlT8KV2enfBA2yYd1:zNv+JyS0DZ+hJlMn6w92zgnMq85f2v
Static task: static1
Behavioral task: behavioral1
- Sample: CrazyNCS.exe
- Resource: win10ltsc2021-20250217-en
Malware Config
Targets
- Target: CrazyNCS.exe
Signatures
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Troldesh family
- UAC bypass
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Disables use of System Restore points
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (technique name followed by the number of matching signatures)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (5)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
  - Safe Mode Boot (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (7)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)