Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
http://temp.sh/whzOx/trash_malware.zip
-
Sample
250306-1br5laxygz
Malware Config
Targets
-
-
Target
http://temp.sh/whzOx/trash_malware.zip
Score10/10-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Jigsaw family
-
UAC bypass
-
Windows security bypass
-
Renames multiple (2014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables RegEdit via registry modification
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt
-
Server Software Component: Terminal Services DLL
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
3Accessibility Features
1AppInit DLLs
1Netsh Helper DLL
1Power Settings
1Pre-OS Boot
1Bootkit
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
3Accessibility Features
1AppInit DLLs
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
4Disable or Modify Tools
3Safe Mode Boot
1Modify Registry
9Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1