Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
https://github.com/Pyran1/MalwareDatabase
-
Sample
250306-dek45axjw2
Malware Config
Extracted
cryptbot
nkoopw11.top
moraass08.top
Targets
-
-
Target
https://github.com/Pyran1/MalwareDatabase
Score10/10-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
CryptBot payload
-
Cryptbot family
-
Detection for the Linux version of Sysjoker cross-platform backdoor
-
Detection for the macOS version of Sysjoker cross-platform backdoor
-
Detection for the windows version of Sysjoker cross-platform backdoor
-
Modifies visibility of file extensions in Explorer
-
SysJoker
SysJoker is a cross-platform backdoor first seen in late 2021.
-
Sysjoker family
-
UAC bypass
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Deobfuscate/Decode Files or Information
Payload decoded via CertUtil.
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Deobfuscate/Decode Files or Information
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1