Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
https://mini-01-s3.vx-underground.org/samples/Samples/VirusSign%20Collection/2024.12/Virussign.2024.12.17.7z
-
Sample
250320-p4kensxjy2
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mini-01-s3.vx-underground.org/samples/Samples/VirusSign%20Collection/2024.12/Virussign.2024.12.17.7z
Resource
win10v2004-20250314-en
Malware Config
Targets
-
-
Target
https://mini-01-s3.vx-underground.org/samples/Samples/VirusSign%20Collection/2024.12/Virussign.2024.12.17.7z
-
Detect Neshta payload
-
Floxif family
-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
NetWire RAT payload
-
Netwire family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Xmrig family
-
Detects Floxif payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Warzone RAT payload
-
XMRig Miner payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify System Firewall
1Indicator Removal
1File Deletion
1Modify Registry
6Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
3Query Registry
10System Information Discovery
10System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
1