General

Target: AngelTokenGen.zip
Size: 38.1MB
Sample: 250328-cmrq7s1sez
MD5: 0e77645241c0250a3e11106fe6f79dc2
SHA1: b4cf8559f5f3a6c3392558e96fd1a3459d75baa5
SHA256: 95d2103d1135e79fc4bd7944ad9c326d0ec9359f9e2ecb9d4965ac96268142c9
SHA512: f3f9ec31af1b4132b5ce9311f7b79ed426ed1fadfd804cb809aa84557585b0a6e68245796f30d0b08068922e277727f32111d13a5b7d701cfba7296dbfa3757f
SSDEEP: 786432:3bLJLxz2myZFHTPZwJP9mN5a+Iuy5Tt2vIBu+iJy2lKkVKG:ZdilZSPskb5TgABdiU+pwG
Behavioral task: behavioral1

Sample: AngelTokenGen.exe
Resource: win11-20250313-en
Malware Config
Targets

Target: AngelTokenGen.exe
Size: 38.5MB
MD5: aa97d3815027f5d8c624f9e86f7e2afa
SHA1: 8d518b5e5472371f301777839939e5b0880736b6
SHA256: d9d78168039c7df2320493ac5cb03e6f94a18e92c6230e8371c409eab922ed76
SHA512: bb205dd500c8ddb197a424fa235ccb4b58849ff4c52b5f1b1a1ae877cf7f0a31cb9cbc443159f087312a8b0212a2845fc439bd93886f7feb78fe56a62c22c109
SSDEEP: 786432:++gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBd+yCsKbXMb8wsqAU8A:cXGMK4XR3bLSCU/+6yPl3+KAcMqAU
- Downloads MZ/PE file
- Modifies Windows Firewall
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Hide Artifacts (1)
  - Ignore Process Interrupts (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Authentication Process (1)
- Modify Registry (1)

Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)