General

  • Target

    b7da7b88697e543da7c734ff276b5fe2.exexx

  • Size

    300KB

  • Sample

    250328-jpc46avqs4

  • MD5

    b7da7b88697e543da7c734ff276b5fe2

  • SHA1

    0f9429137d002162c3cf00df80ff352333a715da

  • SHA256

    09faaeeb52d5c0bdba222478e9787a5232bb88003ea42282bd7edc855a320de3

  • SHA512

    d8a3d397dd6ca84c59b6b55f8d2252e793ab9c152bf3f3102f1eb2df0e2f26765530b5ad6f090c753de086283484eedfadef8b973298be71d19f0bbde12a9335

  • SSDEEP

    1536:ALBZQ0g3ARPHQ+lgURkzY2wmYDuOzdBUdRHVbG9dz:eYMPwIgUscrgRHVbG9dz

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://raw.githubusercontent.com/R4ven1elia/something/refs/heads/main/hacked.png

    exe.dropper: https://drive.usercontent.google.com/download?id=15SxZaEWsqN64G-dGDWi5C31f94CpuuZc&export=download&confirm=t&uuid=b75378f6-8f6c-4166-a88d-75319d1472fa

Targets

    • Renames multiple (785) files with an added filename extension

      This suggests ransomware activity: encrypting files across the system and renaming them.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session data.

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry
