Analysis
- max time kernel: 90s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/01/2023, 18:44
Static task: static1
Behavioral task: behavioral1
- Sample: PDF Editor/Setup.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: PDF Editor/Setup.exe
- Resource: win10v2004-20220812-en
General
- Target: PDF Editor/Setup.exe
- Size: 2.2MB
- MD5: 57eec9f4c439f340671dacfcf681d57e
- SHA1: d85ce1c62994c82d9c8ffcb91a1853a8c6214826
- SHA256: 140f170d8b83611cb8897164be174495dc51961dc34fbccc9a714917cc341b8f
- SHA512: e105343b60bcfedd35d2b304f4d28f23e594db3a4f6b2e4ee00ad9240a34653150320514eca62c3336196e27ce2e6b17032818d34686602815aea6caf8a3e842
- SSDEEP: 24576:yEG5HvVgakU0978UD+xESC+j5EJlTQNEux5PvuOEVi9RPXSqvmoh1WX/S4G75wAc:yxyCnUCg+kF+emEOjWuwP
Malware Config
Signatures
- Detect rhadamanthys stealer shellcode (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4924-144-0x0000000002330000-0x000000000234D000-memory.dmp | family_rhadamanthys
  behavioral2/memory/4924-145-0x00000000025E0000-0x00000000035E0000-memory.dmp | family_rhadamanthys
  behavioral2/memory/4924-151-0x0000000002330000-0x000000000234D000-memory.dmp | family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  21 | 4144 | rundll32.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  4144 | rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | rundll32.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Setup.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  4924 | AppLaunch.exe
  4924 | AppLaunch.exe
  4924 | AppLaunch.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3444 set thread context of 4924 | 3444 | Setup.exe | 81
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4144 | rundll32.exe
  4144 | rundll32.exe
  4144 | rundll32.exe
  4144 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 3444 wrote to memory of 4924 | 3444 | Setup.exe | 81
  PID 3444 wrote to memory of 4924 | 3444 | Setup.exe | 81
  PID 3444 wrote to memory of 4924 | 3444 | Setup.exe | 81
  PID 3444 wrote to memory of 4924 | 3444 | Setup.exe | 81
  PID 3444 wrote to memory of 4924 | 3444 | Setup.exe | 81
  PID 4924 wrote to memory of 4144 | 4924 | AppLaunch.exe | 82
  PID 4924 wrote to memory of 4144 | 4924 | AppLaunch.exe | 82
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | rundll32.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PDF Editor\Setup.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\PDF Editor\Setup.exe"
  PID: 3444
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 4924
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\vcredist_e5683ac.dll",Options_RunDLL 0800cc00-0040-04d0-0e67-2d095d587328
      PID: 4144
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 53KB
  MD5: d4819f34c98e00fcff4f6b77d3b28282
  SHA1: 67deabbb185c2b5605957e487802aafe9039f923
  SHA256: d31a57e03b83291ed81c1d3f054b001b261b103b39b7a8430109c32d8de5d8bd
  SHA512: 3d7c27062b7d3e93d629c7a0eb8dfcdd2d7d2154564d3ab0b4e5d527b177829fcb52ca3c7b5b430d58de22fe27922d7e589c201039c355d7203686a7412f191a