Analysis
- max time kernel: 38s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2023, 14:13
Static task: static1
Behavioral task: behavioral1
  Sample: Audacity lnstallSetup.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Audacity lnstallSetup.exe
  Resource: win10v2004-20221111-en
General
- Target: Audacity lnstallSetup.exe
- Size: 805.0MB
- MD5: 9cc1ace92bdea826528ddf9ed9e6ff15
- SHA1: 29d3d26a7e9f4a42816a78a272ba1b92a7b4f7bb
- SHA256: c9cb8c7e23a392d404db0530819d76d31c2011110872517226171b9c5441096f
- SHA512: 140e94e1212e1b606163259df5ee0fee9e71db3ed072dcbea196fbde56547e89120fd4330294c633bf22b82265d570c6073178a1685769166c091c2d3bcccd42
- SSDEEP: 6144:jkfcNplrEPyT/BvyhN2YWh5kr355555555555555555555555555555555555554:acNpDdyh61
Malware Config
Signatures
- Detect rhadamanthys stealer shellcode (1 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/848-56-0x0000000000160000-0x0000000000199000-memory.dmp  family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  3     1236  rundll32.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  1236  rundll32.exe (4 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
  description  ioc                                                                                                                                                 Process
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook                                   rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook                                   rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook                                   rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                   rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                   rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1236  rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid  Process                    procid_target
  PID 848 wrote to memory of 1236  848  Audacity lnstallSetup.exe  28 (4 events)
- outlook_office_path (1 IoCs)
  description  ioc                                                                                                                Process
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  rundll32.exe
- outlook_win_path (1 IoCs)
  description  ioc                                                                                                                                                 Process
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Audacity lnstallSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Audacity lnstallSetup.exe"
  PID: 848
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child of PID 848)
    Command line: "C:\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll",Options_RunDLL 0900cc00-0040-0495-103a-c82e7dff5915
    PID: 1236
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 53KB
  MD5: 8db7f10952736955f22fc2c162fd73b5
  SHA1: 64d502c2dcb720a29d102c8f5d568216e52d3893
  SHA256: d62418951680bca014016076370389805aa93d8dd92cbc9af762f845762146c2
  SHA512: 2168066f071050bebb1f653eaacdf379b0ac7f06e4873d09e83e8088f918229d31b345efae2110a477e151c6b240a5e8eebe311d56032919395d6af233b2e794