Analysis
max time kernel: 83s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/02/2023, 13:17

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://github.com/Supaporn341/git-ws-01-341/releases/download/py/appsetup_v11.9.zip
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: https://github.com/Supaporn341/git-ws-01-341/releases/download/py/appsetup_v11.9.zip
  Resource: win10v2004-20220812-en
General
Target: https://github.com/Supaporn341/git-ws-01-341/releases/download/py/appsetup_v11.9.zip

Malware Config
Extracted
Family: vidar
Version: 2.4
Botnet: 764
profile_id: 764
Signatures

Detect rhadamanthys stealer shellcode (2 IoCs)
resource | yara_rule
behavioral2/memory/4688-172-0x0000000002560000-0x000000000257C000-memory.dmp | family_rhadamanthys
behavioral2/memory/4688-176-0x0000000002560000-0x000000000257C000-memory.dmp | family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 2212 created 2868 | 2212 | Installer.exe | 21
Loads dropped DLL (3 IoCs)
pid | Process
2212 | Installer.exe
3476 | ngentask.exe
3476 | ngentask.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
4688 | fontview.exe
4688 | fontview.exe
4688 | fontview.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2212 set thread context of 3476 | 2212 | Installer.exe | 92

Program crash (3 IoCs)
pid | pid_target | Process | procid_target
3976 | 3476 | WerFault.exe | 92
1072 | 2212 | WerFault.exe | 89
4148 | 2212 | WerFault.exe | 89
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ngentask.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ngentask.exe
Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 39384a26b9aed801 | iexplore.exe

Modifies Internet Explorer settings
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382544433" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{24D43F10-F6B2-4221-9A35-F807B8005021}" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2C26BDF5-A6F2-11ED-89AC-CA2A13AD51D0} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | iexplore.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
pid | Process
2212 | Installer.exe (48 entries)
3476 | ngentask.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4688 | fontview.exe
Token: SeCreatePagefilePrivilege | 4688 | fontview.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2268 | iexplore.exe
2268 | iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2268 | iexplore.exe
2268 | iexplore.exe
3844 | IEXPLORE.EXE
3844 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2268 wrote to memory of 3844 | 2268 | iexplore.exe | 80
PID 2268 wrote to memory of 3844 | 2268 | iexplore.exe | 80
PID 2268 wrote to memory of 3844 | 2268 | iexplore.exe | 80
PID 2212 wrote to memory of 3476 | 2212 | Installer.exe | 92
PID 2212 wrote to memory of 3476 | 2212 | Installer.exe | 92
PID 2212 wrote to memory of 3476 | 2212 | Installer.exe | 92
PID 2212 wrote to memory of 3476 | 2212 | Installer.exe | 92
PID 2212 wrote to memory of 3476 | 2212 | Installer.exe | 92
PID 2212 wrote to memory of 4688 | 2212 | Installer.exe | 93
PID 2212 wrote to memory of 4688 | 2212 | Installer.exe | 93
PID 2212 wrote to memory of 4688 | 2212 | Installer.exe | 93
PID 2212 wrote to memory of 4688 | 2212 | Installer.exe | 93
Processes

- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2868
  - C:\Windows\SysWOW64\fontview.exe
    Command line: "C:\Windows\SYSWOW64\fontview.exe"
    PID: 4688
    Signatures:
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Supaporn341/git-ws-01-341/releases/download/py/appsetup_v11.9.zip
  PID: 2268
  Signatures:
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:17410 /prefetch:2
    PID: 3844
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2144

- C:\Users\Admin\AppData\Local\Temp\Temp1_appsetup_v11.9.zip\appsetup_v11.9\Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_appsetup_v11.9.zip\appsetup_v11.9\Installer.exe"
  PID: 2212
  Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    PID: 3476
    Signatures:
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1864
      PID: 3976
      Signatures:
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 524
    PID: 1072
    Signatures:
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 528
    PID: 4148
    Signatures:
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3476 -ip 3476
  PID: 3328

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2212 -ip 2212
  PID: 2068

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2212 -ip 2212
  PID: 3664
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\appsetup_v11.9.zip.6g4yy6w.partial
  Filesize: 5.7MB
  MD5: 8c292dab2adc607d597c8e414f157f60
  SHA1: 5001b2328f7cfe825fcfad06dcf29f5a2a56bed8
  SHA256: b042491b5b9ddbf76b59e1c118272def53ec6f7b443601964b03867c68781750
  SHA512: a857614164b863d344375df78de1a65cc7d444714df63b614df062d22e2864bf90b748e51250ea940462191d01493a8b212e72631783d0a88b4b48e03e3b1231

- Filesize: 334KB
  MD5: 2303afbb371daf8ea5b5a4e231773781
  SHA1: a0956adc94c9cce4a2aeb399328accde1b1326c6
  SHA256: efdb9aa53580c9f3a8200e1a401d1c63c9e3a29a046857f6b89be0a64c2a1a31
  SHA512: 9aab7c7b55d507f28e688c5b8a41811069efb8d35bfbd92de0ffd86e1ceca2e5e681b5c85d51abd139a19f9c48f7a14c5b7e4b7ed540bd5d4a574c7d34d5857f