Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 118s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 23/12/2023, 21:53
Static task
  static1
    1 signatures

Behavioral task
  behavioral1
    Sample: tmp.exe
    Resource: win7-20231215-en
    4 signatures, 150 seconds

Behavioral task
  behavioral2
    Sample: tmp.exe
    Resource: win10v2004-20231215-en
    4 signatures, 150 seconds
General
  Target: tmp.exe
  Size: 2.9MB
  MD5: 50b5f7c97594361c760ecf27a93f3bd4
  SHA1: b4347e675b7b5733ee9cccc9fdeda78f68d32fdc
  SHA256: d20181563c161b0772cfad41069a572fe4c5f4f64d08be9ef99992723cec6c87
  SHA512: 671dbd211fa190482ef69f73440913ccf6cb1cb5b63ffb6177942986554512f76a770ebe801adbef14179eaca26934b9430ddef354007e56423814109eb552c5
  SSDEEP: 49152:pogLnkIaOPQlwORBCEM/97yzWTCiuw7Kz38Q8xTnQbv9+ktdxlISXaaVlKwBopNC:K2nkgKLCEMNBThuw7KzMQ8GF+UdnISXl

Score: 10/10
Malware Config

Signatures

Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description                        pid    Process    procid_target
  PID 2768 created 1208              2768   tmp.exe    10

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    Process
  2768   tmp.exe
  2768   tmp.exe
  2812   dialer.exe
  2812   dialer.exe
  2812   dialer.exe
  2812   dialer.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process    procid_target
  PID 2768 wrote to memory of 2812   2768   tmp.exe    28
  PID 2768 wrote to memory of 2812   2768   tmp.exe    28
  PID 2768 wrote to memory of 2812   2768   tmp.exe    28
  PID 2768 wrote to memory of 2812   2768   tmp.exe    28
  PID 2768 wrote to memory of 2812   2768   tmp.exe    28
  PID 2768 wrote to memory of 2812   2768   tmp.exe    28
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1208

  C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID: 2768

  C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Suspicious behavior: EnumeratesProcesses
    PID: 2812