Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
295s -
max time network
287s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
13/03/2024, 04:54
General
-
Target
881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4.exe
-
Size
1.8MB
-
MD5
3057a14ae0c5f0ceb2858e273ee9633a
-
SHA1
ce9ffe6d73c10e260de31df0b34765708208afee
-
SHA256
881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4
-
SHA512
15e30b0c7b874d1ff11178e147f3adf744a7631e6d94e103bdd150323540131b6f47acbb1d8ad0253071cbca60460da47c9b3abfe0ffc89675c6d83deb8a5dc9
-
SSDEEP
49152:4dW5kRem7F2qwI51qRhqcLSy+Pj+uHR5JKxh9iyU:4c5IL77V51ahjLSy+bxJKX9iyU
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
risepro
193.233.132.62
Extracted
amadey
4.12
http://185.172.128.19
-
install_dir
cd1f156d67
-
install_file
Utsysc.exe
-
strings_key
0dd3e5ee91b367c60c9e575983554b30
-
url_paths
/ghsdh39s/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 16 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4.exe"C:\Users\Admin\AppData\Local\Temp\881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\063562292805_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
-
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe" /F4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9478AC8E-2249-4863-8299-00A9390CABF1} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD53057a14ae0c5f0ceb2858e273ee9633a
SHA1ce9ffe6d73c10e260de31df0b34765708208afee
SHA256881963d131beda0aa2b22a681b74614574962845a6161e093eee1a3c90ca3de4
SHA51215e30b0c7b874d1ff11178e147f3adf744a7631e6d94e103bdd150323540131b6f47acbb1d8ad0253071cbca60460da47c9b3abfe0ffc89675c6d83deb8a5dc9
-
Filesize
3.0MB
MD53d64a79615fce0bd0bcf8d123b5d4218
SHA1d0d27ee13f2e2c169ce0e89fc2d0584f774edd8e
SHA2560821aa04218b032989b65e98adcbecbea94c94378d94d5c7591b124cd78322bd
SHA512f80087fdea0151710cfe0360eb19c243aa87326c121d05615cf47cf2b6caa5bf90bdde6476c3c76eee38b6a0512630a935c2a8d06038658068b9cdc9ee9e11ef
-
Filesize
448KB
MD55c5048dce12b928996e3596b6cf29f34
SHA1f2fc369604ee888700a4ed22e0f98248d1190f54
SHA2560ea69654b92fe6a1aaf63651202d3e9776bc1dd70bcf415f0f11582f83a5a6ed
SHA512410d9ad659dbe190fe7987ab4e163be3295509898f4ef1346a660f7f378b17958adceeb0036d0a06b48c54a025c55f83ef3b3dbcf1128376f09134586fbd0652
-
Filesize
254KB
MD530c78b9b452b853d9144660f60882af0
SHA1a72198fe06d4c360e085bd3e95430587dc6b3559
SHA256acbd7fb9926e116b44487b9eb8e6fd55feb38f9e5fa655ed2cf429ed2dfca8a7
SHA512dadd87c7e6a91a9806127d252f24edc295535e5d2dce5c68203a246a6626454d5f5b5e070439e7d88f10740b3076bf8be34d2c1ca094bab0f26406e4ed8cf7e8
-
Filesize
207KB
MD516dd15303f7900f8c281ff9008893a98
SHA170ca013bf7937ed44d25b602caa53497396c4859
SHA256e51615bdcefd8adc3a300bcd0f397362cd87a7b26e84ed6c73aeda259873d98d
SHA5125274efb18f7ae64b5fd45ed5e7b2d5677bc9c75bf95c81d30fd9c4bd450bc1c2580b2bf63325b1ab13468da871e6fbb8463e18621ceaebadcfa8c0546d562186
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
3.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB