Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
15/03/2024, 11:36
General
-
Target
dcb1a17e199107565d24735a697f677487dbf253a834c20da0a9ef872af41dfe.exe
-
Size
1.8MB
-
MD5
6a9ddeb72a9d353f44eba424c926a6d7
-
SHA1
db9e7258c00d5722fdb6d127a1ec653904d47c56
-
SHA256
dcb1a17e199107565d24735a697f677487dbf253a834c20da0a9ef872af41dfe
-
SHA512
1e3b2b3b1c693fa8994ecddadbb14656c04ae64c50a83b6ff2bc9f539f44701416df0db47e201326628f40f3d73dfc3b5e188f1dbf77dfb827ab075ee453b154
-
SSDEEP
49152:UoVQB2eWfFHZu4jwuVg3wJSClWvPcVI2:UoW2Vfzu8wuYwJvkvkV
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
risepro
193.233.132.62
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 15 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcb1a17e199107565d24735a697f677487dbf253a834c20da0a9ef872af41dfe.exe"C:\Users\Admin\AppData\Local\Temp\dcb1a17e199107565d24735a697f677487dbf253a834c20da0a9ef872af41dfe.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
-
C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe" /F4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\297530677122_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DA688B62-AAF4-44A8-B92D-204614178DAD} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD54dd9c0c4deb6395ccf5f650197e57155
SHA1b16bedbb3caee75eab52ddd6f2e1fba498ca32e8
SHA2568348cd2acbded5d667b2bca30d31eb1ff959072f12fa31f8fa4c553a194a62c0
SHA512f088d0a2541062c1aa6dc7ccd29a5589105ac9b957f9930c17cf325ea83c797f72a76ff6e5c3cce1fedb69e32dcf207ba49e8d3c10608b89d92724e4f09b1b36
-
Filesize
1.2MB
MD509fb3c7ba4b83dad33bd1ad01d134d41
SHA16db20a316116c8e809334d524819505d301823a2
SHA2566b930b0377b44af0b5d421f42a749f223057cb595f3e2f4235539aabef69c646
SHA512147e8c96cf22c6e03bd97d89cd2a34cd2fac50cd8a888447d5f2a455e13d78c8113f5c7920f0d7ec6b5a4aa96a06cffb3c720a0ec1e396278c38bfe8791cbabd
-
Filesize
1.8MB
MD56a9ddeb72a9d353f44eba424c926a6d7
SHA1db9e7258c00d5722fdb6d127a1ec653904d47c56
SHA256dcb1a17e199107565d24735a697f677487dbf253a834c20da0a9ef872af41dfe
SHA5121e3b2b3b1c693fa8994ecddadbb14656c04ae64c50a83b6ff2bc9f539f44701416df0db47e201326628f40f3d73dfc3b5e188f1dbf77dfb827ab075ee453b154
-
Filesize
3.0MB
MD5337fb89e1788ebb4fb194c99b46dc1d3
SHA137f6a69a3f0a4a2c9f2f9e34a47fc6c43f7b0555
SHA256adea780a32f45e222912a4409117cd12fb8f12ddeed2b17be82a6cd90c868f81
SHA51264ee5251ee58ed826f8f3f7bc208baa08878d8c8a75f02bb106e73f85bee24f822f02b6608ba53a81ee2db04fe0aae187f9d033a7ba0701d8de53d2ff15a5fb5
-
Filesize
2.8MB
MD5c56d12a5d50666c49e98dbe0567c360a
SHA117088c9612b7aa0f6f2ac578141995e295dcf746
SHA256c6ab45c8edac84b524599a3f4dbb22e28f71352cd03b6a9c3b95bccaadb9c94c
SHA5120d828739112a15dbc83b1c32612c3341ad217b8282659938d51fc24ac4bcd3f7328b66f8a83d209ec1a9122bf2fdcabc59b95f0686b973c256597d9234d7b1fd
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
1.1MB
MD531daf23ab709f0cb154615a8178f5639
SHA1b08728841532b13c894da03d69e31af70106a3fe
SHA2560e6e71188d337835cf30df9bbddd0c322c13867159ffe657a8fd83e28d042d47
SHA5123529245bd99f51f7345ade8ed60140e0900f070b98999f4c125c8fcfa92dbdeb94e42ae20416d1672dc6d053b251cb18974f114266a8ffb5f9b21489b58131a3
-
Filesize
2.8MB
MD5c670a2635c9f71c3f2e9c7aa3408850f
SHA11fb73c45e3ebe339f61121388e287feb7a0cd699
SHA256d49e2610a1e11f8d306cb4412dcf700fe6ccc809607c051613ebcf6cc27a38f5
SHA512a2e72a7e38afd008dedbb42bbb77512cc41d07874596b9af287db89491ac16bb8f3438182768a41ce07f1b7cbba53549235d3a913d14c0343817333935a73700
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
3.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB