Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08/04/2024, 16:58
General
-
Target
0617485886380f882686bdc485bf315751d727750d0a62b3a3014fb26e7c9d2f.exe
-
Size
1.8MB
-
MD5
d058674b4c815f6814f65f864a16e890
-
SHA1
d5014a9862773df2377e0b800a7dc1d4c2195ebd
-
SHA256
0617485886380f882686bdc485bf315751d727750d0a62b3a3014fb26e7c9d2f
-
SHA512
eace6012480ec41d0b8e234a21c0396c73e42bc62e7c31dcbe2eb858b92bfe440dcf8c8d17b012ecd7a5ae19d274a88f20039d1bef0bc41e9877054fae23ea39
-
SSDEEP
49152:mgzpg20B1vuQG1uVtoIEVcx7aEbEowtMJ8Z41X:8dIuHrDdawZMT41
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 63 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0617485886380f882686bdc485bf315751d727750d0a62b3a3014fb26e7c9d2f.exe"C:\Users\Admin\AppData\Local\Temp\0617485886380f882686bdc485bf315751d727750d0a62b3a3014fb26e7c9d2f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\16a8c4d403.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\16a8c4d403.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000051001\facb1d145e.exe"C:\Users\Admin\AppData\Local\Temp\1000051001\facb1d145e.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa20b9758,0x7fffa20b9768,0x7fffa20b97785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2972 --field-trial-handle=1888,i,8160317113871248729,5301686505632451524,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5ef1395f50ce878bdb4314e2455c2637b
SHA1a73b2cf530903eb41ad97643b9c43b2d9f66e337
SHA25675779065079d849ef3e583ba537a6c08ce395cdb80ca21638adf1420dc72f297
SHA512568136a7ff888406ef80e3dfcc7220ecb5e5e4b611177449ed4ff1712045f4d8eba32740c4974492629e0a88929f63773a9f94d6d92380e025ffd1d9e440aadd
-
Filesize
2KB
MD51f7372d514f55efea5b0891201abd599
SHA162cd844a891023d2ba2ad60681eaf9206257ed14
SHA256a72235a1cfdb8e64403b4f103ea1385e8b92f459ea43f2bb708df91ed8ecbcdb
SHA512d68bd4ff2dc1da63cc42b951708e402f8eebd7b20a572462de1dd3897b7f87ad6ef052afb4e185f6e996c74ee10e92945bbe413f09bf06de4e0bfe64f94c8ba7
-
Filesize
2KB
MD5eeb659c42b5dc5ba692829c49a83eb82
SHA15c9fcf12bc4d1dacaf24a91edd64a90919e46481
SHA256dddcab4d9f28d950bc88867d413dd40885f5ada5de641c4e73b1324b1744c0ee
SHA512c033998976b64ef928c5607e4d53f353a83031b47bb0ddf1e1ba362580b4748a666f7ce77f3599cecab3193df984633aa400f75e4c3d09d23d6c81dd562a8e6f
-
Filesize
707B
MD5171da845f3563b45c73c45cc4eae3ad3
SHA10a45ea3f4d76ffb798e84c5250cf345d767c8a31
SHA256e6f7ab83d8859a1e307e5b31ddb9e1a57c32c19f39476596bb5d18cb17bb5ed1
SHA512658662a10ef0742984a9f572749d73b356d6ec87c9428658684dd36c80a444b97668cc0e3baf8d97ac5947d07a01471417bf8ed7a91d06cf941d7206f8c18357
-
Filesize
6KB
MD58a3a4fc1b18b51e5c21ce1695034e47d
SHA12c3874037d86b9ddc787b235b17334ac40842ba0
SHA256e1f0c8ff0fcff82b3419e9a6967203697fcb0a09bdcfc63b63e1b5a66aeb2155
SHA512a88f565e00ebffd7fa94783c3ace0e4a9f5a79b3822771328f2d0d44912ecd76226998db42ce6f35862308a9d1b45157af60214f771b21dacfb51f1ba4e41798
-
Filesize
15KB
MD5ef4ff16d5441c855089fbdb5de6e0766
SHA1dddc02c4993114c63bcdd7c32d79105a3f1dec2c
SHA2563a44d839dd717316bd93ffce5ead86654a289f7321eb5533b3bbe99a41830c5e
SHA5120f760238f68d7830926fafe2e682eb25be09fab3739d3fad94180bc75a1d85dcbb838299264f30d2eb412ba1a0364fdaf2b18234153fcb08877be5f6778ed387
-
Filesize
260KB
MD550de3608f91b06a11a847488602ce0a8
SHA10e3a914f8605f748819b775b756c2ccc0d030b29
SHA25605cd6f8d2f02785926ba954778e0f3b8605fd6b7e9b2aa63309e53cdd1f47b0b
SHA5124601b86babcaa832c640606e9f67a538d4ae66c3c5c88c136159b85b483504e8a1599b471aeb3fa4bfc91af2d33a02e18b6c20b12ed13808f197c886d26d862f
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
1.8MB
MD5d058674b4c815f6814f65f864a16e890
SHA1d5014a9862773df2377e0b800a7dc1d4c2195ebd
SHA2560617485886380f882686bdc485bf315751d727750d0a62b3a3014fb26e7c9d2f
SHA512eace6012480ec41d0b8e234a21c0396c73e42bc62e7c31dcbe2eb858b92bfe440dcf8c8d17b012ecd7a5ae19d274a88f20039d1bef0bc41e9877054fae23ea39
-
Filesize
3.0MB
MD538afee0aedd3510e82ca0f3d89fd5969
SHA159defe7471007c24a69b6727bb9a529b46904325
SHA2562ead4170a0498d5dd32e60abab017f85cb5594aafb2af6d9ba2c1c15c4f46e90
SHA512cdfd3a06c7fbd1ede71b5945003407ffceec1fddef2f0fae047d7b1b49277b4364806bb41be7adae572180633545adfb2fb84679866a8dbe723eec423b5d323f
-
Filesize
1.8MB
MD58c56326c30676c903ce1e0bcde5a770b
SHA11bf76781c7f8ca96830a66a52ffbcedafac595f7
SHA256356459688c8ba1fd5b4f2f1a2b4ea52ebecf2a673162396479fb22198d444913
SHA51244da8a8a30b844a866fe4841247d76b6fc9fe32da4d899ac18b333901ae42d172107fbcb99e0daa4aa8ef3b39a6f17f73a4a7b7c75683873b4187f89a111e5af
-
Filesize
1.1MB
MD5f0c215f43d9082bcc9f66ef6b2cb317d
SHA1eb654e3a7fa17432f4301567e1eeb1675f930c3b
SHA25604d4d9fd672b6589f0e3b54c4ad1d9df9056265efe325cce920449d3e63dde05
SHA5125bf7951be948e776ab067e5c60436f9795d1d6e93983f1d96bd40a1aea318b01b434ade4a3da8d7dd2195f234be5d1f7a9b24c243d4e552fa8341d71bb40dc7d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB