Analysis
  max time kernel: 148s
  max time network: 136s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 19/05/2024, 11:08
Behavioral task: behavioral1
  Sample: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  Resource: win7-20240508-en
General
  Target: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  Size: 1.6MB
  MD5: 02a35db1e96aa24f90ba697bc0d8e86e
  SHA1: c1accbe93aace82f81de88ea039e1ee9984612d2
  SHA256: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb
  SHA512: ec72519dcf97cdb0c1057acdb777c74f0f4baa8ae06371b957e16eee2031516f5a9735ef354be6a1dbb737af0588bd456384d217e4dcc9dc41599f3bdaacd2ab
  SSDEEP: 49152:TtoV1p1u5haRexAd2MH2zusgE0sOd9/Ms:T61pIeRex3ei3klv
Malware Config
Extracted: amadey 4.20 (18befc)
  C2: http://5.42.96.141
  install_dir: 908f070dff
  install_file: explorku.exe
  strings_key: b25a9385246248a95c600f9a061438e1
  url_paths: /go34ko8/index.php
Extracted: risepro
  C2: 147.45.47.126:58709
Extracted: amadey 4.20 (c767c0)
  C2: http://5.42.96.7
  install_dir: 7af68cdb52
  install_file: axplons.exe
  strings_key: e2ce58e78f631ed97d01fe7b70e85d5e
  url_paths: /zamo7h/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe, explorku.exe, explorku.exe, amers.exe, axplons.exe, ceea1cda1d.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by: explorku.exe, explorku.exe, amers.exe, axplons.exe, ceea1cda1d.exe, 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by: axplons.exe, ceea1cda1d.exe, 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe, explorku.exe, explorku.exe, amers.exe
Executes dropped EXE (5 IoCs)
  PID 2364 explorku.exe
  PID 2736 explorku.exe
  PID 844 amers.exe
  PID 2004 axplons.exe
  PID 988 ceea1cda1d.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine by: explorku.exe, amers.exe, axplons.exe
Loads dropped DLL (8 IoCs)
  PID 2212 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  PID 2364 explorku.exe (3 entries)
  PID 844 amers.exe
  PID 1360 WerFault.exe (3 entries)
YARA rule matches: themida (25 IoCs)
  behavioral1/memory/2212-0-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-1-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-3-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-2-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-5-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-8-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-7-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-6-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2212-4-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/files/0x000c000000016103-16.dat
  behavioral1/memory/2364-23-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-24-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-29-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-28-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-27-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-26-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-25-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-22-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2212-21-0x0000000000230000-0x0000000000763000-memory.dmp
  behavioral1/memory/2364-30-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/2364-93-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/files/0x0006000000016d69-119.dat
  behavioral1/memory/988-134-0x00000000000B0000-0x0000000000744000-memory.dmp
  behavioral1/memory/2364-128-0x0000000000C80000-0x00000000011B3000-memory.dmp
  behavioral1/memory/988-153-0x00000000000B0000-0x0000000000744000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceea1cda1d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\ceea1cda1d.exe" by: explorku.exe
Checks whether UAC is enabled (3 IoCs)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe, explorku.exe, ceea1cda1d.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  PID 2736 explorku.exe
  PID 844 amers.exe
  PID 2004 axplons.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 2364 set thread context of 2736 (process explorku.exe, procid_target 29)
Drops file in Windows directory (2 IoCs)
  File created C:\Windows\Tasks\explorku.job by: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  File created C:\Windows\Tasks\axplons.job by: amers.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  PID 1360 WerFault.exe, pid_target 2364, procid_target 28
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2736 explorku.exe
  PID 844 amers.exe
  PID 2004 axplons.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2212 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  PID 844 amers.exe
Suspicious use of WriteProcessMemory (33 IoCs)
  PID 2212 wrote to memory of 2364 (process 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe, procid_target 28): 4 entries
  PID 2364 wrote to memory of 2736 (process explorku.exe, procid_target 29): 13 entries
  PID 2364 wrote to memory of 844 (process explorku.exe, procid_target 31): 4 entries
  PID 844 wrote to memory of 2004 (process amers.exe, procid_target 32): 4 entries
  PID 2364 wrote to memory of 988 (process explorku.exe, procid_target 33): 4 entries
  PID 2364 wrote to memory of 1360 (process explorku.exe, procid_target 34): 4 entries
Processes

C:\Users\Admin\AppData\Local\Temp\8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb.exe"
  PID: 2212
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    PID: 2364
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      PID: 2736
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
      PID: 844
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
        PID: 2004
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1000014001\ceea1cda1d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000014001\ceea1cda1d.exe"
      PID: 988
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 932
      PID: 1360
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1.8MB
  MD5: 010283edd0ea8485ae403d729798cf05
  SHA1: 9d1e6f5ac6623b4edde5955618eba966c3e87fc8
  SHA256: c80886b860d390aca1fabcd623c7e416bbd625866729f1c6b742bdb7c546cd9a
  SHA512: 45e5363664f522d1ba8b9967692effbec75e015cee5f625134abc2ba9cfa5ce32394386be7f1b3725d56cdd38ad9966486b7888eaea80d89aadd43fd5915bca0

  Filesize: 2.2MB
  MD5: 9d66f0f6202935958ad41b1323ccac32
  SHA1: d292cd86c74cbc04f5b4991f7488ddd595b70687
  SHA256: 4b1853b2af04f198c483dab039091f8647c60092c24bc164a72e3992a400b43f
  SHA512: 96da3b9816df5964a52876d1da6aa3bc31ffd3850c22b4a6470f7e540a0ee8c1fe88468466938049bc9ae83fb2e3d7474e573c88dceeef252ae6699dad6514bd

  Filesize: 1.6MB
  MD5: 02a35db1e96aa24f90ba697bc0d8e86e
  SHA1: c1accbe93aace82f81de88ea039e1ee9984612d2
  SHA256: 8c377ed4fd5732cd10e5e718ae7a4435831aaa6b6c191cd5677b5ee0a7b714cb
  SHA512: ec72519dcf97cdb0c1057acdb777c74f0f4baa8ae06371b957e16eee2031516f5a9735ef354be6a1dbb737af0588bd456384d217e4dcc9dc41599f3bdaacd2ab