Analysis
max time kernel
293s
max time network
264s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
30/05/2024, 22:33
Static task
static1
Behavioral task
behavioral1
Sample
07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Resource
win10-20240404-en
General
Target
07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Size
1.8MB
MD5
380f9cd5bc70636263493427881a3245
SHA1
db5a263cf4a3b9a545dec182a707398ec804fc54
SHA256
07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd
SHA512
657b001969caabc745729963dc86ed33e5de965bbba27e15655fc9257ae59445bfd3e2caa45cbe38d6f8f5264a0c65b6c7ec4ee41731e4f958f92098f3e74f47
SSDEEP
49152:HFHbujLoAHkzLPVefM9/bfLMRSxmmp0LvBwnoRSC:AjLbHkzbtkttSoH
Malware Config
Extracted
Family
amadey
Version
4.21
Botnet
0e6740
C2
http://147.45.47.155
install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php
Extracted
Family
amadey
Version
4.21
Botnet
49e482
C2
http://147.45.47.70
install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6d3d40f24d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 93ac2b86cd.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 93ac2b86cd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6d3d40f24d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 93ac2b86cd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6d3d40f24d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe

Executes dropped EXE (5 IoCs)
pid | Process
2436 | explortu.exe
1236 | explortu.exe
1852 | 93ac2b86cd.exe
2220 | axplont.exe
2872 | 6d3d40f24d.exe

Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | 93ac2b86cd.exe
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | 6d3d40f24d.exe
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | explortu.exe

Loads dropped DLL (6 IoCs)
pid | Process
2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
2436 | explortu.exe
2436 | explortu.exe
1852 | 93ac2b86cd.exe
2436 | explortu.exe
2436 | explortu.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\6d3d40f24d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\6d3d40f24d.exe" | explortu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
2436 | explortu.exe
1236 | explortu.exe
1852 | 93ac2b86cd.exe
2220 | axplont.exe
2872 | 6d3d40f24d.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2436 set thread context of 1236 | 2436 | explortu.exe | 29

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\explortu.job | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
File created | C:\Windows\Tasks\axplont.job | 93ac2b86cd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
2436 | explortu.exe
1236 | explortu.exe
1852 | 93ac2b86cd.exe
2220 | axplont.exe
2872 | 6d3d40f24d.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
1852 | 93ac2b86cd.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 2400 wrote to memory of 2436 | 2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe | 28
PID 2400 wrote to memory of 2436 | 2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe | 28
PID 2400 wrote to memory of 2436 | 2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe | 28
PID 2400 wrote to memory of 2436 | 2400 | 07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe | 28
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1236 | 2436 | explortu.exe | 29
PID 2436 wrote to memory of 1852 | 2436 | explortu.exe | 31
PID 2436 wrote to memory of 1852 | 2436 | explortu.exe | 31
PID 2436 wrote to memory of 1852 | 2436 | explortu.exe | 31
PID 2436 wrote to memory of 1852 | 2436 | explortu.exe | 31
PID 1852 wrote to memory of 2220 | 1852 | 93ac2b86cd.exe | 32
PID 1852 wrote to memory of 2220 | 1852 | 93ac2b86cd.exe | 32
PID 1852 wrote to memory of 2220 | 1852 | 93ac2b86cd.exe | 32
PID 1852 wrote to memory of 2220 | 1852 | 93ac2b86cd.exe | 32
PID 2436 wrote to memory of 2872 | 2436 | explortu.exe | 34
PID 2436 wrote to memory of 2872 | 2436 | explortu.exe | 34
PID 2436 wrote to memory of 2872 | 2436 | explortu.exe | 34
PID 2436 wrote to memory of 2872 | 2436 | explortu.exe | 34
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2400

    [depth 2] C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2436

        [depth 3] C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 1236

        [depth 3] C:\Users\Admin\1000004002\93ac2b86cd.exe
            Command line: "C:\Users\Admin\1000004002\93ac2b86cd.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            PID: 1852

            [depth 4] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Identifies Wine through registry keys
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses
                PID: 2220

        [depth 3] C:\Users\Admin\AppData\Local\Temp\1000005001\6d3d40f24d.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\6d3d40f24d.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1.8MB
MD5
f55d40b74d38f0fcea654437183a7b1e
SHA1
200a9623c12df8470efaac73d85a45927c2b3fad
SHA256
d107ed3dadd9d5544a569bd16e0c9eecee52f4f136e1def03c06de46267b4bec
SHA512
385d804bdf040336e5d6862487fd3f07bb2c6c1590ef743f45b2ddef40ccf5b1d84f9389ae5f7114eef38b9d89fbb8de3197760dc4e920ff662717c8d16d9e06

Filesize
2.3MB
MD5
cd1dfa093d37dff12f11f8c1c06d565e
SHA1
d70536c72f489edce93bc0df04e21a905348a817
SHA256
438974434c65fe40fac3a8e076a01fa432be38325ab8b455476f5f4a446b88a5
SHA512
50c1f108821c9fe944a6fe6de7d09dd6f87dcfe3627f76bbc76d124f129acc120db7f1e79ae49ab092e85dccbc21e69abd0999205a3bcca08047a038e5332168

Filesize
1.8MB
MD5
380f9cd5bc70636263493427881a3245
SHA1
db5a263cf4a3b9a545dec182a707398ec804fc54
SHA256
07424eb74c4a1b95cb8b3440f9359efc9fe97d9c8d7ef3ce7f8fec8848806ddd
SHA512
657b001969caabc745729963dc86ed33e5de965bbba27e15655fc9257ae59445bfd3e2caa45cbe38d6f8f5264a0c65b6c7ec4ee41731e4f958f92098f3e74f47