Analysis
- max time kernel: 33s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/06/2024, 18:05
Static task: static1
Behavioral tasks:
- behavioral1: sample g2m.dll, resource win7-20240220-en
- behavioral2: sample g2m.dll, resource win10v2004-20240508-en
- behavioral3: sample install.exe, resource win7-20240508-en
- behavioral4: sample install.exe, resource win10v2004-20240426-en
- behavioral5: sample run.bat, resource win7-20240221-en
- behavioral6: sample run.bat, resource win10v2004-20240426-en
General
- Target: install.exe
- Size: 39KB
- MD5: f1b14f71252de9ac763dbfbfbfc8c2dc
- SHA1: dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
- SHA256: 796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
- SHA512: 636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
- SSDEEP: 768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description               pid   Process      procid_target
  PID 2320 created 2760     2320  install.exe  50
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2320  install.exe
  2320  install.exe
  2016  dialer.exe
  2016  dialer.exe
  2016  dialer.exe
  2016  dialer.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                         pid   Process      procid_target
  PID 2320 wrote to memory of 2016    2320  install.exe  81
  PID 2320 wrote to memory of 2016    2320  install.exe  81
  PID 2320 wrote to memory of 2016    2320  install.exe  81
  PID 2320 wrote to memory of 2016    2320  install.exe  81
  PID 2320 wrote to memory of 2016    2320  install.exe  81
Processes
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID:2760
  - C:\Windows\SysWOW64\dialer.exe (command line: "C:\Windows\system32\dialer.exe"), PID:2016
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\install.exe (command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"), PID:2320
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory