Analysis
- max time kernel: 42s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14/06/2024, 07:38
Static task
- static1: 1 signature

Behavioral task
- behavioral1: sample hoge.exe, resource win7-20240221-en, 6 signatures, 60 seconds

Behavioral task
- behavioral2: sample hoge.exe, resource win10v2004-20240226-en, 5 signatures, 60 seconds
General
- Target: hoge.exe
- Size: 621KB
- MD5: be87ad5596852c9930270778e9eced54
- SHA1: 34a1842d2fd4dbcdc27b892d18ad920ac9d03826
- SHA256: 38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e
- SHA512: a16e49beb95f461ff5d4af63017bdcd9844800e8037d43942e28e0a3dfa71ceb0808e5020f955380902fdb4c9887ed6e092cfce9a9cf24f6be2e3e9586dbef04
- SSDEEP: 12288:zE50GSHrG6W42JcycysY0V3D9wCV+2nXGwnUP345WRgG3OkGGs/Lwmm:o+GSHrG6W42JcychY0FD9wCVBHw3yeJF
Score
10/10
Malware Config
Signatures

Detects DLL dropped by Raspberry Robin (2 IoCs)
Raspberry Robin.
resource | yara_rule
behavioral1/memory/1220-4-0x0000000077070000-0x000000007718F000-memory.dmp | Raspberry_Robin_DLL_MAY_2022
behavioral1/memory/2236-14-0x0000000077070000-0x000000007718F000-memory.dmp | Raspberry_Robin_DLL_MAY_2022
Note: both hits cover the identical 0x0000000077070000-0x000000007718F000 range, once in hoge.exe (1220) and once in dialer.exe (2236). Windows randomizes image bases per boot, not per process, so one region at the same address in two processes is consistent with a single module mapped into both rather than two separate drops; read the family attribution against the Rhadamanthys tag below before relying on it.
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 1220 created 1192 | 1220 | hoge.exe | 21
Read with the process tree below: dialer.exe (2236) appears as a direct child of Explorer.EXE (1192), a sibling of hoge.exe, while hoge.exe (1220) is the process writing into it. That is the layout parent-PID spoofing produces: the real creator is hoge.exe, the recorded parent is Explorer.

Deletes itself (1 IoC)
pid | Process
2236 | dialer.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1220 | hoge.exe
1220 | hoge.exe
2236 | dialer.exe
2236 | dialer.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | 28
PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | 28
PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | 28
PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | 28
PID 1220 wrote to memory of 2236 | 1220 | hoge.exe | 28
Processes
- C:\Windows\Explorer.EXE (command line "C:\Windows\Explorer.EXE"), depth 1, PID 1192
  - C:\Users\Admin\AppData\Local\Temp\hoge.exe (command line "C:\Users\Admin\AppData\Local\Temp\hoge.exe"), depth 2, PID 1220
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\dialer.exe (command line "C:\Windows\system32\dialer.exe"), depth 2, PID 2236
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
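The two signatures that matter here, parent-PID spoofing and cross-process memory writes into a system binary, are only convincing when correlated: a lone WriteProcessMemory hit or a lone odd parent is noise, the pair is an injection chain. The script below is an added example of that correlation, not tria.ge code. Its event records are constructed from the PIDs in this report (1192 Explorer.EXE, 1220 hoge.exe, 2236 dialer.exe); the creator_pid field (the process that actually called NtCreateUserProcess, as a kernel process-creation callback or ETW would see it) and the value 1220 as dialer.exe's creator are assumptions of the example, not data from the report.

```python
"""Correlate sandbox process events into one injection chain.

Added example, not tria.ge code. Records are constructed from the PIDs in
the report; creator_pid and dialer.exe's creator of 1220 are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    parent_pid: int   # parent as recorded in the process tree / PEB
    creator_pid: int  # caller of NtCreateUserProcess (assumed field)


@dataclass(frozen=True)
class MemWrite:
    source_pid: int
    target_pid: int


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed from the report's process tree and signatures.
PROCESSES: List[Process] = [
    Process(1192, r"C:\Windows\Explorer.EXE", parent_pid=0, creator_pid=0),
    Process(1220, r"C:\Users\Admin\AppData\Local\Temp\hoge.exe", 1192, 1192),
    # Listed under Explorer.EXE in the tree; creator 1220 is the assumption
    # that hoge.exe started it with a spoofed parent.
    Process(2236, r"C:\Windows\system32\dialer.exe", 1192, 1220),
]
# Five "PID 1220 wrote to memory of 2236" entries, as in the report.
WRITES: List[MemWrite] = [MemWrite(1220, 2236)] * 5


def is_system_binary(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def find_ppid_spoofing(procs: List[Process]) -> List[Process]:
    """Processes whose recorded parent is not the process that created them."""
    return [p for p in procs if p.parent_pid != p.creator_pid]


def find_injection_chains(
    procs: List[Process], writes: List[MemWrite]
) -> List[Tuple[int, int, int, str]]:
    """Cross-process writes worth escalating, as (source, target, count, why).

    A write is flagged when the writer created the target under a spoofed
    parent, or when the target is a Windows system binary (a benign host
    for hollowing). Writes into a process the writer legitimately parents
    and that is not a system binary are left alone.
    """
    by_pid: Dict[int, Process] = {p.pid: p for p in procs}
    counts = Counter(
        (w.source_pid, w.target_pid) for w in writes if w.source_pid != w.target_pid
    )
    findings = []
    for (src, dst), n in counts.items():
        target = by_pid.get(dst)
        if target is None:
            continue
        reasons = []
        if target.creator_pid == src and target.parent_pid != src:
            reasons.append(
                f"target created by writer with parent spoofed to {target.parent_pid}"
            )
        if is_system_binary(target.image):
            reasons.append("target is a system binary")
        if reasons:
            findings.append((src, dst, n, "; ".join(reasons)))
    return findings


def main() -> None:
    for p in find_ppid_spoofing(PROCESSES):
        print(f"PPID spoofing: {p.image} ({p.pid}) created by {p.creator_pid}, "
              f"reports parent {p.parent_pid}")
    for src, dst, n, why in find_injection_chains(PROCESSES, WRITES):
        print(f"Injection: {src} -> {dst} ({n} writes): {why}")


if __name__ == "__main__":
    main()
```

On real telemetry the creator PID comes from the kernel side (a PsSetCreateProcessNotifyRoutineEx callback or the ETW process-start event), which is exactly what PEB-based parent fields cannot give you; if the only source is the recorded parent, the spoofing check above cannot fire and the system-binary check has to carry the detection alone.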