Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22/06/2024, 01:25
General
-
Target
52ddc1ac2e5e857b26ce0df2a3e06c41863655587a72deba17bd29c0a7068458.exe
-
Size
1.8MB
-
MD5
8ee022fa9992bac7fc37acea71d7d853
-
SHA1
20559f231f2739b3c1ec5d78cf4ef6c0796cc26d
-
SHA256
52ddc1ac2e5e857b26ce0df2a3e06c41863655587a72deba17bd29c0a7068458
-
SHA512
7699d36535c5667bb9b2df152a109bf0f93fa34426690c75bb7ac6a60762dd22a1fbefde38d8a834a5d46b6e440a15d73ab7c5932f3dc069c249533ddf2018af
-
SSDEEP
49152:MUryY5VbjVT/ZFM+5gDN2aEZ1/U6dJzkx7hnkt:oYph3aDNWZ1/U6dJz4
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\52ddc1ac2e5e857b26ce0df2a3e06c41863655587a72deba17bd29c0a7068458.exe"C:\Users\Admin\AppData\Local\Temp\52ddc1ac2e5e857b26ce0df2a3e06c41863655587a72deba17bd29c0a7068458.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\9baea6151a.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\9baea6151a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\d4eefc2743.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\d4eefc2743.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe9c69ab58,0x7ffe9c69ab68,0x7ffe9c69ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3588 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=2024,i,14147074755380280034,13718283894273958985,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
271KB
MD555e238b8631d59989e91c95bab1a7862
SHA1c9a4beea832f80d2ac357e4b083fe8c9d9fecdd7
SHA2564f98545ca8277c46837e6b3d77188be693f0f5ff847f84e5ef3be5687824f065
SHA5121e0ae459de605e9801e637a093cc71ef8ca5f32c24265f1db540d45d0ac46cf3727e9d26b2b8d353813e3881f48d6165b288f1cc5afa09544352fca21a332a29
-
Filesize
216B
MD5f0ea3eb8eef3bd940ad195938d097e41
SHA1dfb2ed8b894ccf6ad77c563135816308c0c75cb4
SHA2561dd328ae49e3d042c710ad22d3fced96911d09f0fcbfe0529fbbafbb25a60f88
SHA5120036b458a22f8b0bb2fdd590f62dd5455a1d6a56e5917f78deda3b685e849de0707f334e33a721aca27ea75ad4b77a5ba7928be18e744e4afc0b66aae629f1a1
-
Filesize
2KB
MD5d0f97ec0de9c7cfe827861bc8f627ed7
SHA12aa5125e136842672be99fc4449a8bb1014f6ba4
SHA256d702b50042d258fbae88cf6671cad863d32705866d174c94f2e0f99b78d50711
SHA512f4b86a11b1b185cd0708ac3b5170482c8e730b2b43b483b3bd89c3ee04e8e89e95bf13f7e77e65e3b0e28a9cd9ed11eded5753193c8e6938804bd4095ba50937
-
Filesize
2KB
MD50590b367c05c77af83354fc994b63533
SHA13e997d86e42dd03daa87273880d0cafb11b8bf70
SHA2561faaf71274e5984a53c4727007235792bb7893883f9261da24d9ed058b09d840
SHA5122f8862a9752398d3d588e927b23fea3abf7001f97e2db82d14196a5db1776133fbe7e057e1bacc8cda4b11baa406c511867b5c9043b9a29a28f0df6fde04e8ac
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5536ef3db8e28373a426f29ba6b480e79
SHA14b6f7f51830960c022dbe745f0cfeb87acff8f63
SHA256c6ac19b98c636934999af7e0a6da4127896c676fc3f4fb5e702dfa35409bbc51
SHA512af1abcabffdb5380655e8fa2118692baace5d773f6274a121f5b868cfbfbe9e56269ddcd0460bd622555e4904c1f17a584870f98b803c9f98a4fac2bb9d06c6e
-
Filesize
7KB
MD529a53bf00f1023e686c17a9d03cd548c
SHA1435f6545a587cb4f23521bcb9d06112c4e2dbc02
SHA2567f9f0fd2cdb5f41f0ca3944f85691c82ed6a28b8263f7442e2ef481477690be2
SHA51294787e1481307b8995f671aa3ca30e4d43bdb350203b51f6e6ea44e2d83bbd42c2368aebc92de5f3edd4641a79a009e7789fe1927b1074b88bbcf5f291154f64
-
Filesize
16KB
MD5619592544c8546854623c0e94ee4abe3
SHA18063bd599c548794e469b2f028efab537e60e03e
SHA2567a3f6ed70cc5393eb311dd2bb9f966206bfbfe4772fb34637fe959aa10a6a323
SHA51221c2cb5291f7cef489bf55689252c5e88afd1f58d5f48e691fb0aef7069765c7fe919b44c099fa95b7d44246463db45be417e86675ba3d41b6cbdb8261220b22
-
Filesize
2.3MB
MD5fa0d1195771551e814c993bf771aa8af
SHA17222f2adb1c759938068e18690d7128b82ef8ddc
SHA25603ac7eeae4705dd719ce4f70b9f01e446ec72add7db683923f2b8f72aefd87b8
SHA51252fcda8a83548c3b5072b54c7b8e3d23d80502d805565a057bc915ba001ae241cb43c0573b5511d57312529a58b7e858bab4127724d6afeef100d95bea9bc89b
-
Filesize
2.2MB
MD553614ad69a27d45e5dfa826d3dc9c8c3
SHA13851521926d5ad72a0d2a889d379bc02b12ac8f1
SHA25697c27621c1e618eeb001b5a1a02c77c4a86e2d7e9ca0c6c4e8f442047d0d6ae3
SHA512e6f08d8e05ddc4136c05e1496022892fbba6ecfd1c0615e544f4ff6d163163f136925d26e5401c4dea52d06343faca1d34722d0bb3052516cdec99acc061c64e
-
Filesize
1.8MB
MD58ee022fa9992bac7fc37acea71d7d853
SHA120559f231f2739b3c1ec5d78cf4ef6c0796cc26d
SHA25652ddc1ac2e5e857b26ce0df2a3e06c41863655587a72deba17bd29c0a7068458
SHA5127699d36535c5667bb9b2df152a109bf0f93fa34426690c75bb7ac6a60762dd22a1fbefde38d8a834a5d46b6e440a15d73ab7c5932f3dc069c249533ddf2018af
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB