Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
23/06/2024, 07:34
General
-
Target
1b375c9362a4b17bf650eb436b828ab254c0336133029564151a041c80653e38.exe
-
Size
1.8MB
-
MD5
5e86c315dddb05f8079aa823fbceea7c
-
SHA1
42d33d7f946ea82e5d320a936c9971295fc3fbe6
-
SHA256
1b375c9362a4b17bf650eb436b828ab254c0336133029564151a041c80653e38
-
SHA512
c61916b0d4dcfc3981bf7b6d77cbdb81a3b68b66ed5c0767cd704886128d66339122db71208b0dc6d5c67882bd3b0895441a0bec326e8f4dc422d1a67818f4e3
-
SSDEEP
49152:mH7xfg2ZxK/yn1aOWtr2Cv2M429dkpfx2Ob+k8:mbVLXK/41rWtdvkpfx2M+F
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b375c9362a4b17bf650eb436b828ab254c0336133029564151a041c80653e38.exe"C:\Users\Admin\AppData\Local\Temp\1b375c9362a4b17bf650eb436b828ab254c0336133029564151a041c80653e38.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\c415bcfd05.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\c415bcfd05.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\bd36778941.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\bd36778941.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe8aac9758,0x7ffe8aac9768,0x7ffe8aac97785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4692 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 --field-trial-handle=1884,i,11739612436240633040,12067677907605930594,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240B
MD54d20db9f63e5108a40f390ed00a9b99a
SHA17dff24722f96f85ffd08cfe8cc040be616688b1c
SHA2565768c10911dbed56f3b862ff916092108c5ab33ab270448624c07226aca90881
SHA512f35a488eadca9d7d4651159dd88eef30583ca9d2f6ae08a530257422f472df6b276f6b206bd20a64b53dfa5a9126ba68267d78053b88f2286a0929fe647cd1ae
-
Filesize
1KB
MD53434dc28a82361d03f6399f4e6ad8542
SHA13fcb562687e9f25df42bdde44aec795ef1d909e0
SHA256f125bfa0019baf7dad945bf2f212a4d9c3b2a8478b7876e76cfa6ddc17225dd8
SHA512307919b6098eded37d3c912023e212c35aa1f8f4e18afc7bc9efb2f967c4efe90bb3120f9b3ed5630a10e79b8973a52094b5d72baf91ac5e7d34b1f8c00b9f64
-
Filesize
705B
MD5ba18a0d709ef743933a8d72482702240
SHA155d2d72117a396d21d5604e8d34e9c873e2dd5e7
SHA256bdc13bf73694f0df892671358045073299f5cab7f28b753114574422a991999b
SHA512978e4657be514173ea8dd83df3049426fee37a3f6f92380b8ac8fbd7aa31f917fc2883bc9768765f45c3aef85dae0b747c5592c61f1ac2faecbefd5d08f22171
-
Filesize
6KB
MD52d3517e8521e2ab345f5716ea252ba94
SHA16deae4eb12d68362c229f8f164178a62d97ab1fa
SHA25682846191b45b03dec78598fd0ab67e884f6fcc6eea768a07db865c8e317e3844
SHA51236b7a143267bad7fdf5ed55f26fd976b7b334b64f87c9db416f49888aedbbeac9fc2f6543f9d3d256e4ba9a3b7797747e7c2ca458c9e4d37246a0259057dd849
-
Filesize
6KB
MD5586837d8e42223b52c61aac8ff8a8a3c
SHA10101cc4c6a050677124a305b50c33f2f3d877667
SHA256312c611fb37c97d9d210c8624e47dcdb34e6ae43cb9165ec4a496e1a19580d54
SHA512bd6673d45e3080a9f54a7a87a0bea8f250aedef3e146265a04deb4c2c6c680fade7d80d32a5d784cd3cdfd4ed872ee38e9b37425126ca77b62ef347f2aff1331
-
Filesize
6KB
MD59e102e6683d60f0eab552a5bc9fc712d
SHA1c91898fd630ab9513f3307935a43607cf076a9fa
SHA2564fd452af188f73fc6f36cc809a838ee4e7f38d2f51288dd18d2cce093d1be011
SHA512c1bc993e31d597ac841f05042e76a7f18e5725117a33bb83de2549098197f91b97a151e568f919b726ca6604b8ca6fa075b1d5a37fa84ee8b9365762fd664609
-
Filesize
279KB
MD5e44e82c81984185c9f42fc588890879e
SHA1caf8bd78b314c5284cbfa75e778dbfff790bbaa8
SHA2569a9f252f85dae1f1a700962062bf72f53dedd4678ac78083d0904cdb89eba579
SHA512b9e259129bc4fcb4356fa63b3dda7a1c53420cd95f243cc8174d6b89a9e91bfacb61075899578014f3ebedeeacc1a32bf5d84992e7e0a492d21eb5dc19285487
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2.3MB
MD5b33a8d92363326931620a15917ac0930
SHA1e4dbc660fe6b17288e24d18a860567d33b3a1fb6
SHA2569e9ea9c197938879aa75f476dfae4b28805e79035d1b79da9d336a8d3a48f057
SHA512cb03e789c1ad4d87e73791f364f96b7c0486f9776be0ecfdf7a3b5624f21a1de17b89ee140ae3e87fa2d14dce2ca52415d11aab809e0027f63c3d3b3b9e8eb78
-
Filesize
2.3MB
MD5eca6ffa57ce83e53c723340f0a39a862
SHA1e543d56871911fae9ece477aa5575c4a16d5fb87
SHA25617b22121789b06189d1b8b792ee15cf4d3f81b05532f996332a46ad5a45f1224
SHA5121a0bafad8dfad103c03e6fe2f7dad4039026759dc434ecb5dc489b64dd150cc5833a8e13dc4c1d5c56e30125b6ec98fc9f438cd3f8e8ab0a1c6f3f97c21c72b8
-
Filesize
1.8MB
MD55e86c315dddb05f8079aa823fbceea7c
SHA142d33d7f946ea82e5d320a936c9971295fc3fbe6
SHA2561b375c9362a4b17bf650eb436b828ab254c0336133029564151a041c80653e38
SHA512c61916b0d4dcfc3981bf7b6d77cbdb81a3b68b66ed5c0767cd704886128d66339122db71208b0dc6d5c67882bd3b0895441a0bec326e8f4dc422d1a67818f4e3
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB