Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
23/06/2024, 12:25
General
-
Target
36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3.exe
-
Size
1.8MB
-
MD5
a434d5c301551f28fd501c1a28bc4cc1
-
SHA1
26dc0809a985fe7e8d605a7fc34498967f3c5bdf
-
SHA256
36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3
-
SHA512
18b62e4171edf7c7590f237551c1d142321b1c99d0889c834cd396b79e3a225d89caeff7050b045296316297cb17e47ce454761e584bfb93d0b774524684a738
-
SSDEEP
49152:C1oNJ1L5HA09H7r7OHUgTN4StRv/QQZ0Ld6HMD:CO1dHA8jOHPvzrZyYs
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3.exe"C:\Users\Admin\AppData\Local\Temp\36b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\2f21b354a1.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\2f21b354a1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\d13a3cf604.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\d13a3cf604.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeefb9ab58,0x7ffeefb9ab68,0x7ffeefb9ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1952,i,12590429170169712926,15717356222622984525,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5ec9bd68709d5a1cb6225f2c55ba6151d
SHA1b230e88e466d341ae135e14ef143c051d405f456
SHA256c84ab92a516c4cbc7e4dec018500eb3d690beb7c2062d6d933390b3168191878
SHA5124ad2a82087ed3a3bc2d070098b3b56638c0cfb8c04571df4598ff58b2d82e30c1597693f3b639c9a4ae6a40020e537edc1f41790a8fb8dd6b1bb3677323bd133
-
Filesize
2KB
MD57094c8cebeb6e05377f2f477f0aeea85
SHA154fc3417f40923610b1e1f6a26a875af04cbe6cb
SHA2562137e3dd162126a83b6dc496149bfbbfbfd9f870b7059e06e08240745a42a200
SHA512c64fda3760e48a38b35e93a0ecc90895008e8019a931b229012b48463daadd54680f56594daf8c036f196052e9e95d4f27daaffb9008d9d9c07db7d6e4045f0c
-
Filesize
2KB
MD56fa577b6421319d57c6ecafd2734b54e
SHA129bce0a847c7ada6ae6e88d08fca921543248ae4
SHA256659cd691714751049bec34dc3f101eea9bb9292d7fcf40a0de45a69ae4d22d65
SHA5124c3ed7fda30260a880b78735d5197f956ad087c3f3c2c85ca4bb7e164bac14e127d3acb481ab55d2265a8e5f18ae9ee66e37e99d3db39d90639077d456bf5eca
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD51358a525c8c425c5f434816c7cea6be1
SHA172e851065da7c24501fd29a7341b74ab02806e32
SHA256660f8ac673a3a0780290e63b0fc59216db39446bb9425955239d3156053b1161
SHA51264b97c127061a014509624cf491c52b229b4fa800cdd0a0cce9bc849aaed6790bf0ef673003e1c0dd2a64a8bd21cc12fbacaabfa9b725bfc2130f496cef25397
-
Filesize
7KB
MD5aec1e0638aa51c10801e1f16ca54acb6
SHA11a098bcc7c2bb20178d36296e2ff30f0d97fba78
SHA256916b94582cceaed24993fd8858023b33fa0a8eb89457c366cbc85209d01df757
SHA512928056847ee6418d2ac5e7749ad543e5c5ca4f51563680712f5b7dc363e66e669b4a3d3643a82018e53da7b5fc8cace5f68f6eb58d500b56935640ce0ce4ee2c
-
Filesize
16KB
MD597091d9b9f0d19c5f0ab7a51e9a1f48d
SHA127e89bccc103f49e263288d4fae940438045b46b
SHA256290f83fb307a4ce6966327579dd4fee85ac6d1f44001ab3edbe12d661ce0a9cd
SHA512dfba4b2b431317d6b331ee1aaf42e13ae08424e29e8a73d940cefbc19b5a0b7facefd926640dba7a3ab22ffb306acc6d48ef85f913c286ff62e8a88b223e8b61
-
Filesize
279KB
MD5e4ea9afc36d9e3ed3e6dfc616934f78b
SHA19bc91d9dd9f9951d45488ed2f56007bf038bb9ca
SHA256196dd387fe184b160468636c3bbc651f119e392a08b9354f4c5b971229cb17d1
SHA512ea022ebc0c736d5e66e6225d2c8e00d8194d103118b0e0f3c6c7e2bf0ee158881a1d073de014941adc1696f94cdba1a78a62d9ca845cbbd3e73ae61d7034efe5
-
Filesize
2.3MB
MD560132cb27146af72ae6ebd7e2ba5f523
SHA19d04f2edae301a202a0d0221b3534edf6f3c715b
SHA2561999b67fbbddf3311f72661444f6d79955396839495c97584675c61d04f7964a
SHA51224eeae84d8d87caa87f0d78f76b2d54c9a1d40bb7e7168f7d806d6581c7ce42ed029f3f623659e13ca8bba6694c3cc94c753f90e4355d3aabfd22d484150f05d
-
Filesize
2.3MB
MD5f2919adcf551238270aee051002030ee
SHA1ed08d5f622548975869c8b5b6932d1b4f651564b
SHA25644f043047a39e6c5c4d382a85dd6921d456ac18d89d1a4856c5e894e4d44173a
SHA512437ed9206341a8eb1a755c0c2202b673cb59affafd20e380ffde2a0b21cb7b2236011d18a703dfe614fe3e0d6e68807d895c4916364f39699bd0c5a0ecb27178
-
Filesize
1.8MB
MD5a434d5c301551f28fd501c1a28bc4cc1
SHA126dc0809a985fe7e8d605a7fc34498967f3c5bdf
SHA25636b9c3618903fa63a25084b60e268445a1c81d4fac8664ec5552c8b7f523fee3
SHA51218b62e4171edf7c7590f237551c1d142321b1c99d0889c834cd396b79e3a225d89caeff7050b045296316297cb17e47ce454761e584bfb93d0b774524684a738
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.6MB
-
Filesize
4.6MB