Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
24/06/2024, 19:36
General
-
Target
24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
-
Size
1.8MB
-
MD5
7ee03d405aca43ba9f24b03f3108bc86
-
SHA1
b9f464590e8092fb33c48b04b2b9b1830486d287
-
SHA256
24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6
-
SHA512
fb0a7e97e44581faddd112b1a8055ff4024ce3886d78b0fc431c94dcd9044892aa278e86a304a29399946430a6efc5bc48fb702a2d05c7286bd757412d1fc366
-
SSDEEP
49152:DbyTGNqduFU046PhnkB+ibfESFjvyZNnUXwpB+1h0oSFW9Ui:DMua9IhnkB+ib/j6jgh0dFwZ
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe"C:\Users\Admin\AppData\Local\Temp\24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\fb81c72f0a.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\fb81c72f0a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\a92f944f00.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\a92f944f00.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff984099758,0x7ff984099768,0x7ff9840997785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4532 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1924,i,12845824870512009785,18097182067990854326,131072 /prefetch:85⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD50224388beaae0e779fc7d1f0ce7c222d
SHA19b441363e27d135bd0cf8a9f34281f185e98e4b0
SHA2568a6077ef0925b76428f5dd190224d867c58f0e563f91ffae298339b79f2face3
SHA5125e5b27326b92a9608d0d6da94a5300ddcc89ec02a67395317091ca64c9015e3f6795535585387c618b0ec127d81c492c092b2788886100cd641a7694316427ce
-
Filesize
705B
MD536327596c0c6e980f9972f402fd29e34
SHA1075419ad23db5051f2dedd579937c498c15515ab
SHA2562017e0747f4af76dfa8e1c3176cdc0cb4a8504add3ca9e67c94e4acb368ba495
SHA5126d5c5c4c0a6fd892a80a56c3bc905b88fb91733234c6ef51aa355083bb8ff4d29b2b9024430443c9bdf0531466ec1852c904cb05b6e88984c73064704e71b007
-
Filesize
1KB
MD57e5c18782e86a0053aab9524adcf9eca
SHA151f7f3670593a87de5f22fa8c71f461fe41b13b6
SHA256d5df3ac07dec392c3a71edc287232daecdd1afd15a4c87affeb33c6323e43e60
SHA512abf19b9343106aefa8d805038854f9d59444f64ce5a6e0e32663ccd85dffc431f916c295026b450abd1894a96efcc206665db281fcfb4b3c51bf744ad253277a
-
Filesize
6KB
MD5fb3cb394a81f307a65d19fed1cbc0fa3
SHA1ea23db46eb327388fd7c0d1bd4e3ac519c4944a8
SHA256f0b7747695056e3e9bfa63c53c3ca44ca9882bbf7d1487265817c6d29c779a18
SHA51218829fbf7e2ff1df8fc027df192d19b8401501ecc6042470d93f6e5534d05f827cb4ca18245b2577552749c55938c79469b6a6c139d239be20b9b5e48c55ccc9
-
Filesize
6KB
MD54bb775b67e12e191abac2b45e2d12c18
SHA1d4bb8220fcbbbe0f36ab4003e2b78eb5c456337c
SHA256e95a2bc89f7c85d389067aca24d5aac6e01fb4560ee3e97034351971c53ec732
SHA5126374d9658061dc072be20b4d82a45426642f0e82e82872bc5b25076f7e38b4714d602d921d17c93aca8ed18bba904080f44a89299f5db3427e129fc75b54e3ef
-
Filesize
6KB
MD5cfb264405c285be13857484d87becc7a
SHA19e4675684202c9bd79b28384d5ff115753fe552d
SHA256f6c2f69064e46dc4aae11e25ab04105f8131b6fbd8e8c4e08cfad4734c0fdc11
SHA512e4794bcc0c7888bb2825b4cc9cf39b38f1ba1717d5ff4b818333153d212de880a4bcb23f9ea9fabf76d318d41147988094ff6a22baf8bf130b67df5414f9f0e1
-
Filesize
280KB
MD56d11ec7e8e8d567b3ab470a8542342bd
SHA19d01348a3170578ad5f1c8e8b5d93e8f006b36f0
SHA2561fb18bde479d4f5738a048d926d5d6aace1ac0a2ade1a1c2119ddb4993ab086e
SHA51210c333007223174448c7932310b98972cb3bd0f7e9257c2b999ad792fbb3a3c2ea1059e694b23b4dc962e60ee7c82d6221adaedef975833b2f33c3adfe4dae0b
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2.3MB
MD5e97a92bda3e0fa17352c15cceb5c5dd9
SHA162ade664c0dc9c774995684e23cf49eaeaf23165
SHA256459f47d3aa8001b8151726c7e74848d949006a62945915c2a1dcadd02a29b8a7
SHA5122adec5ed0a453c6ab45cecb72d269d48fcca54fd5edc41f1414d3cebb83bca5fd19bf6a66f2635df1f9d451a044ebc900a5034d8691531d4db7c357feefbf0a1
-
Filesize
2.3MB
MD564f4e045e3d82bf27eb9a38fba2425e6
SHA1c3a8f3c2725509752d5c9c64ab7e6072c25d3802
SHA25666485826b251863e06e5409225f935dd7416baef765f0b57baedb919e474d886
SHA5126899f4e27eef1df5635d231be4bcd4e3d6538590b6e79f92a353173c088a11cbf2527909da5e3c80e61d060722e061f4af18fdde684cd92d54573881fd2176c7
-
Filesize
1.8MB
MD57ee03d405aca43ba9f24b03f3108bc86
SHA1b9f464590e8092fb33c48b04b2b9b1830486d287
SHA25624304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6
SHA512fb0a7e97e44581faddd112b1a8055ff4024ce3886d78b0fc431c94dcd9044892aa278e86a304a29399946430a6efc5bc48fb702a2d05c7286bd757412d1fc366
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB