Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25/06/2024, 21:27
General
-
Target
06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
-
Size
1.9MB
-
MD5
055cad687823c779f8a13679749d781b
-
SHA1
5d7b9d4240e3a61b5d1b62c1bdae7d26e04170c8
-
SHA256
06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3
-
SHA512
f5f55dbd5d0a99e4b26daecafb4e1137a7067e25da6f2038153321ea97bcada79df4936c29579fe5539a0f0501d715f3795e0f0f1d36b9f21ca80cf155f87a34
-
SSDEEP
49152:OyKrWGWJAxmH+wQe/Y0vKUVHibkijE4GNZqCjUXP:OOGU4mHvTFRkkU6NwCjUf
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe"C:\Users\Admin\AppData\Local\Temp\06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\549831cfb5.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\549831cfb5.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\c1c43106fe.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\c1c43106fe.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeab93ab58,0x7ffeab93ab68,0x7ffeab93ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
216B
MD597ae0610362fdee411221dc605828c76
SHA1dfa13d87906ffd36f7927427d67d75aaa49e1103
SHA25660b1ad18abe9bdba3debcc85135c0654e83a0abd8b40bea7babc5e5c840c3d74
SHA51289cf302f591a8843fd064b718b4a805429bdba3d21bef669d7881883b4d6b31ac8b68d39c3be77d96db0097085d86f3e0df656ce532ec37f568abb842b6c512c
-
Filesize
2KB
MD5ed4e02f19536070c35ce1f5aa0b6739d
SHA1788a6359b75bfc84d3a3c18dbd98c7623ddea666
SHA256a65d9b8552d2faf8219c78a00d2b139b0b16376d1183eae3c5d8c07ed96ee5af
SHA5128e94128722056fde245c126260a20aa2936c354b1324ce589d3b2405557992a6b2d10f5c905526db615ab5c39f83ed44683b138436991ff4b2eb152eba2eab73
-
Filesize
3KB
MD5ab153be0958ddad87c60d03c628f0f6b
SHA197683051b5094d5593d8df3ac8c5a02d8b23f349
SHA2566e045f1239ec5e40da837affde4dcedcafd741bc1a34383491c2cc9588605c5c
SHA5128fc4dac7150958ea49832e68b710aee9518a957d262dd74d8349e35985c683a3fbd039213badc6c73197d9f368f33bade6aeaf75a5d84b098ca2fb656a4c7236
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5978784edf32acc49e8db15e2d8aaa55d
SHA19f9e29a005f2359cfe3715ae04a1e691ce524631
SHA256569f93d4d1aab38dde67067d933b395f3637fe33835103f5b7dd216cf9a9afa5
SHA512e2a3d77477f462e893de7ad4d199f86e9dd7991c5137e1f5f5ac76fe96ebe6fe5ef318ffc8c604d423efd218b8e6159cbed56f20588baf7c64c66e37ac3dc00a
-
Filesize
7KB
MD5e262ee54411b10f7cad56c0f7a086ab9
SHA194b100f19c59ca409eab7ecd2e9f5bdea2dc5f72
SHA25662b3f3b21cce762e3baaa7120e73bdfb67c6d9d8834921b287dab06fe387bb5f
SHA5121d06fd79db661c4d347b0f737d16c1858361af6caaca5536d26ae34eb3184437e261e3e09e4016de375f5997373b13adc34e34173f0b9e574ec00b9fb18a2072
-
Filesize
16KB
MD54a5488621fabf5accb9c2ff15e9dca9d
SHA1a5847f454409e043fc8cf836b782bca1443b5e28
SHA25681f0c7bfff98884cbae0ffed0b2f2d0fc031adaeb6f61ce2398c6036dc5ba905
SHA5120acc980ef8c2dbe7ca8bbf695219dcc752d38aa5939939388394b7b4c3f0a6f6a4cb5aa978b5bba71b65ae6265ace271c7096e0890229e1f23dcbf08add3359e
-
Filesize
281KB
MD5295d378f71b6c6b59288f55cb2c53e14
SHA1adbfc1b663ac9e92fd7c5623633167f1fd734fee
SHA256610cba1ef66a8df5d658af6b8afc939833f57b7ecab2487367ae0f17abc9d755
SHA5129667dbba883adb04a6e5fcd73b7e162d1e6de1d804e5e2d9c6779e29d0360ce792ff1dc34bc2e564c047d714e55641bed91d924c1d6e0cacf0ef7a7d0bf8673c
-
Filesize
2.3MB
MD55deeae1200cb6f919d3599e9b60115a5
SHA1443bdeadb0556d10660eee580cb01512698240d6
SHA2561e7a8c11c988412f44805b3b7f7c560352b6aed04305912beef9d458a2ecd3ff
SHA512d8e259f3c4e5b85c1cf1d7abb3abb960b521a45b40936323a015908b957e13d03b750b25e6646d320dd75f4d0e420e852c92aae1cc6a02abeb342b5f67281a16
-
Filesize
2.3MB
MD5ba3adfc01d77ee2e3a3a85c76f6d5e1f
SHA10f6b9682a80b0588323ad8a5626ffc17ca9e7b8b
SHA256f68f34be86c971e8679f8689c73e39016a9f009d817ad77f52116ee2c9138104
SHA512b40aab38c70dd5becc65be38c93fb42cc40cf674b2292b4baae87b29c348b468009e824f1452b060d13a5a65a2e02f0987819d87b21614a9b33a7be0e6d09b66
-
Filesize
2.4MB
MD526a77a61fb964d82c815da952ebedb23
SHA18d9100fcc2e55df7c20954d459c1a6c5861228a1
SHA2562e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
SHA512793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
Filesize
1.9MB
MD5055cad687823c779f8a13679749d781b
SHA15d7b9d4240e3a61b5d1b62c1bdae7d26e04170c8
SHA25606eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3
SHA512f5f55dbd5d0a99e4b26daecafb4e1137a7067e25da6f2038153321ea97bcada79df4936c29579fe5539a0f0501d715f3795e0f0f1d36b9f21ca80cf155f87a34
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB