Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
25/06/2024, 23:56
General
-
Target
96c6e94c1053bde32fb1707f5bc8200fac47e920b5fec98bcc67cddf49dea8f2.exe
-
Size
1.9MB
-
MD5
86135c652e52bdd4b0586d48d6b5afcc
-
SHA1
0bbbf9c1e7e487bc66dfb3199be578c142a6f572
-
SHA256
96c6e94c1053bde32fb1707f5bc8200fac47e920b5fec98bcc67cddf49dea8f2
-
SHA512
4861267a2289f4b846437550f137bbb7624c707510072c2efbe3265519ca9ed79a560a05b0119261076c30b353e5609d4449e6cea379054f94e8c543175b428a
-
SSDEEP
49152:VLUaRSKJzQ1uA+gN6BFbFLXCjr3Q0gZXDaAfhQt:VLZRbxY61XCaXw
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96c6e94c1053bde32fb1707f5bc8200fac47e920b5fec98bcc67cddf49dea8f2.exe"C:\Users\Admin\AppData\Local\Temp\96c6e94c1053bde32fb1707f5bc8200fac47e920b5fec98bcc67cddf49dea8f2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\5d73aa8395.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\5d73aa8395.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\17acdbe0a9.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\17acdbe0a9.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd06cab58,0x7fffd06cab68,0x7fffd06cab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3244 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1832,i,9518577618720451374,5284573717328345763,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBFCBGCGIJ.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\DBFCBGCGIJ.exe"C:\Users\Admin\AppData\Local\Temp\DBFCBGCGIJ.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIJDBAKKKF.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
216B
MD5540540c613ef11423bc0651a9523bc41
SHA1055ebfe31dd2dff76bd5cec47fcc332f8fc17b4d
SHA25612ab72393f974db677eae263adfb8fa2045f287547c3926d6f324fa71d3f9af6
SHA512ee06bc531389189e8138473f87aabfb1c9d26103d08ca94eb9327bfff5b1309df174b6fdd68a430921aec96134a6736683ecb390d1e2bcee22a925ebce331def
-
Filesize
2KB
MD598c1230db77da57694223d15729f9db7
SHA12593b816934b7405ab5ca350a5c6e359da1b2ae1
SHA2562f5baf4478e045518bf03eff27a276608fefd14acda7de5a09f5f5ffa7384466
SHA5125054adbe7c83a50a0f7659acd102f83e8c94531b1ecc747caaed903bebc1a5f82085b24d78367c144f15129db2c4ad71de7dc925252e463ab1ab9bbc390bc90d
-
Filesize
2KB
MD55ad444fb0aff330686e15624217aaea5
SHA18f7e4e4e9643641c119484aa7fbc9561df34db93
SHA256cf485d088c2c8486d626b8c19c844d02b096036402df8a831e95a7f938f5b3c8
SHA512b0c83e90bc0ecd1d7d98dd0064a49463a9303010398474f0a0f05c7f2d5f4132dfd8943f3242ede8d5473cafe47bb2d1893c059a840949719c0319f62b62b334
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5682af540eb7beae65e356ea046e2b09c
SHA151cc4977387cdfb7c04a9f4bee129b353587d22b
SHA2566fd0bd8f7c539af8ffe140e3f711ac472ad6918ec058ee5ad54bb530dabcc746
SHA5124197d6d6733f321fd0569626db8bc0ed9deb3da0b18a24c12d4e179f1434157ff81f31cf7c5dd7452ab61edca7b8a987c9e07cfeba1c038fca282cbb9fc2a47c
-
Filesize
7KB
MD5ca9bd18d8a4cd55907e0d18216ea5ad4
SHA1b0a285bac03715c8e710dfaecef519da1ea5bbe5
SHA256e5f581a829411b2c97d862a39a684b774802157bb4e3e6cd6ec25a736fdcbc3a
SHA5121348b6b50199ef6a82fbf39f99b41c80f9272a2b5a2adbeef905c55e1876e6c6736712a9d77320e516b510dd626248a38f4332e31fe43e7f9c21d3d7c8ac57f5
-
Filesize
16KB
MD510c2a9f431be7132526625f207293f33
SHA1ca53f19b755e1d54a921ab44e4786eda2b346656
SHA256e203d0243583807e51f62fb47ad7b5ab72b4424530542b3204f63086fb8403a2
SHA5128a0edd16903d60987d961eedc446c007e1a0700dbcfa2d299a69347f8682b18a8af405bc7b92216955ede5ddd70210934bad88b3800de572f7e52c6731e4576b
-
Filesize
281KB
MD5e92f45445d5a09e25569a5318d5be6a4
SHA19aadb0de8682e9a3a0b9db6fc31c6104c2a38b5b
SHA2563cd73d11237f1ada06f6e81419ac56a9e0711182bb1c60e0c2001ca66a98226e
SHA5120b641c52e21d6b78bda6166ffb4e7a4732530b509196914c166ce485b251bd3bbdc16fc7a650821a80a81fccd03018fceed72eae264bfd8e336a394efca10a9d
-
Filesize
2.3MB
MD5bc99531ccba4374dfc43de0be67147bc
SHA1704d8d5ca5138a58a7ec5515ac6a94c1a0c8649d
SHA2560cd18f67b575e8e34f59f5bd4f45b5aaa942b3273f4ba1f21b29801c11a0ff2f
SHA5127d2816dab2149a8ffbe19fb29be573e1dd339509392ab1f46f5d166eaa784c4d93d3db38d671273d686835a6a1b347db71b0816b3016893e71c59af08d01efcf
-
Filesize
2.3MB
MD5cc38557b918b80ad74467fd652dc6c84
SHA1f0ff279966df1c46dc4cdd0d465a6d29e2695ed6
SHA2563d399dbbdaffea2d51a912ec07127e9824df3e455de709b05d5cb124b77aa037
SHA51251426c660ad79857cb7573fd87b0cd68bfb453c7e1c74bcc8dd574937d531a3a11cb9ef352dd927572d5ed22026dd7aba74364599275f584ce0cbba775e31842
-
Filesize
2.4MB
MD5813c6100f58bc85dca48211bd6e40fb4
SHA15207e73f0f7029e1f1aa7d871530a62f489feb75
SHA25676244ccdd68ec711ddc966da515332d391487bf9f25d4e115963fb20969f4e9f
SHA512b5a0e626c1bf8471c07726862470fe6d0d8f1afd411b84e1fa606e288d88c5210a08d55997e784d83d8229257c0ffbdbe1dbc574d372ea7d259b1d7f9acd75ce
-
Filesize
1.9MB
MD586135c652e52bdd4b0586d48d6b5afcc
SHA10bbbf9c1e7e487bc66dfb3199be578c142a6f572
SHA25696c6e94c1053bde32fb1707f5bc8200fac47e920b5fec98bcc67cddf49dea8f2
SHA5124861267a2289f4b846437550f137bbb7624c707510072c2efbe3265519ca9ed79a560a05b0119261076c30b353e5609d4449e6cea379054f94e8c543175b428a
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
11.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB