Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
25/06/2024, 18:57
General
-
Target
0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe
-
Size
1.8MB
-
MD5
ca6846c9841f9095022576a0078e9577
-
SHA1
6c3af76544e148899e08ac7bf2ca0179e7995587
-
SHA256
0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c
-
SHA512
50938a53e6225985f9460e37e947646b918d43ca436e4bec0be34798e10ce9cb9a198d80df13bfe91773e41734c29019a794c83df5a907bbe5481a16bc5487d1
-
SSDEEP
24576:doRxns7hEBHWf23680860BdnM3u5k4UDs9L8M5GJnWBAn5Kpc+eVjlTaMQWIHwnp:r2B16nMrk4WlP3jTaMje/RnEdG3
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe"C:\Users\Admin\AppData\Local\Temp\0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\0487cb92b6.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\0487cb92b6.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\1e08a72964.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\1e08a72964.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff4dd7ab58,0x7fff4dd7ab68,0x7fff4dd7ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3904 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
216B
MD550e16756b91092522e09ae8d27f6637d
SHA18eaed7df665a3ca8323b2c35be6157dc77168e4b
SHA2562b25b1d910145696e7fae4af6eb215cec6da241ede63f9ca03f1ababe67efc15
SHA5120e43decd75d2d569e548db0469f5aed4cf30b387edfd4080a9f1e46ee99a02985c2b5dd74483d195c333b5b2ab7a5468538bd106224efc1a92a423be91de5d93
-
Filesize
3KB
MD52c5caa514dac849f1b20df238101f557
SHA11b3ab5c97052b5d3bda67c43457e955eac585581
SHA2561b3c6d721a08e47613cbb8ae5e0a67e5cf1b5e8baab11eb81def6f9f729f8edd
SHA512abec37ab5c1ef3b146809bdddd92b9aa72a15f7d6bafb3bce5008aae68a993993cf45cf589a09c806bbb0ed9ef81ad24125602fed3dfb0236c3b2da7ffbb9f67
-
Filesize
2KB
MD5f18b7a79cb6e81703378227bf926ecdb
SHA1a21407e632ee05ba3a576bf1f2ff9bb86415a5b5
SHA256318458323328c7484a9b64c2714ed9d06408661fe423ceee4715e5bae6a60a61
SHA512071bf1e32cea2ffd9a85ba977f331d7231602b555ecef0feae60be541f0496415aa5191eb831b62f7f1ad010f0a6a102d183d0b02d0d9728fecfbb4a2ceded40
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
690B
MD551835e2ae22ac9dc9aa9a2d52917d3cc
SHA140539d318c9ec9f360984067f9443bc6966c1f08
SHA2560473b26f392453c42aec4658146ece1365110fbcc9827df532a36fd8239803ec
SHA51244e1533fc1397063d2c83b4dc193fc313ce44a948fbbce5724cfbdb81be3b46eabefb8d4caed927aa2b6096934f7851f64d274f1d633a988ab45ab043997ac81
-
Filesize
7KB
MD54c0cf5482900bd14dbbba60429eb1d39
SHA1829efd7369d30724823a69b2c2eb1bfe6c38ed7c
SHA2566653d1c6c73cd60056e473b2765ab47580cad55f8ade660c7047ec2934d432ab
SHA5126c573dbb706c686478d66f8069febad33a8ba433403981f74b922025643c5375bdf99d35c905f7a0dc47aa2f172cde7e5baffa66ecd0356498a6fa4d3b34a549
-
Filesize
16KB
MD551d29036d5ee642dd63ca5bd18757e91
SHA1837208b9ebd5c947ac0ac0f308d3fb538e6f7872
SHA2569a2b4c6c08537c78494ea9741baa53f6f47001f364d41aa52fb76ac47aab9276
SHA5123fc48b703745ad132cfbdcf94bd2bc6d696e8f519e3340ad2be7aa45877eaa14c41a9d2e1f6d50f44b9ca50641a37294e97a3281b715ae79b76db9d6a64d76c3
-
Filesize
281KB
MD51756b571e99aa464390b35ff380cd338
SHA190d747a929a0aa93aac9628f33fc369025b9b57d
SHA256cb5def85051f6e2a0815cf1b50ed8cda841db880b45fdbbfaf1760d8de833531
SHA51244d390084699bb2a96ff29df6247740b56a3ac4b53caf1b5d7f71b01a9c82e16478746ee3aa466d11168fed012b0b3c54bf1967e1cf673e32d6d770b9307f228
-
Filesize
2.3MB
MD52bc10723e1bf0fcf8423f9ffdcd9d20a
SHA13e5d1e782cd1be4998700ffb461c3b61c964fd12
SHA256742e3092da671f1cb4fb624cccf5e810a6d9238e9ce4c83bcbea44a5edfd4b5f
SHA512a6148da40355e7fad6194e0c52ce40867c8e61c0ea85f8a698c1ec62a382bd60893ff3957da784a3778b52d1051e80a39ef6d1e76c5f5c66186ceeed2c8eda7f
-
Filesize
2.3MB
MD52f35b68f6ec03a086b3f0d838f8d44a9
SHA1f31015838b27dd2e6c4a42c7e961b14fd98e50ea
SHA256ac0481b17754f56daf7985a8e4a17d90a991d658c4b9a1d49142a0208a372b9b
SHA5120e47a6ef199755b84c501c4b88d71f87db8e2b269e2cd19b3ac3ecbfe3e41fae5a8398278be28873a34285d526f0b9d864de416a5bb89502cd4bf2e1b7ce384a
-
Filesize
2.4MB
MD526a77a61fb964d82c815da952ebedb23
SHA18d9100fcc2e55df7c20954d459c1a6c5861228a1
SHA2562e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
SHA512793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
Filesize
1.8MB
MD5ca6846c9841f9095022576a0078e9577
SHA16c3af76544e148899e08ac7bf2ca0179e7995587
SHA2560e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c
SHA51250938a53e6225985f9460e37e947646b918d43ca436e4bec0be34798e10ce9cb9a198d80df13bfe91773e41734c29019a794c83df5a907bbe5481a16bc5487d1
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB