Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • submitted
    04/08/2024, 07:46 UTC

General

  • Target

    b93f7881155103cb85a167145bbe594b.bin.exe

  • Size

    7.4MB

  • MD5

    4bbc93cc56bf15816d8ce4ddc23a6a17

  • SHA1

    d9f560d25157fc978c7b5c0f216c21958687a7d5

  • SHA256

    7716fc431a6486354a6f450cdd275e05c63ae8bb7614cf8ad4509e1c67427a95

  • SHA512

    46d359082e10b7c4b5b012678b99c8bb618b5190713aa9c7c972cef4bdec8a922bb3a30c4ef77b2d7b603e0c27cb64dd4312736c9c4830faa23a059e626a7152

  • SSDEEP

    98304:diMrdaUIJ3sxQvmzLvqwBOZTcjgxffDjqJbzEwqWfm1Rqvn:Yi68xQ+zLJOZwjgZ7CfaRSn

Malware Config

Extracted

Family

rhadamanthys

C2

https://109.120.185.28:443/e0bd9c1f4515facb49/gj28n35o.2n73x

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

  • Hijackloader family
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Rhadamanthys family
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b93f7881155103cb85a167145bbe594b.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\b93f7881155103cb85a167145bbe594b.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2840
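The process tree above records which process called the injection-related APIs (WriteProcessMemory, SetThreadContext, MapViewOfSection) and which Windows binaries it spawned. Walking that tree programmatically is how a triage analyst turns a report into a reproducible injection-chain finding. The script below is an added example, not part of the tria.ge report or of any vendor tooling: the process list is transcribed from the report, while the technique labels, the "Windows binary" directory check and the parent-writes-into-child heuristic are this example's own assumptions, not a statement of what the sample actually does internally.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import FrozenSet, List, Optional, Tuple

# Signature names exactly as the sandbox report prints them.
SET_CTX = "Suspicious use of SetThreadContext"
WPM = "Suspicious use of WriteProcessMemory"
MAP_SEC = "Suspicious behavior: MapViewOfSection"
SELF_DELETE = "Deletes itself"
LANG_DISCOVERY = "System Location Discovery: System Language Discovery"
ENUM_PROCS = "Suspicious behavior: EnumeratesProcesses"
HOOK = "Suspicious use of SetWindowsHookEx"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    signatures: FrozenSet[str]


# Transcribed from the Processes section of the report (PID, parent PID, image, per-process hits).
PROCESSES: Tuple[Proc, ...] = (
    Proc(2540, None,
         r"C:\Users\Admin\AppData\Local\Temp\b93f7881155103cb85a167145bbe594b.bin.exe",
         frozenset({SET_CTX, WPM, MAP_SEC, ENUM_PROCS, HOOK, LANG_DISCOVERY})),
    Proc(2080, 2540, r"C:\Windows\SysWOW64\cmd.exe",
         frozenset({SELF_DELETE, WPM, MAP_SEC, ENUM_PROCS, LANG_DISCOVERY})),
    Proc(2840, 2080, r"C:\Windows\SysWOW64\explorer.exe",
         frozenset({LANG_DISCOVERY})),
)

# Assumption for this example: only these two directories count as "Windows binaries".
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_windows_binary(image: str) -> bool:
    """True if the image lives in System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(image).parent).lower() in WINDOWS_DIRS


def injection_hops(procs) -> List[Tuple[int, int, str, str]]:
    """One entry per parent->child edge where the parent wrote into process memory
    and the child is a Windows binary, i.e. a likely injection target.
    The technique label is a heuristic derived only from the parent's API hits."""
    by_pid = {p.pid: p for p in procs}
    hops = []
    for child in procs:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None or WPM not in parent.signatures:
            continue
        if not is_windows_binary(child.image):
            continue
        if SET_CTX in parent.signatures:
            technique = "thread-context hijack"   # WriteProcessMemory + SetThreadContext
        elif MAP_SEC in parent.signatures:
            technique = "section mapping"         # WriteProcessMemory + MapViewOfSection
        else:
            technique = "memory write"
        hops.append((parent.pid, child.pid, PureWindowsPath(child.image).name, technique))
    return hops


def lineage(procs, pid: int) -> List[str]:
    """Image names from the root of the tree down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    names = []
    while pid in by_pid:
        names.append(PureWindowsPath(by_pid[pid].image).name)
        pid = by_pid[pid].ppid
    return list(reversed(names))


def self_deleting_stagers(procs) -> List[Tuple[int, int]]:
    """(pid, parent pid) for processes the report says deleted a file of their own:
    here the cmd.exe instance spawned by the dropper, which points at the dropper
    removing its on-disk copy through the injected host."""
    by_pid = {p.pid: p for p in procs}
    return [(p.pid, p.ppid) for p in procs
            if SELF_DELETE in p.signatures and p.ppid in by_pid]


if __name__ == "__main__":
    for parent, child, name, technique in injection_hops(PROCESSES):
        print(f"{parent} -> {child} ({name}): {technique}")
    print(" > ".join(lineage(PROCESSES, 2840)))
    print("self-delete via:", self_deleting_stagers(PROCESSES))
```

The output reproduces the two-hop chain visible in the tree: the dropper writes into and redirects a thread of cmd.exe, and that cmd.exe instance in turn maps and writes into explorer.exe, where the Rhadamanthys payload and C2 traffic would be expected to live. In a detection pipeline, feed the same structure from your EDR's process-start and API telemetry instead of a transcribed report; the heuristic is deliberately tolerant of the SetThreadContext step being missing, since not every loader uses it.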

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5fed56d2

    Filesize

    1.1MB

    MD5

    ae140b168663b32b465f0779461b8e0b

    SHA1

    b9bc54c935be7c8212c347ec1ebcd2c096bdba07

    SHA256

    eb30a91edfab74933b1ca9c5af87e9e0efc173b8e1e06f0ef24dc98972a2dcb1

    SHA512

    9a37eaa76ff482a34d462b4f25027c992a8422898f8eba93f298aba04d5fe916bfcd1309f47705b18b5fb9a37812cce76dad35e1a3fae3f86e4783ce74c54c0a

  • memory/2080-15-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2080-13-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2080-11-0x0000000077C30000-0x0000000077DD9000-memory.dmp

    Filesize

    1.7MB

  • memory/2080-12-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2080-9-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2540-6-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2540-3-0x0000000077C30000-0x0000000077DD9000-memory.dmp

    Filesize

    1.7MB

  • memory/2540-1-0x0000000000400000-0x0000000000BFC000-memory.dmp

    Filesize

    8.0MB

  • memory/2540-2-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2540-5-0x0000000074DD0000-0x0000000074F44000-memory.dmp

    Filesize

    1.5MB

  • memory/2540-4-0x0000000074DE3000-0x0000000074DE5000-memory.dmp

    Filesize

    8KB

  • memory/2540-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2840-16-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2840-17-0x0000000077C30000-0x0000000077DD9000-memory.dmp

    Filesize

    1.7MB

  • memory/2840-18-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2840-20-0x0000000000980000-0x0000000000988000-memory.dmp

    Filesize

    32KB

  • memory/2840-21-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB
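The memory dump names above encode PID, dump sequence number and the virtual address range of each dumped region, and the sandbox prints the range size rounded to one decimal. Parsing them lets you separate regions shared by every process (loaded system DLLs at the same base) from regions private to one PID, which is where an injected image shows up: PID 2840 (explorer.exe) has a 508KB region at 0x400000 that no other process shares. This parser is an added example, not part of the tria.ge report; the dump list is copied from the report, and the "private, low base, at least 64KB" filter is this example's own heuristic for what to dump and disassemble first.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Dump file names copied from the Downloads list of the report.
DUMP_NAMES = [
    "memory/2080-15-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2080-13-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2080-11-0x0000000077C30000-0x0000000077DD9000-memory.dmp",
    "memory/2080-12-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2080-9-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2540-6-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2540-3-0x0000000077C30000-0x0000000077DD9000-memory.dmp",
    "memory/2540-1-0x0000000000400000-0x0000000000BFC000-memory.dmp",
    "memory/2540-2-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2540-5-0x0000000074DD0000-0x0000000074F44000-memory.dmp",
    "memory/2540-4-0x0000000074DE3000-0x0000000074DE5000-memory.dmp",
    "memory/2540-0-0x0000000000240000-0x0000000000241000-memory.dmp",
    "memory/2840-16-0x0000000000400000-0x000000000047F000-memory.dmp",
    "memory/2840-17-0x0000000077C30000-0x0000000077DD9000-memory.dmp",
    "memory/2840-18-0x0000000000400000-0x000000000047F000-memory.dmp",
    "memory/2840-20-0x0000000000980000-0x0000000000988000-memory.dmp",
    "memory/2840-21-0x0000000000400000-0x000000000047F000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

Range = Tuple[int, int]


def parse_dump(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, seq, start, end); reject names that do not follow the pattern."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return pid, seq, start, end


def human(nbytes: int) -> str:
    """Size string in the same rounding the report uses (1.5MB, 508KB, 8KB)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def regions_by_pid(names) -> Dict[int, Set[Range]]:
    """Distinct address ranges per PID (the same range is often dumped several times)."""
    out: Dict[int, Set[Range]] = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_dump(n)
        out[pid].add((start, end))
    return dict(out)


def shared_ranges(by_pid: Dict[int, Set[Range]]) -> Set[Range]:
    """Ranges present at the identical address in more than one process."""
    count: Dict[Range, int] = defaultdict(int)
    for ranges in by_pid.values():
        for r in ranges:
            count[r] += 1
    return {r for r, c in count.items() if c > 1}


def private_image_candidates(by_pid, max_base=0x10000000, min_size=64 * 1024) -> Dict[int, List[Range]]:
    """Per PID, the regions that are private to it, sit at a low (image-style) base
    and are at least min_size bytes. Heuristic thresholds are this example's choice."""
    shared = shared_ranges(by_pid)
    out: Dict[int, List[Range]] = {}
    for pid, ranges in by_pid.items():
        hits = sorted(r for r in ranges
                      if r not in shared and r[0] < max_base and r[1] - r[0] >= min_size)
        if hits:
            out[pid] = hits
    return out


if __name__ == "__main__":
    by_pid = regions_by_pid(DUMP_NAMES)
    for pid, hits in private_image_candidates(by_pid).items():
        for start, end in hits:
            print(f"PID {pid}: 0x{start:08X}-0x{end:08X} ({human(end - start)}) private, image-sized")
```

Run against this report it singles out two regions: the 8.0MB image of the dropper itself in PID 2540 and the 508KB region at 0x400000 in PID 2840. The first is expected; the second is the one to pull, check for a PE header and compare with the on-disk size of the 32-bit explorer.exe, since a mismatched image at the host's base address is the signature of a replaced (hollowed) image. The two ranges at 0x74DD0000 and 0x77C30000 appear in every process and are left aside as shared modules.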
