Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2024, 13:41
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240704-en
General
Target: file.exe
Size: 1.9MB
MD5: baf9c65740a624a1368c5daf804dbe75
SHA1: 4d420290abe5a7cb44aa3ee6471e2f914d7f092a
SHA256: f03a849ae2d670ff7e468da63c26789b8c738d830a0e49aad3a26ff5bc555805
SHA512: 5624e7a58773275af48696b0a382863402b61019a22f779d579b50f649aba21f4cd74d21bc6f58c57b10f0ecab03627897046b08282003a3516efc9f46612573
SSDEEP: 49152:85k1rXyxjjLjmnH6n8wVSg2oHJ0HU5gJA:8ygxjnana8wzBHJ0NJ
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
Attributes
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php

Extracted
Family: stealc
Botnet: leva
C2: http://185.215.113.100
Attributes
url_path: /e2b1563c6670f193.php
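The two extracted configs give a C2 host for each family and a hard-coded URL path (Amadey stores them as separate fields). The following is an added example, not code from the tria.ge report or from either malware family: it joins host and path into indicators, matches them against proxy log lines, and emits Suricata rules. The hosts and paths are the ones extracted above; the proxy log lines and the sid numbers are constructed for this example.

```python
"""Added example, not code from the tria.ge report: turn the extracted Amadey and
Stealc C2 settings into host+path indicators, match them against proxy log
lines, and emit Suricata rules for them.  The C2 hosts and URL paths are the
ones in the extracted config; the proxy log lines and the sid numbers are
constructed for this example."""
import re
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of the report.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "c2": "http://185.215.113.19", "paths": ["/Vi9leo/index.php"]},
    {"family": "stealc", "c2": "http://185.215.113.100", "paths": ["/e2b1563c6670f193.php"]},
]

# Constructed proxy log lines (Squid-style: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
1725197000.123 10.0.0.15 POST http://185.215.113.19/Vi9leo/index.php 200
1725197001.456 10.0.0.15 GET http://www.example.com/index.php 200
1725197002.789 10.0.0.22 POST http://185.215.113.100/e2b1563c6670f193.php 200
1725197003.012 10.0.0.22 GET http://185.215.113.19:8080/Vi9leo/index.php?id=1 404
1725197004.345 10.0.0.31 GET http://185.215.113.19/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def c2_indicators(configs):
    """Return {(host, path): family} for every C2 host and url_path in the configs.
    Amadey stores the host and the path separately, so they are joined here."""
    indicators = {}
    for cfg in configs:
        host = urlsplit(cfg["c2"]).hostname
        for path in cfg["paths"]:
            indicators[(host, path)] = cfg["family"]
    return indicators


def match_proxy_log(log_text, indicators):
    """Return (client, family, url) for each request whose host and path hit an indicator.
    Port and query string are ignored: the implant hard-codes host and path, but an
    operator can move the listener to another port or append parameters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # the constructed sample has no malformed lines; real logs do
        parts = urlsplit(m["url"])
        key = (parts.hostname, parts.path)
        if key in indicators:
            hits.append((m["client"], indicators[key], m["url"]))
    return hits


def suricata_rules(indicators, base_sid=9000001):
    """Build one Suricata HTTP rule per indicator. The sid values are local, arbitrary IDs."""
    rules = []
    for sid, ((host, path), family) in enumerate(sorted(indicators.items()), start=base_sid):
        rules.append(
            f'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"{family} C2 check-in to {host}{path}"; flow:established,to_server; '
            f'http.host; content:"{host}"; http.uri; content:"{path}"; startswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = c2_indicators(EXTRACTED_CONFIGS)
    for client, family, url in match_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(f"{client} -> {family} C2: {url}")
    print("\n".join(suricata_rules(iocs)))
```

Matching on hostname and path rather than the literal URL string is deliberate: the fourth sample line uses a non-default port and a query string and still hits, while the bare request to `/` on the Amadey host does not, which keeps the indicator from firing on unrelated traffic to a shared IP.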
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2a681b8205.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dec68f9d73.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS version strings are commonly read to detect virtualised or sandboxed environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2a681b8205.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2a681b8205.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dec68f9d73.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dec68f9d73.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Executes dropped EXE 4 IoCs
pid | Process
2772 | explorti.exe
2592 | 2a681b8205.exe
1412 | dec68f9d73.exe
1232 | d7461cc221.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | 2a681b8205.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | dec68f9d73.exe
Loads dropped DLL 6 IoCs
pid | Process
1280 | file.exe
2772 | explorti.exe (5 entries)
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0005000000019361-65.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
1280 | file.exe
2772 | explorti.exe
2592 | 2a681b8205.exe
1412 | dec68f9d73.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim in order to infer the host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2a681b8205.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d7461cc221.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dec68f9d73.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1280 | file.exe
2772 | explorti.exe
2592 | 2a681b8205.exe
1412 | dec68f9d73.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1280 | file.exe
1232 | d7461cc221.exe (63 entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1232 | d7461cc221.exe (64 entries)
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1280 wrote to memory of 2772 | 1280 | file.exe | 31 (4 entries)
PID 2772 wrote to memory of 2592 | 2772 | explorti.exe | 32 (4 entries)
PID 2772 wrote to memory of 1412 | 2772 | explorti.exe | 33 (4 entries)
PID 2772 wrote to memory of 1232 | 2772 | explorti.exe | 35 (4 entries)
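The VirtualBox ACPI, BIOS version and Wine signatures above are all registry reads, and the report lists them per process. The following is an added example, not code from the tria.ge report: it parses those records, rewrites the native `\REGISTRY\MACHINE` and `\REGISTRY\USER` prefixes to the `HKLM`/`HKU` form that Sysmon registry events (IDs 12 and 13) and most EDR telemetry use, and scores each process by how many distinct evasion checks it performed. The records are copied from the signature tables; the check names and the threshold of two distinct checks are this example's own choices. The language-discovery read is kept in the data but deliberately not counted as evasion, which is why d7461cc221.exe scores zero.

```python
"""Added example, not code from the tria.ge report: parse the registry records
from the signature tables, normalise the key paths to the HKLM/HKU form that
Sysmon and EDR telemetry use, and score each process by the number of
distinct sandbox-evasion checks it performed.  The records are copied from the
report; the check names and the two-check threshold are this example's own."""
import re
from collections import defaultdict

# Registry records from the report's signature tables: action | key path | process.
REPORT_RECORDS = r"""
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2a681b8205.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dec68f9d73.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2a681b8205.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2a681b8205.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dec68f9d73.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dec68f9d73.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | 2a681b8205.exe
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | dec68f9d73.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2a681b8205.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d7461cc221.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dec68f9d73.exe
"""

RECORD_RE = re.compile(r"^(Key opened|Key value queried)\s*\|\s*(\\REGISTRY\\\S+)\s*\|\s*(\S+)\s*$")

# Evasion checks seen in the report, keyed by a short name and matched on the key path suffix.
# The NLS\Language read is discovery, not evasion, so it is intentionally absent here.
EVASION_CHECKS = {
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
}


def normalize_key(path):
    """Rewrite the native \\REGISTRY\\MACHINE / \\REGISTRY\\USER prefix to HKLM / HKU."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)


def parse_records(text):
    """Return [(action, normalized_key, process)] for every well-formed record."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append((m[1], normalize_key(m[2]), m[3]))
    return out


def evasion_profile(records):
    """Map every process to the set of evasion checks it triggered (empty set if none)."""
    profile = defaultdict(set)
    for _action, key, process in records:
        checks = profile[process]  # creates the entry even for processes with no hits
        for name, pattern in EVASION_CHECKS.items():
            if pattern.search(key):
                checks.add(name)
    return dict(profile)


def flag_evaders(profile, min_checks=2):
    """Processes that ran at least min_checks distinct evasion checks, sorted by name."""
    return sorted(p for p, checks in profile.items() if len(checks) >= min_checks)


if __name__ == "__main__":
    prof = evasion_profile(parse_records(REPORT_RECORDS))
    for proc in flag_evaders(prof):
        print(f"{proc}: {', '.join(sorted(prof[proc]))}")
```

Counting distinct check categories rather than raw events is what keeps this usable as a detection: a legitimate installer may read `SystemBiosVersion` once, but a process that probes the VirtualBox ACPI table, both BIOS strings and the Wine key in the same run is doing environment fingerprinting, and the four Amadey-chain processes all land on three categories while the final payload lands on none.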
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1280
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    PID: 2772
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\1000051000\2a681b8205.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000051000\2a681b8205.exe"
      PID: 2592
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\1000052000\dec68f9d73.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000052000\dec68f9d73.exe"
      PID: 1412
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1000053001\d7461cc221.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000053001\d7461cc221.exe"
      PID: 1232
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
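The process tree above is what tria.ge derives from the WriteProcessMemory records (a parent writing into a freshly created child) together with the "Executes dropped EXE" list. The following is an added example, not code from the tria.ge report: it rebuilds that tree from those records, deduplicating the repeated entries the report lists, renders it, and flags the loader pattern in this chain, namely a dropped child (explorti.exe, the Amadey install_file) that itself starts two or more further dropped executables. The records are copied from the report; the loader threshold of two children is this example's own choice.

```python
"""Added example, not code from the tria.ge report: rebuild the process tree
from the "wrote to memory of" records in the WriteProcessMemory signature plus
the "Executes dropped EXE" pid list, and flag the loader pattern (a dropped
child that itself starts two or more dropped executables).  The records are
copied from the report, repeated entries included; the loader threshold is this
example's own choice."""
import re
from collections import defaultdict

# Records as the report prints them: "PID <src> wrote to memory of <dst> <src> <src image> <target procid>"
WRITE_RECORDS = """\
PID 1280 wrote to memory of 2772 1280 file.exe 31
PID 1280 wrote to memory of 2772 1280 file.exe 31
PID 2772 wrote to memory of 2592 2772 explorti.exe 32
PID 2772 wrote to memory of 2592 2772 explorti.exe 32
PID 2772 wrote to memory of 1412 2772 explorti.exe 33
PID 2772 wrote to memory of 1232 2772 explorti.exe 35
"""
# "Executes dropped EXE" pid/image list from the report.
DROPPED_EXES = "2772 explorti.exe 2592 2a681b8205.exe 1412 dec68f9d73.exe 1232 d7461cc221.exe"

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_write_records(text):
    """Return deduplicated (src_pid, dst_pid, src_image) edges, sorted."""
    edges = set()
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if m:
            edges.add((int(m[1]), int(m[2]), m[3]))
    return sorted(edges)


def parse_pid_names(text):
    """Map pid -> image name from a 'pid image pid image ...' list."""
    return {int(pid): name for pid, name in re.findall(r"(\d+)\s+(\S+\.exe)", text)}


def build_tree(edges):
    """Return {'children': {pid: [pids]}, 'parent': {pid: pid}, 'roots': [pids]}."""
    children, parent = defaultdict(list), {}
    for src, dst, _ in edges:
        children[src].append(dst)
        parent[dst] = src
    for kids in children.values():
        kids.sort()
    roots = sorted(set(children) - set(parent))
    return {"children": dict(children), "parent": parent, "roots": roots}


def render_tree(tree, names):
    """Indented text lines, one per process, in depth-first order."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{names.get(pid, '?')} ({pid})")
        for kid in tree["children"].get(pid, []):
            walk(kid, depth + 1)

    for root in tree["roots"]:
        walk(root, 0)
    return lines


def find_loaders(tree, min_children=2):
    """Non-root processes that spawned at least min_children children: the loader stage."""
    return sorted(pid for pid, kids in tree["children"].items()
                  if pid in tree["parent"] and len(kids) >= min_children)


if __name__ == "__main__":
    edges = parse_write_records(WRITE_RECORDS)
    names = {src: img for src, _, img in edges}
    names.update(parse_pid_names(DROPPED_EXES))
    tree = build_tree(edges)
    print("\n".join(render_tree(tree, names)))
    print("loader stage:", find_loaders(tree))
```

The write records only carry the source image name, so the leaf payloads are named from the "Executes dropped EXE" list; on a real endpoint the same tree comes from process-creation telemetry, and the shape to hunt for is identical: sample runs installed copy from a generated directory under AppData, installed copy fans out into several freshly written executables.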
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.9MB (same hashes as the submitted sample)
MD5: baf9c65740a624a1368c5daf804dbe75
SHA1: 4d420290abe5a7cb44aa3ee6471e2f914d7f092a
SHA256: f03a849ae2d670ff7e468da63c26789b8c738d830a0e49aad3a26ff5bc555805
SHA512: 5624e7a58773275af48696b0a382863402b61019a22f779d579b50f649aba21f4cd74d21bc6f58c57b10f0ecab03627897046b08282003a3516efc9f46612573

Filesize: 896KB
MD5: 815d0325b08029dc535dc4c7c9daeaf7
SHA1: 5f0d5f6624954c274bbce5edd211b28696897400
SHA256: 80c206cdeb203530a85f6700016155be6e1380d913c589bad66ca7a7ff209b4f
SHA512: cb754b8f9d907be570ed3a5d218184970872c015b88e8ba78ae5425198fcf8ea6e8d01a4ecfbd8b3dbc1ac3eccfcc692297579cb5c9b67a560059038f62c8d0f

Filesize: 1.7MB
MD5: c318d3326ce1921ff20be775cbc99782
SHA1: 94bb85d34e0fccf26fd58cfadfabe90606ec00f4
SHA256: 3ab3541c8960a2f4ccc60e0e8efc339d0f99d9cb96b0ea46a5e0440b020347d9
SHA512: 35556fabf9cd5c229fb2975a9075dd25b1ff913d152689a5e955b6214691779b6e8f58d53750bd9abb1ffddedc5b238a6284628c1b3a2286f59ef727aade7919