Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 112s
- max time network: 87s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/11/2024, 15:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe
- Resource: win7-20240903-en
General
- Target: 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe
- Size: 1.8MB
- MD5: 7e8bb569cef261538ca8f3758bf41c20
- SHA1: 7271361f7497ffe341e46cc675f5b2baadd3f57b
- SHA256: 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023f
- SHA512: d998760a71634cc407c21d46931676729e4dcfd72909f4ba5cede7a14accf665a46d86afb1080b399e9f3e3b438aa0a30e30d914cbcf6064676dfe1bd28e220c
- SSDEEP: 49152:Zqs3Qx2kjDpFbLRO+/bjN4hNiXrRTyFGoVn0dnbj7:Us3S/TO+/bjsiXxlynK
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: fed3aa
- C2: http://185.215.113.16
- Attributes:
  - install_dir: 44111dbc49
  - install_file: axplong.exe
  - strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
  - url_paths: /Jo89Ku7d/index.php
Extracted
- Family: stealc
- Botnet: tale
- C2: http://185.215.113.206
- Attributes:
  - url_path: /6c4adf523b719729.php
Extracted
- Family: lumma
- C2: https://founpiuer.store/api
Signatures
- Amadey family
- Lumma family
- Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b2bd90b193.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6f2ebc9727.exe |

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b2bd90b193.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b2bd90b193.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6f2ebc9727.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6f2ebc9727.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe |

Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 2724 | axplong.exe |
| 2884 | b2bd90b193.exe |
| 1256 | 6f2ebc9727.exe |

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | axplong.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | b2bd90b193.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 6f2ebc9727.exe |

Loads dropped DLL (5 IoCs)

| pid | Process |
| --- | --- |
| 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| 2724 | axplong.exe |
| 2724 | axplong.exe |
| 2724 | axplong.exe |
| 2724 | axplong.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\b2bd90b193.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001989001\\b2bd90b193.exe" | axplong.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\6f2ebc9727.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001990001\\6f2ebc9727.exe" | axplong.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)

| pid | Process |
| --- | --- |
| 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| 2724 | axplong.exe |
| 2884 | b2bd90b193.exe |
| 1256 | 6f2ebc9727.exe |

Drops file in Windows directory (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\axplong.job | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2bd90b193.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f2ebc9727.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe |

Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
| --- | --- |
| 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |
| 2724 | axplong.exe |
| 2884 | b2bd90b193.exe |
| 1256 | 6f2ebc9727.exe |

Suspicious use of FindShellTrayWindow (1 IoC)

| pid | Process |
| --- | --- |
| 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe |

Suspicious use of WriteProcessMemory (12 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2468 wrote to memory of 2724 | 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe | 30 |
| PID 2468 wrote to memory of 2724 | 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe | 30 |
| PID 2468 wrote to memory of 2724 | 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe | 30 |
| PID 2468 wrote to memory of 2724 | 2468 | 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe | 30 |
| PID 2724 wrote to memory of 2884 | 2724 | axplong.exe | 32 |
| PID 2724 wrote to memory of 2884 | 2724 | axplong.exe | 32 |
| PID 2724 wrote to memory of 2884 | 2724 | axplong.exe | 32 |
| PID 2724 wrote to memory of 2884 | 2724 | axplong.exe | 32 |
| PID 2724 wrote to memory of 1256 | 2724 | axplong.exe | 33 |
| PID 2724 wrote to memory of 1256 | 2724 | axplong.exe | 33 |
| PID 2724 wrote to memory of 1256 | 2724 | axplong.exe | 33 |
| PID 2724 wrote to memory of 1256 | 2724 | axplong.exe | 33 |
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023fN.exe"
  PID: 2468
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    PID: 2724
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\1001989001\b2bd90b193.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1001989001\b2bd90b193.exe"
      PID: 2884
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\1001990001\6f2ebc9727.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1001990001\6f2ebc9727.exe"
      PID: 1256
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: d295038f6facf219e302c0444bffa7b0
  SHA1: 17a55b8e0872feb3476eb425758c7b8500e857fb
  SHA256: a0cc678c942c6f391cb39e06f20cb9a8cdc2e319e41f52023c5e0e7b3985594d
  SHA512: 075691b3e30fd88fc59428f94c05858a0d625b371a1c44625d2d801efe337548bff94d7dc4facf14cbb88679a8186f23b053b9c7952120f40b50498693178e09
- Filesize: 3.0MB
  MD5: 0d7b1ba6e967a55e6cff34069832498e
  SHA1: be54bc4033d47cd14bc9648ce964c67b283fb6c6
  SHA256: 6ecb0aee684e895fbaede81d1ecacd3b2379301d7ab37ccd883de5ece7651988
  SHA512: a4713d6a23b406c2bba2035d34c9e8a7da2b4af1fb27f3a26b9821c45f250766b7d171044b7f8a35bc51a49eae7f6541c483af0bb08f06040b9fc4be567c73e2
- Filesize: 1.8MB
  MD5: 7e8bb569cef261538ca8f3758bf41c20
  SHA1: 7271361f7497ffe341e46cc675f5b2baadd3f57b
  SHA256: 5174cb538e49b7cf8cdd3bd47945d3bf03da030d84850fa1a4c0971de6d0023f
  SHA512: d998760a71634cc407c21d46931676729e4dcfd72909f4ba5cede7a14accf665a46d86afb1080b399e9f3e3b438aa0a30e30d914cbcf6064676dfe1bd28e220c