Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
07/11/2024, 03:13 UTC
General
-
Target
c7510bffe5fb99700c5fdcc63de2a95db0accf6d24ce7edde98fb0eb981734d5.exe
-
Size
1.8MB
-
MD5
05b829047cbbd5d6fc28b471734f2c78
-
SHA1
70d19ae71b549d99b582d590e4cc1c6b49197f60
-
SHA256
c7510bffe5fb99700c5fdcc63de2a95db0accf6d24ce7edde98fb0eb981734d5
-
SHA512
462299cda8cecf7dd9053b48e7837b3167d25bb174e15dbfd0f8eef0b335d4667f86251b00df944746eb196c1c6e4233319ff65c148ca50a8ca719a73a9047c8
-
SSDEEP
49152:K7WZX1nemVoLqmXAZgyZgV5Pwwv3pNkaUaLjnK:nZXonumXAZgOkHv
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.41
Botnet
fed3aa
C2
http://185.215.113.16
Attributes
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
rc4.plain
1
a091ec0a6e22276a96a99c1d34ef679c
Extracted
Family
stealc
Botnet
tale
C2
http://185.215.113.206
Attributes
-
url_path
/6c4adf523b719729.php
Extracted
Family
lumma
C2
https://founpiuer.store/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7510bffe5fb99700c5fdcc63de2a95db0accf6d24ce7edde98fb0eb981734d5.exe"C:\Users\Admin\AppData\Local\Temp\c7510bffe5fb99700c5fdcc63de2a95db0accf6d24ce7edde98fb0eb981734d5.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1002158001\5defb9403a.exe"C:\Users\Admin\AppData\Local\Temp\1002158001\5defb9403a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1002159001\ad0d904167.exe"C:\Users\Admin\AppData\Local\Temp\1002159001\ad0d904167.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
Network
-
POSThttp://185.215.113.16/Jo89Ku7d/index.phpRemote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 03:13:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
POSThttp://185.215.113.16/Jo89Ku7d/index.phpRemote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 03:13:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://185.215.113.16/steam/random.exeRemote address:185.215.113.16:80RequestGET /steam/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 03:13:11 GMT
Content-Type: application/octet-stream
Content-Length: 2163712
Last-Modified: Thu, 07 Nov 2024 02:49:06 GMT
Connection: keep-alive
ETag: "672c2aa2-210400"
Accept-Ranges: bytes
-
POSThttp://185.215.113.16/Jo89Ku7d/index.phpRemote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 03:13:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://185.215.113.16/luma/random.exeRemote address:185.215.113.16:80RequestGET /luma/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 03:13:13 GMT
Content-Type: application/octet-stream
Content-Length: 3155968
Last-Modified: Thu, 07 Nov 2024 02:48:53 GMT
Connection: keep-alive
ETag: "672c2a95-302800"
Accept-Ranges: bytes
-
POSThttp://185.215.113.16/Jo89Ku7d/index.phpRemote address:185.215.113.16:80RequestPOST /Jo89Ku7d/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.16
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 03:13:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://185.215.113.206/Remote address:185.215.113.206:80RequestGET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 03:13:14 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
POSThttp://185.215.113.206/6c4adf523b719729.phpRemote address:185.215.113.206:80RequestPOST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHJDGHIJDGCBAAAAAFIJ
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 03:13:14 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
DNSpresticitpo.storeRemote address:8.8.8.8:53Requestpresticitpo.storeIN AResponse -
DNScrisiwarny.storeRemote address:8.8.8.8:53Requestcrisiwarny.storeIN AResponse
-
DNSfadehairucw.storeRemote address:8.8.8.8:53Requestfadehairucw.storeIN AResponse
-
DNSthumbystriw.storeRemote address:8.8.8.8:53Requestthumbystriw.storeIN AResponse
-
DNSnecklacedmny.storeRemote address:8.8.8.8:53Requestnecklacedmny.storeIN AResponse
-
DNSfounpiuer.storeRemote address:8.8.8.8:53Requestfounpiuer.storeIN AResponsefounpiuer.storeIN A172.67.133.135founpiuer.storeIN A104.21.5.155
-
POSThttps://founpiuer.store/apiRemote address:172.67.133.135:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: founpiuer.store
ResponseHTTP/1.1 403 Forbidden
Date: Thu, 07 Nov 2024 03:13:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BgPQFDng71AInwJRw7T5soc4Zb7xXMo50x0AAoOv4K3e3m8uiE2EOqEgNLuzSweNRtEAzKYKuVPIOfytCoSmttXEABIBgqUFYf9MUS660VR3hGG1cGPKgQfLqFRAXJQZwZk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8dea2589cf8976af-LHR
-
POSThttps://founpiuer.store/apiRemote address:172.67.133.135:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=Ue8I8PZYfq1I__8z2DrMQ6Yus7_5gmGplDnXyhAt888-1730949198-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: founpiuer.store
ResponseHTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 03:13:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ijscgi5tnp0r6v7j9pgoq3hed1; expires=Sun, 02-Mar-2025 20:59:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2FT54sINVVd8STccxPW1zsRne7Zd6r32LLTxHasR9i5JxYPpEc5pUrFZ1LRPQ1PqOmRGREO5I4HbGbWiq2ahLVGc1ITS65VgLg3Dz2zLqkBWoIymLjkNo0SDyDPiKww2zQ0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8dea258a6fc076af-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=30642&sent=15&recv=13&lost=0&retrans=0&sent_bytes=7999&recv_bytes=1057&delivery_rate=491177&cwnd=257&unsent_bytes=0&cid=47aa2e68d0e73180&ts=434&x=0"
-
185.215.113.16:80http://185.215.113.16/Jo89Ku7d/index.phphttp
HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/steam/random.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200HTTP Request
GET http://185.215.113.16/luma/random.exeHTTP Response
200HTTP Request
POST http://185.215.113.16/Jo89Ku7d/index.phpHTTP Response
200 -
185.215.113.206:80http://185.215.113.206/6c4adf523b719729.phphttp
HTTP Request
GET http://185.215.113.206/HTTP Response
200HTTP Request
POST http://185.215.113.206/6c4adf523b719729.phpHTTP Response
200 -
172.67.133.135:443https://founpiuer.store/apitls, http
HTTP Request
POST https://founpiuer.store/apiHTTP Response
403HTTP Request
POST https://founpiuer.store/apiHTTP Response
200
-
8.8.8.8:53presticitpo.storedns
DNS Request
presticitpo.store
-
8.8.8.8:53crisiwarny.storedns
DNS Request
crisiwarny.store
-
8.8.8.8:53fadehairucw.storedns
DNS Request
fadehairucw.store
-
8.8.8.8:53thumbystriw.storedns
DNS Request
thumbystriw.store
-
8.8.8.8:53necklacedmny.storedns
DNS Request
necklacedmny.store
-
8.8.8.8:53founpiuer.storedns
DNS Request
founpiuer.store
DNS Response
172.67.133.135104.21.5.155
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5d21a2eb1558c04af68aa39932c381a77
SHA18a1c7f2c06fcf55ccdfb8155a2aa2ec94cb8c5bb
SHA256ba62e9e2f8ace5672fbc814db0b5fbd5a2d0a5d2d8ef55fd359e91ac756b4bbc
SHA512bffa84774f7857c827702c1f21619f55e4fe7b8fab650b1e8598ab5d5c327b9ddf80724a3be0acb605c5e177b330830276c59e999754fc28809f1781feba2fc7
-
Filesize
3.0MB
MD5a17f03daddf4ffd5b038f13ca94cca7d
SHA1ba20321c4f47082502dadddec7a70769c21e253a
SHA2564149dded7fd91b0eca160fff8d1e48d81bd206ef719bd54d1d5f86bc023eb4f9
SHA5127a4d981c68e5be25078a18ae2844c1842c491f93137b7b3037a3ae2af9dd1074ce37f33bcf79c7bb9e47eb83a3ceb595918171f09039c2d1d398e7d892479a54
-
Filesize
1.8MB
MD505b829047cbbd5d6fc28b471734f2c78
SHA170d19ae71b549d99b582d590e4cc1c6b49197f60
SHA256c7510bffe5fb99700c5fdcc63de2a95db0accf6d24ce7edde98fb0eb981734d5
SHA512462299cda8cecf7dd9053b48e7837b3167d25bb174e15dbfd0f8eef0b335d4667f86251b00df944746eb196c1c6e4233319ff65c148ca50a8ca719a73a9047c8
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
7.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
7.2MB
-
Filesize
4.7MB
-
Filesize
7.2MB
-
Filesize
3.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB