Tasks and scores
Overview: 10
Static: 3
contactsUX.dll, windows7-x64: 3
contactsUX.dll, windows10-2004-x64: 3
msidcrl40.dll, windows7-x64: 3
msidcrl40.dll, windows10-2004-x64: 3
msn.exe, windows7-x64: 10
msn.exe, windows10-2004-x64: 10
msncore.dll, windows7-x64: 3
msncore.dll, windows10-2004-x64: 3
msvcr80.dll, windows7-x64: 3
msvcr80.dll, windows10-2004-x64: 3
Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2025, 14:56
Static task static1
Behavioral task behavioral1: sample contactsUX.dll, resource win7-20240903-en
Behavioral task behavioral2: sample contactsUX.dll, resource win10v2004-20241007-en
Behavioral task behavioral3: sample msidcrl40.dll, resource win7-20240903-en
Behavioral task behavioral4: sample msidcrl40.dll, resource win10v2004-20241007-en
Behavioral task behavioral5: sample msn.exe, resource win7-20241010-en
Behavioral task behavioral6: sample msn.exe, resource win10v2004-20241007-en
Behavioral task behavioral7: sample msncore.dll, resource win7-20240903-en
Behavioral task behavioral8: sample msncore.dll, resource win10v2004-20241007-en
Behavioral task behavioral9: sample msvcr80.dll, resource win7-20240903-en
Behavioral task behavioral10: sample msvcr80.dll, resource win10v2004-20241007-en
General
Target: msn.exe
Size: 5.5MB
MD5: 537915708fe4e81e18e99d5104b353ed
SHA1: 128ddb7096e5b748c72dc13f55b593d8d20aa3fb
SHA256: 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
SHA512: 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2
SSDEEP: 49152:ERUl697ngPTrho9J8kgdjbHNZ5PP/Re5m3mxVN6KEp0v7J7k66ZRkQTXw+sljVop:uAXqnhON8m3mzNHTdw6YSX+sleu5y
Malware Config
Extracted (rhadamanthys): https://185.196.11.237:9697/f002171ab05c7/73434jqg.jxviu
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 1956 created 2496; pid: 1956; process: explorer.exe; procid_target: 44
Executes dropped EXE (1 IoC)
  pid 1984, process msn.exe
Loads dropped DLL (3 IoCs)
  pid 1984, process msn.exe
  pid 1984, process msn.exe
  pid 1984, process msn.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1984 set thread context of 1968; pid: 1984; process: msn.exe; procid_target: 84
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: openwith.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: msn.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: msn.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: explorer.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 4792, process msn.exe
  pid 1984, process msn.exe
  pid 1984, process msn.exe
  pid 1968, process cmd.exe
  pid 1968, process cmd.exe
  pid 1956, process explorer.exe
  pid 1956, process explorer.exe
  pid 4392, process openwith.exe
  pid 4392, process openwith.exe
  pid 4392, process openwith.exe
  pid 4392, process openwith.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 1984, process msn.exe
  pid 1968, process cmd.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 4792 wrote to memory of 1984; process: msn.exe; procid_target: 83 (3 entries)
  PID 1984 wrote to memory of 1968; process: msn.exe; procid_target: 84 (4 entries)
  PID 1968 wrote to memory of 1956; process: cmd.exe; procid_target: 100 (4 entries)
  PID 1956 wrote to memory of 4392; process: explorer.exe; procid_target: 104 (5 entries)
Processes
1. C:\Windows\system32\sihost.exe (PID 2496), command line: sihost.exe
   2. C:\Windows\SysWOW64\openwith.exe (PID 4392), command line: "C:\Windows\system32\openwith.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
1. C:\Users\Admin\AppData\Local\Temp\msn.exe (PID 4792), command line: "C:\Users\Admin\AppData\Local\Temp\msn.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\downloaddemo_test\msn.exe (PID 1984), command line: C:\ProgramData\downloaddemo_test\msn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1968), command line: C:\Windows\SysWOW64\cmd.exe
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe (PID 1956), command line: C:\Windows\SysWOW64\explorer.exe
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads