Analysis
- max time kernel: 92s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2025, 11:32
Behavioral tasks
task | sample | resource
behavioral1 | Release/New V1.0.3.exe | win7-20241023-en
behavioral2 | Release/New V1.0.3.exe | win10v2004-20250129-en
behavioral3 | Release/autoexec/bin.dll | win7-20240903-en
behavioral4 | Release/autoexec/bin.dll | win10v2004-20250129-en
behavioral5 | Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll | win7-20240729-en
behavioral6 | Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll | win10v2004-20250129-en
behavioral7 | Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll | win7-20240903-en
behavioral8 | Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll | win10v2004-20250129-en
behavioral9 | Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll | win7-20240903-en
behavioral10 | Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll | win10v2004-20250129-en
behavioral11 | Release/locales/resources/vk_swiftshader.dll | win7-20240708-en
behavioral12 | Release/locales/resources/vk_swiftshader.dll | win10v2004-20241007-en
behavioral13 | Release/locales/resources/vulkan-1.dll | win7-20241010-en
behavioral14 | Release/locales/resources/vulkan-1.dll | win10v2004-20250129-en
behavioral15 | Release/scripts/config.js | win7-20240903-en
behavioral16 | Release/scripts/config.js | win10v2004-20250129-en
behavioral17 | Release/scripts/local.dll | win7-20241010-en
behavioral18 | Release/scripts/local.dll | win10v2004-20250129-en
behavioral19 | Release/scripts/uwp.dll | win7-20240903-en
behavioral20 | Release/scripts/uwp.dll | win10v2004-20250129-en
General
- Target: Release/New V1.0.3.exe
- Size: 1.2MB
- MD5: bb51d554e3b4fd7fed2bad278b9970d0
- SHA1: 7d6f516b0755b2472bfb39d086da0106a8eb3e68
- SHA256: 1fb66beef1b9185abbf99a473188a755a0dee0e122a066a0e0776e251d716f95
- SHA512: acafe93c075c71b94ab3efacaec6dd168986d2a88b330958e57647adaca4e043a5ea538bb0007ba8685925c8373fda6a3d99c59c9f30f65de8fc948e2304efac
- SSDEEP: 24576:lsKH7wrz1OIcJhiTKGOwD8HxgQotG411iS4QZl+5nLHoWLb57BW21wRqNb:rjIcJhrJxgQHPS42sHoWH9QuA+
Signatures
- Detects Rhadamanthys payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3272-377-0x0000000004940000-0x00000000049C1000-memory.dmp | Rhadamanthys_v8
  behavioral2/memory/3272-380-0x0000000004940000-0x00000000049C1000-memory.dmp | Rhadamanthys_v8
  behavioral2/memory/3272-379-0x0000000004940000-0x00000000049C1000-memory.dmp | Rhadamanthys_v8
  behavioral2/memory/3272-378-0x0000000004940000-0x00000000049C1000-memory.dmp | Rhadamanthys_v8
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 3272 created 2640 | 3272 | Unity.com | 44
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | New V1.0.3.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3272 | Unity.com
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  4200 | tasklist.exe
  4784 | tasklist.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\ConsentSyria | New V1.0.3.exe
  File opened for modification | C:\Windows\TractRecovery | New V1.0.3.exe
  File opened for modification | C:\Windows\JoeFunctional | New V1.0.3.exe
  File opened for modification | C:\Windows\ExpenseRecognize | New V1.0.3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4724 | 3272 | WerFault.exe | 96
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process (one row per IoC): New V1.0.3.exe, cmd.exe, extrac32.exe, findstr.exe, choice.exe, cmd.exe, Unity.com, cmd.exe, findstr.exe, findstr.exe, tasklist.exe, cmd.exe, tasklist.exe, svchost.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3272 | Unity.com (10 rows)
  8 | svchost.exe (4 rows)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4200 | tasklist.exe
  Token: SeDebugPrivilege | 4784 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  3272 | Unity.com (3 rows)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  3272 | Unity.com (3 rows)
- Suspicious use of WriteProcessMemory (41 IoCs; each row below is reported three times, the last one five times)
  description | pid | Process | procid_target
  PID 2828 wrote to memory of 2100 | 2828 | New V1.0.3.exe | 84
  PID 2100 wrote to memory of 4200 | 2100 | cmd.exe | 86
  PID 2100 wrote to memory of 3948 | 2100 | cmd.exe | 87
  PID 2100 wrote to memory of 4784 | 2100 | cmd.exe | 89
  PID 2100 wrote to memory of 5112 | 2100 | cmd.exe | 90
  PID 2100 wrote to memory of 4960 | 2100 | cmd.exe | 91
  PID 2100 wrote to memory of 4832 | 2100 | cmd.exe | 92
  PID 2100 wrote to memory of 1224 | 2100 | cmd.exe | 93
  PID 2100 wrote to memory of 1656 | 2100 | cmd.exe | 94
  PID 2100 wrote to memory of 2936 | 2100 | cmd.exe | 95
  PID 2100 wrote to memory of 3272 | 2100 | cmd.exe | 96
  PID 2100 wrote to memory of 2496 | 2100 | cmd.exe | 97
  PID 3272 wrote to memory of 8 | 3272 | Unity.com | 99
Processes (process tree; nesting shows parent/child, PID after each entry)
- C:\Windows\system32\sihost.exe
  Command: sihost.exe
  PID: 2640
  - C:\Windows\SysWOW64\svchost.exe
    Command: "C:\Windows\System32\svchost.exe"
    PID: 8
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\Release\New V1.0.3.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\Release\New V1.0.3.exe"
  PID: 2828
  Signatures: Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c copy Sent Sent.cmd & Sent.cmd
    PID: 2100
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command: tasklist
      PID: 4200
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command: findstr /I "opssvc wrsa"
      PID: 3948
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe
      Command: tasklist
      PID: 4784
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      PID: 5112
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command: cmd /c md 261464
      PID: 4960
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\extrac32.exe
      Command: extrac32 /Y /E Carroll
      PID: 4832
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe
      Command: findstr /V "Circumstances" Club
      PID: 1224
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command: cmd /c copy /b 261464\Unity.com + Excellent + Annotation + Changing + Decades + Beginning + Junior + Notebooks + Regional + License + Blog 261464\Unity.com
      PID: 1656
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command: cmd /c copy /b ..\Products + ..\Additions + ..\Promotions + ..\Packet + ..\Weblogs + ..\Variation + ..\Among + ..\Volleyball + ..\Story f
      PID: 2936
      Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\261464\Unity.com
      Command: Unity.com f
      PID: 3272
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 904
        PID: 4724
        Signatures: Program crash
    - C:\Windows\SysWOW64\choice.exe
      Command: choice /d y /t 5
      PID: 2496
      Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3272 -ip 3272
  PID: 4472
Network
MITRE ATT&CK Enterprise v15
Downloads