Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
02/02/2025, 00:05
Static task
static1
Behavioral task
behavioral1
Sample
AMOR.pdf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
AMOR.pdf
Resource
win10v2004-20250129-en
Behavioral task
behavioral3
Sample
guia del AMORRRRRRRR.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
guia del AMORRRRRRRR.exe
Resource
win10v2004-20250129-en
General
-
Target
guia del AMORRRRRRRR.exe
-
Size
4.3MB
-
MD5
d876fdc6818190fc7ecc1e849cb6b3c0
-
SHA1
ca964ab6263ef213b0e865dd4a30b31776e78744
-
SHA256
e423ed04c23696b1463447e89aa2b8084aea4746dd5e039f4a8218f59675f7c6
-
SHA512
80cba59de560e1168e31a0e053b99c53aee9afd841284bf0717426df773f7ff59de3b0454da74e528f3751c798ba5f01c5e91875c133f41261fb1c47e6ca29dc
-
SSDEEP
98304:F1dl23qOyYd6oHKzh9CNs8142z6VVegllWP2QN/rK5OfpFE:myYYoqUH1/zCvG2QtW8+
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral3/files/0x0006000000019242-36.dat family_ardamax -
Executes dropped EXE 2 IoCs
pid Process 2936 Install.exe 2596 HBMK.exe -
Loads dropped DLL 10 IoCs
pid Process 2256 guia del AMORRRRRRRR.exe 2936 Install.exe 2936 Install.exe 2936 Install.exe 2936 Install.exe 2936 Install.exe 2596 HBMK.exe 2596 HBMK.exe 2596 HBMK.exe 2596 HBMK.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HBMK Agent = "C:\\Windows\\SysWOW64\\28463\\HBMK.exe" HBMK.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\28463\HBMK.001 Install.exe File created C:\Windows\SysWOW64\28463\HBMK.006 Install.exe File created C:\Windows\SysWOW64\28463\HBMK.007 Install.exe File created C:\Windows\SysWOW64\28463\HBMK.exe Install.exe File created C:\Windows\SysWOW64\28463\AKV.exe Install.exe File created C:\Windows\SysWOW64\28463\HBMK.009 HBMK.exe File opened for modification C:\Windows\SysWOW64\28463\HBMK.009 HBMK.exe File created C:\Windows\SysWOW64\28463\key.bin Install.exe File opened for modification C:\Windows\SysWOW64\28463 HBMK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language guia del AMORRRRRRRR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HBMK.exe -
Modifies registry class 33 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\TypeLib\ HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\VersionIndependentProgID HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ = "Xamana Object" HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\ HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\ = "WinBioPolicy 1.0 Type Library" HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\HELPDIR HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ProgID\ HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\VersionIndependentProgID\ = "PortableDeviceWMDRM.PortableDeviceWMDRM" HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\biocpl.dll" HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\FLAGS HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\InprocServer32\ HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ProgID HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ProgID\ = "PortableDeviceWMDRM.PortableDeviceWMDRM.1" HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0 HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\win32 HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\win32\ HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\TypeLib\ = "{E7569642-1547-1568-5629-B8E5A6814EB7}" HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\VersionIndependentProgID\ HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\InprocServer32 HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7} HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\ HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\TypeLib HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\Version HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8} HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\ HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\HELPDIR\ HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\HELPDIR\ = "%SystemRoot%\\system32" HBMK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0 HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\Version\ = "1.0" HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\InprocServer32\ = "C:\\Windows\\SysWOW64\\portabledevicewmdrm.dll" HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\FLAGS\ HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\FLAGS\ = "0" HBMK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\Version\ HBMK.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2864 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2864 vlc.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 2596 HBMK.exe Token: SeIncBasePriorityPrivilege 2596 HBMK.exe Token: 33 2864 vlc.exe Token: SeIncBasePriorityPrivilege 2864 vlc.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe 2864 vlc.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2596 HBMK.exe 2596 HBMK.exe 2596 HBMK.exe 2596 HBMK.exe 2596 HBMK.exe 2864 vlc.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2256 wrote to memory of 2936 2256 guia del AMORRRRRRRR.exe 30 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2936 wrote to memory of 2596 2936 Install.exe 31 PID 2256 wrote to memory of 2864 2256 guia del AMORRRRRRRR.exe 32 PID 2256 wrote to memory of 2864 2256 guia del AMORRRRRRRR.exe 32 PID 2256 wrote to memory of 2864 2256 guia del AMORRRRRRRR.exe 32 PID 2256 wrote to memory of 2864 2256 guia del AMORRRRRRRR.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\guia del AMORRRRRRRR.exe"C:\Users\Admin\AppData\Local\Temp\guia del AMORRRRRRRR.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\28463\HBMK.exe"C:\Windows\system32\28463\HBMK.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2596
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\3-cuando.mp3"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2864
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5966999a7762c93404988e186372196b2
SHA14be609785a55bd53ffe4773f4f203869f394ec25
SHA256c11cd70f089d7fe02808f7729434100d84b77091d6df39a6d21ecceab17d9143
SHA512820807f07d9f7e0067c4c1b595f9e951faf93120fd2e2f9ec6c2855bfa3b8c2b6f0c588019b8de717c16dcd729b8bac6babcc4d85ffe25b6896131b16403cf4a
-
Filesize
198B
MD50f1cae3280963a60c4625e18fc1b7c22
SHA13d2b70780fa54274229d78c970bb0c6a632a1337
SHA256905f02023807d7e9e335a800b7be29ee89699438ab6071e034e398739927593e
SHA5125e015d4165d6cc2a3232640cf2c54f82a6c9bd583db3569ab7e9c096e8b7c4fab7bfd54725232b62d86d9687d2fc17ba6946ce72fa8ca86b94e060215168e13a
-
Filesize
457KB
MD546ccfd974518e5849738449034a05a17
SHA1d391108816aed7ba8f7beb205ad7171c74eae6b2
SHA256571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe
SHA512773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a
-
Filesize
624B
MD57bfd3b9de4a6b14eccef8fa67b32c021
SHA175636b19b8e6ee04e08282232c06c18ffbf07be3
SHA2567461e839232322955ad4c4cfa045868356adccf1f93206c154abc07ebfe42316
SHA51213b66816a442a6dd5fbd352e1f95aedc2b15e50e1db18594581eb9ef57d46091176b60bef34274aebd36e00620f9677ba595f7a9e00e638ca27d515d7d569693
-
Filesize
8KB
MD5395bbef326fa5ad1216b23f5debf167b
SHA1aa4a7334b5a693b3f0d6f47b568e0d13a593d782
SHA2567c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1
SHA512dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679
-
Filesize
5KB
MD51b5e72f0ebd49cf146f9ae68d792ffe5
SHA11e90a69c12b9a849fbbac0670296b07331c1cf87
SHA2568f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e
SHA5126364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc
-
Filesize
105B
MD527c90d4d9b049f4cd00f32ed1d2e5baf
SHA1338a3ea8f1e929d8916ece9b6e91e697eb562550
SHA256172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb
SHA512d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae
-
Filesize
4KB
MD54b8ed89120fe8ddc31ddba07bc15372b
SHA1181e7ac3d444656f50c1cd02a6832708253428e6
SHA2562ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93
SHA51249269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23
-
Filesize
787KB
MD5d06ded340770bb22e613ef7e7dfc3de0
SHA11c2be300320e9cecbba81b94e96bdbb12012c101
SHA256f0cc11b7493de36b4ef0aa3a90aa2acdc71521577bcadaa931673365e2ecd0d9
SHA512c8841d2f1be82ed064e3334dcc8912b98b26f0cd9d07f70a52a7dc119353b9aba5fa12acd508ae43f30282ca3d170736c9c15751af9f76a9bb2ca16c33429e77
-
Filesize
649KB
MD52bff0c75a04401dada0adfab933e46a7
SHA1364d97f90b137f8e359d998164fb15d474be7bbb
SHA2562aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da
SHA51288b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f