Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

019e368cdf...2a.exe

windows7-x64

10

019e368cdf...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe

  • Size

    6.8MB

  • MD5

    72ec64d0bc0b31f8842c9b5d488c11e7

  • SHA1

    85d81edeac18c67d6c8b73ab628347586a5039ad

  • SHA256

    019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a

  • SHA512

    e2d42b2f43916cd1191994b9f21b5961b965b23ac0ae87f679bcb13cf97f030e656f4e8eaec493dbcd54b9702e062eac02c761d14557bf20d8e00e02fcb993e0

  • SSDEEP

    196608:v/urAt9I7l4UXW4AzZS4NQdQtmAbGRHjoec:v7Ea/4AkAQdsmA88ec

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 3 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe
        "C:\Users\Admin\AppData\Local\Temp\019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\TEMP\{52F9E764-BC55-494A-A4D0-B22DF8E28E37}\.cr\019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe
          "C:\Windows\TEMP\{52F9E764-BC55-494A-A4D0-B22DF8E28E37}\.cr\019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\TEMP\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\WinX_DVD_Ripper_Platinum.exe
            C:\Windows\TEMP\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\WinX_DVD_Ripper_Platinum.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Users\Admin\AppData\Roaming\Dn_explore_test\WinX_DVD_Ripper_Platinum.exe
              C:\Users\Admin\AppData\Roaming\Dn_explore_test\WinX_DVD_Ripper_Platinum.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\SysWOW64\cmd.exe
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2696
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  7⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2068
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1051cfc8
      Filesize

      1.1MB

      MD5

      bf0facd12ee93cac135677d205ad09eb

      SHA1

      7cd5211d2dafc87aaca28215a3f6b7d3505c5636

      SHA256

      9a0782c752ce9856f7bb60e8530fdec41b7e34c93b623a42b6279f511b24dd92

      SHA512

      92a114ad74ea292b4dca8e8e3d6776b4f7f38b49dc29fe7d56da43f5c4cbe0f1694b3934d69597db34fa5ca0a2673610765086bbc34240a1693293c1c96dcd7f

      Download Submit

    • C:\Windows\TEMP\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\LIBEAY32.DLL
      Filesize

      1.0MB

      MD5

      73a8cdc0bb5b95c1ba6deb39d71f0349

      SHA1

      bef1bb7843d0e424d55203bfa6fa3f40eedc9379

      SHA256

      639980c48dd692e9ff3144f3d932aa07e501f12197d587ec47eb5ec8f6b7696a

      SHA512

      7f81a44da7d6849f78d9eb6610831fc1c2aa6a76f986bd6d1f11ac79565189497c16ac76902750d101c97082915c6db267df4260eb48a0de1d88744a75e14722

      Download Submit

    • C:\Windows\TEMP\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\PROFILE.DLL
      Filesize

      241KB

      MD5

      a957f7e18d5493a99d151ff504214d09

      SHA1

      cfdb6cb20382b68888b0efd8e761649d60c0a7b5

      SHA256

      3cb6f7bbefac6d1fa487ddaec82d4565cf2f564ec5f14eca1cbd5c987735ae9a

      SHA512

      80d3f142a637545255eefb73a20e278c0fdaf832b5a221e4588c4469ac8177f166d176262c86c7f8c90e5293992c2566b35703a2333507f4f3756f375d620bbe

      Download Submit

    • C:\Windows\TEMP\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\restart.msg
      Filesize

      863KB

      MD5

      d1f6010adeeeb153fcbf492a2013176d

      SHA1

      990b47b4948badd2b9499f2ca2bc065a639a6bdd

      SHA256

      4647a4cbd1b866fa7425682aefdd5236812ce099e37d5f21a973eaea694182da

      SHA512

      4bc78c048a8a70beeb096bcf7b93410f67752df9cb1029279b689dd119c8feaf40cda0634f5d259b5b7ec3aac4a647451e51de47312a94b200c4d99c4a42d70c

      Download Submit

    • C:\Windows\TEMP\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\transform.asp
      Filesize

      45KB

      MD5

      63afa5cdf59535a6ee3a44c29972f740

      SHA1

      90d721394d8c683078a146253f8e903767d6cae3

      SHA256

      e63d72eb447dba2e5110fe4cae4483f6395272ce26b79638ced29116037facef

      SHA512

      1d6c895aa0d3b02cf5e11ee50a8b9d57b6ef796a2adca5f092cf7f65a4d7cfe380c573e628d72fb59cbb304c5bf4620b1cb951d27969af3bf98e58034ce7cfd2

      Download Submit

    • C:\Windows\Temp\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\WinX_DVD_Ripper_Platinum.exe
      Filesize

      15.1MB

      MD5

      3c64548b4aedbd79411d69029bdae67f

      SHA1

      c27d42f5984ec27f63db147dfec7828c1c877990

      SHA256

      1f7a9cf0f11e5d30538e7162aa69c9216839dda3928b25368434f7e6e96ea0fb

      SHA512

      f61f2de84b61a6f8dfa943435d1ad0230df5c71081a5e642a95c35ce5b0ac7849d903ffc2985ba13cdbd457615150a3ed88d6bde2a9744d938ecb8f80305c842

      Download Submit

    • \Windows\Temp\{52F9E764-BC55-494A-A4D0-B22DF8E28E37}\.cr\019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a.exe
      Filesize

      6.8MB

      MD5

      93860d60d2df0f9da732e45513e7ba5d

      SHA1

      ce6acbd9d61da9d988fb86a01daebecd0291d005

      SHA256

      9366725e71cf2999398b7b257286637b9fcb11d8b49a4afb96649921dfb31b1b

      SHA512

      e62d5ff6e85e053b22d4f4eb36d3da3336bf38d4bc5c95d8f800f7a81afad8a472075347756d1beb16e523b5a657a65379c01b8ef5b1143025c7a2e57e2288b3

      Download Submit

    • \Windows\Temp\{81F535E2-E3F0-47F6-A90A-B67E2DA4BAC8}\.ba\Serum.dll
      Filesize

      130KB

      MD5

      20aa36c2ce87d64cb58e7e32f0546fb1

      SHA1

      d65d8b30c3343c4f22d2765325f7e518ba5cec2e

      SHA256

      55285f72c479667b7e4c395ec503f81e5ef560d224a0ffc5347dcb44b2bcd394

      SHA512

      5ab90561dc204402bfb4e7a7931f68bcbe73b2bae3e2999f8421406b0edf4225c1b1cebc8d888b59d0c936c71fbe4da99a3f7366c48196d578dcfe65051a5514

      Download Submit

    • memory/1736-76-0x0000000076AA0000-0x0000000076AE7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1736-74-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1736-73-0x0000000001E50000-0x0000000002250000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1736-69-0x0000000000080000-0x000000000008A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2068-62-0x0000000000080000-0x0000000000103000-memory.dmp

      Filesize

      524KB

      Download

    • memory/2068-64-0x0000000002BC0000-0x0000000002FC0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2068-71-0x0000000000080000-0x0000000000103000-memory.dmp

      Filesize

      524KB

      Download

    • memory/2068-68-0x0000000076AA0000-0x0000000076AE7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2068-65-0x0000000002BC0000-0x0000000002FC0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2068-60-0x0000000000080000-0x0000000000103000-memory.dmp

      Filesize

      524KB

      Download

    • memory/2068-61-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2696-57-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2696-58-0x0000000074F70000-0x00000000750E4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2740-44-0x0000000001510000-0x0000000001618000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2740-49-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2740-48-0x0000000074F70000-0x00000000750E4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2740-53-0x0000000074F70000-0x00000000750E4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2740-50-0x0000000000400000-0x0000000001335000-memory.dmp

      Filesize

      15.2MB

      Download

    • memory/2748-28-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2748-38-0x0000000000400000-0x0000000001335000-memory.dmp

      Filesize

      15.2MB

      Download

    • memory/2748-27-0x0000000074F50000-0x00000000750C4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2748-23-0x0000000000230000-0x0000000000338000-memory.dmp

      Filesize

      1.0MB

      Download