Analysis
- max time kernel: 293s
- max time network: 299s
- platform: windows7_x64
- resource: win7-20241010-es
- resource tags: arch:x64, arch:x86, image:win7-20241010-es, locale:es-es, os:windows7-x64, system, windows
- submitted: 09/02/2025, 17:28
Static task
- static1

Behavioral tasks
- behavioral1: Sample random.exe, Resource win7-20241010-es
- behavioral2: Sample random.exe, Resource win10ltsc2021-20250207-es
- behavioral3: Sample random.exe, Resource win11-20250207-es
General
- Target: random.exe
- Size: 1.8MB
- MD5: 53bf4bc2cc4257121dc450c9c3167319
- SHA1: 3c718864780bc87e6478041b8cbcf313e70d1505
- SHA256: bc634b49ae03f0905b72036605952afc3b9dc0ce3f1f57c578397dda2e3b8293
- SHA512: 6a7552dd6bda139d5800241084a6bd7e8c55de4ae9f2c7af5b22d5b4f618e2ff5f897906c126ba7df6f139cc8946755c5dac7e733060222cbd54b8510bb9e80e
- SSDEEP: 49152:b6VqLc5WAdbvR8skOmgoWGRjMFpDjecFM3r:b6V+xsbZ89OmgoTwjjHM3r
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: fed3aa
- C2: http://185.215.113.16
- install_dir: 44111dbc49
- install_file: axplong.exe
- strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
- url_paths: /Jo89Ku7d/index.php
Signatures

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Downloads MZ/PE file (1 IoC)
flow | pid | Process
8 | 2768 | axplong.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe

Executes dropped EXE (1 IoC)
pid | Process
2768 | axplong.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | random.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | axplong.exe

Loads dropped DLL (2 IoCs)
pid | Process
2444 | random.exe
2444 | random.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2444 | random.exe
2768 | axplong.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | random.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | random.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2444 | random.exe
2768 | axplong.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2444 | random.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2444 wrote to memory of 2768 | 2444 | random.exe | 30
PID 2444 wrote to memory of 2768 | 2444 | random.exe | 30
PID 2444 wrote to memory of 2768 | 2444 | random.exe | 30
PID 2444 wrote to memory of 2768 | 2444 | random.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\random.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
  PID: 2444
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  Child process: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    PID: 2768
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 976KB
  MD5: 405b833bcd68cd4f6e7f9c9888f409eb
  SHA1: 789d2aeed77cb4fbf3f050306fdb08ecd04ebffe
  SHA256: cdfe7f7027e25ced2b5373a4bcc8461603e24e74274f4261cb4165841bdceb1f
  SHA512: 85738b86ec0192ce4ed9bb625240604e10ae9d3d65eeceb7b38d88f0360fc25e8e71d62eaf88e915e15d61e4b20dd6f117a49aae859a5da989f480bf45b7a7aa

- Filesize: 512KB
  MD5: a74eb7f136788c21a81fefed2caf0e8d
  SHA1: 2fdf1cefdfad23bcf0c9742fd1877b8eec37e89f
  SHA256: f8fde14d6dd939ae094825c05f2b1557f79d00ca6d53905b77fcc1bc72d4fad1
  SHA512: eed68195101b1ad7dbe7555bca2a781920b2c5dbe7e01d258c928e942c3d34af4e4ffa291d9503ed17c996b5134f3dff151ef9db833745e93446cd7873cd0bbd

- Filesize: 1.8MB
  MD5: 53bf4bc2cc4257121dc450c9c3167319
  SHA1: 3c718864780bc87e6478041b8cbcf313e70d1505
  SHA256: bc634b49ae03f0905b72036605952afc3b9dc0ce3f1f57c578397dda2e3b8293
  SHA512: 6a7552dd6bda139d5800241084a6bd7e8c55de4ae9f2c7af5b22d5b4f618e2ff5f897906c126ba7df6f139cc8946755c5dac7e733060222cbd54b8510bb9e80e