Analysis
max time kernel: 300s
max time network: 305s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250207-es
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250207-es, locale:es-es, os:windows10-ltsc 2021-x64, system, windows
submitted: 09/02/2025, 17:28
Static task: static1
Behavioral task behavioral1: sample random.exe, resource win7-20241010-es
Behavioral task behavioral2: sample random.exe, resource win10ltsc2021-20250207-es
Behavioral task behavioral3: sample random.exe, resource win11-20250207-es
General
Target: random.exe
Size: 1.8MB
MD5: 53bf4bc2cc4257121dc450c9c3167319
SHA1: 3c718864780bc87e6478041b8cbcf313e70d1505
SHA256: bc634b49ae03f0905b72036605952afc3b9dc0ce3f1f57c578397dda2e3b8293
SHA512: 6a7552dd6bda139d5800241084a6bd7e8c55de4ae9f2c7af5b22d5b4f618e2ff5f897906c126ba7df6f139cc8946755c5dac7e733060222cbd54b8510bb9e80e
SSDEEP: 49152:b6VqLc5WAdbvR8skOmgoWGRjMFpDjecFM3r:b6V+xsbZ89OmgoTwjjHM3r
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: fed3aa
C2: http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Signatures

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Downloads MZ/PE file (4 IoCs)
flow | pid | Process
94 | 2056 | Process not Found
99 | 4956 | axplong.exe
21 | 4956 | axplong.exe
21 | 4956 | axplong.exe

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Control Panel\International\Geo\Nation | random.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Control Panel\International\Geo\Nation | axplong.exe

Executes dropped EXE (11 IoCs)
pid | Process
4956 | axplong.exe
3992 | alex12312312321.exe
2804 | alex12312312321.exe
5032 | goldik12321.exe
4236 | goldik12321.exe
2112 | axplong.exe
4368 | axplong.exe
2628 | trano.exe
3560 | axplong.exe
4660 | axplong.exe
4448 | axplong.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | random.exe
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Software\Wine | axplong.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar material.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
3840 | random.exe
4956 | axplong.exe
2112 | axplong.exe
4368 | axplong.exe
3560 | axplong.exe
4660 | axplong.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3992 set thread context of 2804 | 3992 | alex12312312321.exe | 92
PID 5032 set thread context of 4236 | 5032 | goldik12321.exe | 97

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | random.exe

Detects Pyinstaller (1 IoC)
resource | yara_rule
behavioral2/files/0x000d000000027f05-99.dat | pyinstaller

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3052 | 3992 | WerFault.exe | 91
4088 | 5032 | WerFault.exe | 96
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | random.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alex12312312321.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alex12312312321.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | goldik12321.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | goldik12321.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2208 | MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
3840 | random.exe
3840 | random.exe
4956 | axplong.exe
4956 | axplong.exe
2804 | alex12312312321.exe
2804 | alex12312312321.exe
2804 | alex12312312321.exe
2804 | alex12312312321.exe
2112 | axplong.exe
2112 | axplong.exe
4368 | axplong.exe
4368 | axplong.exe
3560 | axplong.exe
3560 | axplong.exe
4660 | axplong.exe
4660 | axplong.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3840 | random.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 3840 wrote to memory of 4956 | 3840 | random.exe | 88
PID 3840 wrote to memory of 4956 | 3840 | random.exe | 88
PID 3840 wrote to memory of 4956 | 3840 | random.exe | 88
PID 4956 wrote to memory of 3992 | 4956 | axplong.exe | 91
PID 4956 wrote to memory of 3992 | 4956 | axplong.exe | 91
PID 4956 wrote to memory of 3992 | 4956 | axplong.exe | 91
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 3992 wrote to memory of 2804 | 3992 | alex12312312321.exe | 92
PID 4956 wrote to memory of 5032 | 4956 | axplong.exe | 96
PID 4956 wrote to memory of 5032 | 4956 | axplong.exe | 96
PID 4956 wrote to memory of 5032 | 4956 | axplong.exe | 96
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 5032 wrote to memory of 4236 | 5032 | goldik12321.exe | 97
PID 4956 wrote to memory of 2628 | 4956 | axplong.exe | 105
PID 4956 wrote to memory of 2628 | 4956 | axplong.exe | 105
Processes
(process path, command line, PID, and the signatures triggered by that process; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\random.exe (PID 3840)
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 4956)
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Downloads MZ/PE file
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1001527001\alex12312312321.exe (PID 3992)
          "C:\Users\Admin\AppData\Local\Temp\1001527001\alex12312312321.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\1001527001\alex12312312321.exe (PID 2804)
              "C:\Users\Admin\AppData\Local\Temp\1001527001\alex12312312321.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\WerFault.exe (PID 3052)
              C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 824
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe (PID 5032)
          "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe (PID 4236)
              "C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\WerFault.exe (PID 4088)
              C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 824
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\1016645001\trano.exe (PID 2628)
          "C:\Users\Admin\AppData\Local\Temp\1016645001\trano.exe"
          - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe (PID 2644)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe (PID 1076)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5032 -ip 5032

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 2208)
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping … (remainder of the command line not present in the report)
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 2112)
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 4368)
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 3560)
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 4660)
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (PID 4448)
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
Network

MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (3): Credentials In Files (3)
Downloads

Filesize: 563KB
MD5: 4aa99fad3331371b00eaca12eb716d40
SHA1: dc0dcf92fb24643c925d94c84f665fae02dab9b9
SHA256: 6438ceb9af6892efa6ca2f1fa3057d98cb5fcdc029f249194a058b1b5af36e5b
SHA512: 2bf15f12c1cd278e2fe35667eb5c2203a32806daca018a04aaddd45019196df44beb3394f55f20e789fcc6ed2de010f731a4776f65e1070e3f578ef830f4f7a0

Filesize: 501KB
MD5: c80b4443546055bfdc0f3edc5b88abe8
SHA1: 4df4951f787aca9b1fbeafa4590614fa9db9db4a
SHA256: 6d15b1a8ef83b775e3a71618c88a2e1b4dbffb8b81afe61552e8af2d77214d64
SHA512: 1388114d4cf91a7ae5bc1c37a1caae5e3c17cfd02a2730fa3398582ad8896d8f7a94bf7f730d855cebe9dff1af31abafc3d82e831514a16d5f17333879d5c324

Filesize: 1.4MB
MD5: 3e3cb81d7d7eba7012187207743c591d
SHA1: 47cd94363625c9caf4bd82f0c29aa51c311e061f
SHA256: 44ae92658a72a11893a9cb92d44b7cb55e1259335b5cfe71487339b510fc2370
SHA512: dd2d714555b7f24761c08639eecae74706e544b846107ae78db7e951573e5a7b841714b8ebe4d293df53a32c7da1823adeb8bdc4baaf1b0d7bf07febb3f741cd

Filesize: 48KB
MD5: b5ecbf9fe4b69ce4da2906e147f41533
SHA1: 5cf1c6507918601652608da01147e86e092f67f8
SHA256: 0114eed12b6d310f76f20befc54711eaef992a4794a238a47ea24763268863e3
SHA512: adf000bd87f7ae64c46debe06c0fed46b02d08c0c046ed8eb3ecab5690348e4b727c29ff9d6cab95b530d2e9307b5caeb1a2a616469ca26d32d25f5c2f7f9b72

Filesize: 832KB
MD5: c870279df0a51f6ddf48bf678314c5ca
SHA1: 1d017a2ddbe20193bd0a71ff136cd191aa0122b3
SHA256: 579ccfc532969587f39437d3ddeb96b89291ea9a2dae1a0cf28c14f6f84a75fd
SHA512: a9b7d319fe184a32a862d268c59388ff7785c742b77682267e058fdfd8fd404b11548df53b3654f27ee58d18b2ffb369f34f5602dabc9b54c8c95ec177ef9d9c

Filesize: 1.8MB
MD5: 53bf4bc2cc4257121dc450c9c3167319
SHA1: 3c718864780bc87e6478041b8cbcf313e70d1505
SHA256: bc634b49ae03f0905b72036605952afc3b9dc0ce3f1f57c578397dda2e3b8293
SHA512: 6a7552dd6bda139d5800241084a6bd7e8c55de4ae9f2c7af5b22d5b4f618e2ff5f897906c126ba7df6f139cc8946755c5dac7e733060222cbd54b8510bb9e80e