Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/03/2025, 16:02
Static task
static1
Behavioral task
behavioral1
Sample
random.exe
Resource
win7-20241010-en
General
-
Target
random.exe
-
Size
1.9MB
-
MD5
e67596e44012bac363634be64ffb53a2
-
SHA1
359a0d08089429de8b940e36001b6616643d1e7a
-
SHA256
ae82b53e626e7f9082fdec3f156ac490b601fa93aa9a4bbbbc99eefe75a6823c
-
SHA512
78b5704a666daedc12cbe24c5adc81e90aa09912693f3b92201bba086e3d5dc1a635ffbedefef00d58338c3dd352b4b9960769d6838ecafdefb1a3849c36ddb6
-
SSDEEP
49152:SBzFsb7/7APmpnbpr9wboPdLxo5CQ2bOeW7mh:SBAjcOpnbbld99pbbW7
Malware Config
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Signatures
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe -
Executes dropped EXE 1 IoCs
pid Process 3044 rapes.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine rapes.exe -
Loads dropped DLL 2 IoCs
pid Process 2304 random.exe 2304 random.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2304 random.exe 3044 rapes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\rapes.job random.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language random.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2304 random.exe 3044 rapes.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2304 random.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2304 wrote to memory of 3044 2304 random.exe 29 PID 2304 wrote to memory of 3044 2304 random.exe 29 PID 2304 wrote to memory of 3044 2304 random.exe 29 PID 2304 wrote to memory of 3044 2304 random.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3044
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5e67596e44012bac363634be64ffb53a2
SHA1359a0d08089429de8b940e36001b6616643d1e7a
SHA256ae82b53e626e7f9082fdec3f156ac490b601fa93aa9a4bbbbc99eefe75a6823c
SHA51278b5704a666daedc12cbe24c5adc81e90aa09912693f3b92201bba086e3d5dc1a635ffbedefef00d58338c3dd352b4b9960769d6838ecafdefb1a3849c36ddb6