Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

agreement.msi

windows7-x64

10

agreement.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2025, 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    agreement.msi

  • Size

    4.4MB

  • MD5

    4eba0ef4de1fc24c1da0af9a2cf241bd

  • SHA1

    95db57022873966109111c79676e23669b70da20

  • SHA256

    6e3c1e99ff62da0a2ac7e2bc89d61b515743a8074eb6559ff4328c98b0a0b4b7

  • SHA512

    724ce4c420016d0d637e6fddafc8739970de5cb79aab2b832edd675703c985ec5365493dfee7e1dc955f273bc8db8fa9aa23652a02560d681cfaa27cb1b5789c

  • SSDEEP

    98304:paldb5xT4nnk+KxSex9qQGDxE2dFsJcHztt4KbJ58BiJTsNa:UlRTn+eSrv7fsaHzzL/MZN

Score
10/10
rhadamanthysdiscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 22 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1284
      • C:\Windows\system32\msiexec.exe
        msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\agreement.msi
        2⤵
        • Enumerates connected drives
        • Event Triggered Execution: Installer Packages
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2580
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1720
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Users\Admin\AppData\Local\Conversazione\AMCB.exe
        "C:\Users\Admin\AppData\Local\Conversazione\AMCB.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:300
        • C:\Users\Admin\AppData\Roaming\JMSecurity\AMCB.exe
          C:\Users\Admin\AppData\Roaming\JMSecurity\AMCB.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              5⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:828
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D0" "00000000000005A0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f781882.rbs
      Filesize

      9KB

      MD5

      55636e589cfc69db2de1631c08cf731f

      SHA1

      06fcd6044d66c7ab239f3fe02e7b584da9250331

      SHA256

      c1121172e12e1c7a7a16741475dc9ddd143875ee210a0f53f7b2a68ccee5fe21

      SHA512

      4203beaccd8dfc26ebb152c1a0c9fbd2b2c14af53cd26160d4a9a9ea697eb904feb4595d3362893df2159be1d7944685492f0d83a6d30f237cb437283a8c7eea

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\AMCB.exe
      Filesize

      917KB

      MD5

      a2e78c6d2f267f2d40242551a7b55349

      SHA1

      be1240ed6a7830c7990eb270c15c189efa8d402d

      SHA256

      5324dc272c2a342e9925d741173e114b393bd34aef41572d9b0c93a9aceb4e14

      SHA512

      fa7b2ff11f038319ee9b89859a1e93d391a60d5b82c50854b6e4823f00531fbc747888e612aeb9583688c0b7ed8f293d3d0bbb44092d233450585628dd74d133

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\Comn.dll
      Filesize

      349KB

      MD5

      f76f5a566cbb5f561d26e7aca841c723

      SHA1

      4838fd2dd9dbfcdaf2b1f11091f15a17f93c29be

      SHA256

      0576fc3b0c9381c47a8a9443abdd195eebb34ece0adc5c6d17624ca0e914e8e3

      SHA512

      9f574f09a4c54b8e786846297fcfad7af647eb134d8e960b078a83e982ccae2956aa6c4c1014c01c7774461e31314904cb6dfc325c7a90c3e31130838beb24c0

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\ammcauth.dll
      Filesize

      525KB

      MD5

      cb6eb26cd48803e02d0886a9a6fb5476

      SHA1

      1b7480af52a4ecc6eedd405c71eb2818e468bf05

      SHA256

      8b8278edc0a7eb5c36510531fd23c67736143c7e167587bb39c8dbbc7d43c381

      SHA512

      9b04f3f1c5f323fbaeaa77271287687e368665f94ba00e58db19446ff71e6d2c0afdf5dff57d3efb42a80b1e3817683a28a4037233d5470e367f2ae63e5b5ead

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\cisterna.ai
      Filesize

      53KB

      MD5

      0a3b46d7fde8f0aa2b75fa22879459c3

      SHA1

      1bc2c72e7c5c674e3f70e84f7c7978db0f68047a

      SHA256

      981053aa59aa1cbedc2a2a5172e1ea19926721414a587adf2f6227d422f0660a

      SHA512

      b63a7fb2bfad7c06be599f16ccb22c14ffc4403e06ca1d2255899caeecbc929e3838a001c8f97a6cfc6a05195d78d7a091c887263af45ada09e7b03c5f7cf67a

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\dumbbell.pkg
      Filesize

      1.6MB

      MD5

      ec337049ee96d9344b828539961bb09f

      SHA1

      42751a042a14241e626857fec5f9dd014a209547

      SHA256

      5d20ca496b247c210db7fed594411b75af07f66f2f02aa650b435f048f4a60b0

      SHA512

      ed90fb2766fefaa9f0861db5f7900478d92e58ef6cc39eff2bdbda4a99ecfaa0da78911f1ace123c533670b99309291319d02b81d98ca9b5707bda08aef4322f

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\libamcbconsole.dll
      Filesize

      865KB

      MD5

      9ee16db906e3aea9ababf666e6e0e551

      SHA1

      f18749c9492194c88d52a48a1b2c4928fb51694b

      SHA256

      cfc71f971e1e4156760d4014a7e5fec46e4e39209d62fd8f6fe1cee788239207

      SHA512

      a79d94411a9f6c0d609cbc6d83b94dda088d18720769e4227ed869197b2bfb035ba94d1149cc5f172abc59aa42bd5044d3d585d0b04b18af5ff3c5f839a1142e

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\libamcbdb.dll
      Filesize

      665KB

      MD5

      b2c4cb2042f0913017b91fd89bb4ce5d

      SHA1

      2aeee5df3e0491494f5a74009f95a25da71f4036

      SHA256

      4bd12cbd9ee7cc059514c055be02ead0beae11bbb9db69f293e76cab9efb7fd2

      SHA512

      b0691fac42d948f5db8096fc5887b063198da73c047dd081e0111d2d92f30cf3f26e791cd1cc4617495b316324bcb24d705eec1d94aefa720eb6dc8d061c9a94

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\libcrypto-1_1.dll
      Filesize

      2.2MB

      MD5

      2c62a82ba54891ab482bf43920a507f1

      SHA1

      2f9679f974af582a67af8010509ce1024a51d738

      SHA256

      93649fd8403748715b702814d3835ae9886d1fe9e04e3aec656f7c69b1e6e55e

      SHA512

      ac5d88fd520dcd37db671c94a2c75dd99e3293fb91971579edd9cefe537ce5b13d977a930e47eea1b34f0ae8ea57365705c9904f9d2da8f41a4befc20761d875

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\msvcp80.dll
      Filesize

      536KB

      MD5

      272a9e637adcaf30b34ea184f4852836

      SHA1

      6de8a52a565f813f8ac7362e0c8ba334b680f8f8

      SHA256

      35b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4

      SHA512

      f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\msvcr80.dll
      Filesize

      612KB

      MD5

      43143abb001d4211fab627c136124a44

      SHA1

      edb99760ae04bfe68aaacf34eb0287a3c10ec885

      SHA256

      cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

      SHA512

      ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\sqlite3.dll
      Filesize

      733KB

      MD5

      b175706734947856a9263b255e72658e

      SHA1

      00a4511096b13f59bbd985976791ff03318e0da0

      SHA256

      f85a6fba996cf222265876ae41cee48fa20c7d960c105d5e1f4d7bbc47106978

      SHA512

      e796a7b582edb51376ec4e428caaf47dd6db31fc6dcb789b37c431dbe64752f298b2a6104b9c70ae6018f46275521e567a10f14afa5b5ac6a862cffbde5eb530

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cfa1ad94
      Filesize

      1.8MB

      MD5

      3d2bb313294bdf913d5b56c72ea85315

      SHA1

      4872f8f4943862b0eead2b85fa7c956f55566821

      SHA256

      ec1fcec5c5bedb8ebf6251cb3c23a5d8d21db7eb92fbbda8aa0fdac321e240a5

      SHA512

      4b5868d4eaf78cb6a57a9b76ca4e8d3477b3ed5f469cdb92abb1b04986d84e4abebc6d59fbe98fe9dcf5a0d9fb6deb7d307587a7b4dc19968cd21c8c4c6a0da1

      Download Submit

    • C:\Windows\Installer\f781880.msi
      Filesize

      4.4MB

      MD5

      4eba0ef4de1fc24c1da0af9a2cf241bd

      SHA1

      95db57022873966109111c79676e23669b70da20

      SHA256

      6e3c1e99ff62da0a2ac7e2bc89d61b515743a8074eb6559ff4328c98b0a0b4b7

      SHA512

      724ce4c420016d0d637e6fddafc8739970de5cb79aab2b832edd675703c985ec5365493dfee7e1dc955f273bc8db8fa9aa23652a02560d681cfaa27cb1b5789c

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libamct.dll
      Filesize

      1017KB

      MD5

      d528dd8ba8de94c0720ba40b76ab96fd

      SHA1

      adf8fbf50016a22fef926fced5057eb55c2fef7e

      SHA256

      82db66c5e51a84fc9669b74e82db9ec6f32441903bdadb587fbb368bcf008268

      SHA512

      9a1adf0b27a7dc067144e82085e25092aba4294ddbad13ae2748df9d6a1287a4d180c4675cef477d65e6895d89a9549dd2c57daff7ae0fc7c7500d34292dbdca

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libcurl.dll
      Filesize

      409KB

      MD5

      62ddd175d6110cd30e6095c69c736bb2

      SHA1

      667b8f1a17d56ef2f2f727229ebdfd4751937806

      SHA256

      221b2cf1c07b5d6d56d3191963c1bc24188c8f60ab2ef8786d34ae9c809be758

      SHA512

      764a896516743237612bfcac4333f352800c3005013459b86aad3582a1ef89d16a4d8cab65db6d9929bc47c8caee9b12c62759c5847ec758d734452c6fb99df5

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libssl-1_1.dll
      Filesize

      641KB

      MD5

      cdbf8cd36924ffb81b19487746f7f18e

      SHA1

      781190c5a979359054ce56ceef714a8f5384cfbb

      SHA256

      0813c77df688b39f26bad0be2b3e4afde13e97d9a1ebcbdb3b1f4184218d1a57

      SHA512

      ca43450e853b3c74808ad199abe329ac2a2d7ae2e84c17fb467374c22ec9620fb102c75889e279e2d28f0ebd14d8bafafe700241ba4141fd64b4801802a3d474

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\log4cplusU.dll
      Filesize

      330KB

      MD5

      52530bc5a745e56c0d8164beb7500322

      SHA1

      a440ab259d6c9c437d2e5fcf51c53b4c5eb179e7

      SHA256

      345a3de62dcb5abed30fc9cfa634274b652244c023e594595485227b0d2a8f76

      SHA512

      ede5e5af76542d0a2e9aa49cf2a2bbebf2d093f68602c6d8583a589fc4e0a49f47ac3eabaf82787369afda322abbedd089fa5a2bebb5532f05db7f26c623d7f3

      Download Submit

    • memory/300-78-0x0000000074350000-0x00000000744C4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/300-44-0x0000000000230000-0x00000000002EB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/300-70-0x0000000000680000-0x00000000006D3000-memory.dmp

      Filesize

      332KB

      Download

    • memory/300-67-0x0000000000A40000-0x0000000000C7D000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/300-74-0x0000000000810000-0x00000000008E3000-memory.dmp

      Filesize

      844KB

      Download

    • memory/300-60-0x0000000000600000-0x0000000000661000-memory.dmp

      Filesize

      388KB

      Download

    • memory/300-64-0x0000000000760000-0x00000000007FE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/300-79-0x0000000076EE0000-0x0000000077089000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/300-52-0x0000000000500000-0x00000000005FA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/300-48-0x00000000002F0000-0x0000000000341000-memory.dmp

      Filesize

      324KB

      Download

    • memory/300-56-0x0000000000370000-0x00000000003EE000-memory.dmp

      Filesize

      504KB

      Download

    • memory/828-157-0x0000000005210000-0x0000000005610000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/828-155-0x00000000001E0000-0x00000000001E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/828-161-0x0000000076C70000-0x0000000076CB7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/828-159-0x0000000076EE0000-0x0000000077089000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/828-158-0x0000000005210000-0x0000000005610000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/828-152-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-153-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-151-0x0000000072460000-0x00000000734C2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/828-154-0x0000000000400000-0x0000000000522000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/828-156-0x0000000000300000-0x0000000000310000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1632-149-0x0000000074340000-0x00000000744B4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1632-148-0x0000000076EE0000-0x0000000077089000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1720-162-0x0000000000080000-0x000000000008A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1720-164-0x0000000001CE0000-0x00000000020E0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1720-165-0x0000000076EE0000-0x0000000077089000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1720-167-0x0000000076C70000-0x0000000076CB7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1752-145-0x0000000074340000-0x00000000744B4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1752-143-0x0000000074340000-0x00000000744B4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1752-144-0x0000000076EE0000-0x0000000077089000-memory.dmp

      Filesize

      1.7MB

      Download