Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

agreement.msi

windows7-x64

10

agreement.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    20/03/2025, 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    agreement.msi

  • Size

    4.4MB

  • MD5

    4eba0ef4de1fc24c1da0af9a2cf241bd

  • SHA1

    95db57022873966109111c79676e23669b70da20

  • SHA256

    6e3c1e99ff62da0a2ac7e2bc89d61b515743a8074eb6559ff4328c98b0a0b4b7

  • SHA512

    724ce4c420016d0d637e6fddafc8739970de5cb79aab2b832edd675703c985ec5365493dfee7e1dc955f273bc8db8fa9aa23652a02560d681cfaa27cb1b5789c

  • SSDEEP

    98304:paldb5xT4nnk+KxSex9qQGDxE2dFsJcHztt4KbJ58BiJTsNa:UlRTn+eSrv7fsaHzzL/MZN

Score
10/10
rhadamanthysdiscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 22 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Windows\system32\msiexec.exe
        msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\agreement.msi
        2⤵
        • Enumerates connected drives
        • Event Triggered Execution: Installer Packages
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2072
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:992
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Local\Conversazione\AMCB.exe
        "C:\Users\Admin\AppData\Local\Conversazione\AMCB.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Users\Admin\AppData\Roaming\JMSecurity\AMCB.exe
          C:\Users\Admin\AppData\Roaming\JMSecurity\AMCB.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:580
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              5⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2432
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:484
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C8" "0000000000000494"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f76e7e1.rbs
      Filesize

      9KB

      MD5

      9cf24b49ad4191ed64a606d899b635ce

      SHA1

      e84bb1f15fb3248ff4a21e325b372a5e4897c09d

      SHA256

      9fcce55687bede93f32fe1307d3aef65f7ba90ba1b785ef72a9c8379ffe1ec91

      SHA512

      cea0f9345ab1a3298379cf7f38b86cecf94d3975b0b93618ce4ae8c8dc09ae2e592b7da094b22897b7fe20adc646837ef7735c8932d9797397dc20a444e75ad2

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\AMCB.exe
      Filesize

      917KB

      MD5

      a2e78c6d2f267f2d40242551a7b55349

      SHA1

      be1240ed6a7830c7990eb270c15c189efa8d402d

      SHA256

      5324dc272c2a342e9925d741173e114b393bd34aef41572d9b0c93a9aceb4e14

      SHA512

      fa7b2ff11f038319ee9b89859a1e93d391a60d5b82c50854b6e4823f00531fbc747888e612aeb9583688c0b7ed8f293d3d0bbb44092d233450585628dd74d133

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\cisterna.ai
      Filesize

      53KB

      MD5

      0a3b46d7fde8f0aa2b75fa22879459c3

      SHA1

      1bc2c72e7c5c674e3f70e84f7c7978db0f68047a

      SHA256

      981053aa59aa1cbedc2a2a5172e1ea19926721414a587adf2f6227d422f0660a

      SHA512

      b63a7fb2bfad7c06be599f16ccb22c14ffc4403e06ca1d2255899caeecbc929e3838a001c8f97a6cfc6a05195d78d7a091c887263af45ada09e7b03c5f7cf67a

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\dumbbell.pkg
      Filesize

      1.6MB

      MD5

      ec337049ee96d9344b828539961bb09f

      SHA1

      42751a042a14241e626857fec5f9dd014a209547

      SHA256

      5d20ca496b247c210db7fed594411b75af07f66f2f02aa650b435f048f4a60b0

      SHA512

      ed90fb2766fefaa9f0861db5f7900478d92e58ef6cc39eff2bdbda4a99ecfaa0da78911f1ace123c533670b99309291319d02b81d98ca9b5707bda08aef4322f

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\msvcp80.dll
      Filesize

      536KB

      MD5

      272a9e637adcaf30b34ea184f4852836

      SHA1

      6de8a52a565f813f8ac7362e0c8ba334b680f8f8

      SHA256

      35b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4

      SHA512

      f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52

      Download Submit

    • C:\Users\Admin\AppData\Local\Conversazione\msvcr80.dll
      Filesize

      612KB

      MD5

      43143abb001d4211fab627c136124a44

      SHA1

      edb99760ae04bfe68aaacf34eb0287a3c10ec885

      SHA256

      cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

      SHA512

      ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\f0db0fa8
      Filesize

      1.8MB

      MD5

      95982ff34b422734d306018d5ea3fd0c

      SHA1

      e692ba73077ce611238c6a6ad141e8297e4dafd7

      SHA256

      372a1a82f59e3f00fc4ebe21bb0770434c22c6853d133384628864dc47f6fa4f

      SHA512

      bfb569fcbfcc5f8a8fc4de77151b56d9bcb804eaa2ab7539e5f2db899122dc51d02b0c8d2e2cf4ebb3c79537074a502c80b8d9fe2e0791815b34d1925868993a

      Download Submit

    • C:\Windows\Installer\f76e7df.msi
      Filesize

      4.4MB

      MD5

      4eba0ef4de1fc24c1da0af9a2cf241bd

      SHA1

      95db57022873966109111c79676e23669b70da20

      SHA256

      6e3c1e99ff62da0a2ac7e2bc89d61b515743a8074eb6559ff4328c98b0a0b4b7

      SHA512

      724ce4c420016d0d637e6fddafc8739970de5cb79aab2b832edd675703c985ec5365493dfee7e1dc955f273bc8db8fa9aa23652a02560d681cfaa27cb1b5789c

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\Comn.dll
      Filesize

      349KB

      MD5

      f76f5a566cbb5f561d26e7aca841c723

      SHA1

      4838fd2dd9dbfcdaf2b1f11091f15a17f93c29be

      SHA256

      0576fc3b0c9381c47a8a9443abdd195eebb34ece0adc5c6d17624ca0e914e8e3

      SHA512

      9f574f09a4c54b8e786846297fcfad7af647eb134d8e960b078a83e982ccae2956aa6c4c1014c01c7774461e31314904cb6dfc325c7a90c3e31130838beb24c0

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\ammcauth.dll
      Filesize

      525KB

      MD5

      cb6eb26cd48803e02d0886a9a6fb5476

      SHA1

      1b7480af52a4ecc6eedd405c71eb2818e468bf05

      SHA256

      8b8278edc0a7eb5c36510531fd23c67736143c7e167587bb39c8dbbc7d43c381

      SHA512

      9b04f3f1c5f323fbaeaa77271287687e368665f94ba00e58db19446ff71e6d2c0afdf5dff57d3efb42a80b1e3817683a28a4037233d5470e367f2ae63e5b5ead

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libamcbconsole.dll
      Filesize

      865KB

      MD5

      9ee16db906e3aea9ababf666e6e0e551

      SHA1

      f18749c9492194c88d52a48a1b2c4928fb51694b

      SHA256

      cfc71f971e1e4156760d4014a7e5fec46e4e39209d62fd8f6fe1cee788239207

      SHA512

      a79d94411a9f6c0d609cbc6d83b94dda088d18720769e4227ed869197b2bfb035ba94d1149cc5f172abc59aa42bd5044d3d585d0b04b18af5ff3c5f839a1142e

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libamcbdb.dll
      Filesize

      665KB

      MD5

      b2c4cb2042f0913017b91fd89bb4ce5d

      SHA1

      2aeee5df3e0491494f5a74009f95a25da71f4036

      SHA256

      4bd12cbd9ee7cc059514c055be02ead0beae11bbb9db69f293e76cab9efb7fd2

      SHA512

      b0691fac42d948f5db8096fc5887b063198da73c047dd081e0111d2d92f30cf3f26e791cd1cc4617495b316324bcb24d705eec1d94aefa720eb6dc8d061c9a94

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libamct.dll
      Filesize

      1017KB

      MD5

      d528dd8ba8de94c0720ba40b76ab96fd

      SHA1

      adf8fbf50016a22fef926fced5057eb55c2fef7e

      SHA256

      82db66c5e51a84fc9669b74e82db9ec6f32441903bdadb587fbb368bcf008268

      SHA512

      9a1adf0b27a7dc067144e82085e25092aba4294ddbad13ae2748df9d6a1287a4d180c4675cef477d65e6895d89a9549dd2c57daff7ae0fc7c7500d34292dbdca

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libcrypto-1_1.dll
      Filesize

      2.2MB

      MD5

      2c62a82ba54891ab482bf43920a507f1

      SHA1

      2f9679f974af582a67af8010509ce1024a51d738

      SHA256

      93649fd8403748715b702814d3835ae9886d1fe9e04e3aec656f7c69b1e6e55e

      SHA512

      ac5d88fd520dcd37db671c94a2c75dd99e3293fb91971579edd9cefe537ce5b13d977a930e47eea1b34f0ae8ea57365705c9904f9d2da8f41a4befc20761d875

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libcurl.dll
      Filesize

      409KB

      MD5

      62ddd175d6110cd30e6095c69c736bb2

      SHA1

      667b8f1a17d56ef2f2f727229ebdfd4751937806

      SHA256

      221b2cf1c07b5d6d56d3191963c1bc24188c8f60ab2ef8786d34ae9c809be758

      SHA512

      764a896516743237612bfcac4333f352800c3005013459b86aad3582a1ef89d16a4d8cab65db6d9929bc47c8caee9b12c62759c5847ec758d734452c6fb99df5

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\libssl-1_1.dll
      Filesize

      641KB

      MD5

      cdbf8cd36924ffb81b19487746f7f18e

      SHA1

      781190c5a979359054ce56ceef714a8f5384cfbb

      SHA256

      0813c77df688b39f26bad0be2b3e4afde13e97d9a1ebcbdb3b1f4184218d1a57

      SHA512

      ca43450e853b3c74808ad199abe329ac2a2d7ae2e84c17fb467374c22ec9620fb102c75889e279e2d28f0ebd14d8bafafe700241ba4141fd64b4801802a3d474

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\log4cplusU.dll
      Filesize

      330KB

      MD5

      52530bc5a745e56c0d8164beb7500322

      SHA1

      a440ab259d6c9c437d2e5fcf51c53b4c5eb179e7

      SHA256

      345a3de62dcb5abed30fc9cfa634274b652244c023e594595485227b0d2a8f76

      SHA512

      ede5e5af76542d0a2e9aa49cf2a2bbebf2d093f68602c6d8583a589fc4e0a49f47ac3eabaf82787369afda322abbedd089fa5a2bebb5532f05db7f26c623d7f3

      Download Submit

    • \Users\Admin\AppData\Local\Conversazione\sqlite3.dll
      Filesize

      733KB

      MD5

      b175706734947856a9263b255e72658e

      SHA1

      00a4511096b13f59bbd985976791ff03318e0da0

      SHA256

      f85a6fba996cf222265876ae41cee48fa20c7d960c105d5e1f4d7bbc47106978

      SHA512

      e796a7b582edb51376ec4e428caaf47dd6db31fc6dcb789b37c431dbe64752f298b2a6104b9c70ae6018f46275521e567a10f14afa5b5ac6a862cffbde5eb530

      Download Submit

    • memory/580-148-0x0000000077B40000-0x0000000077CE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/580-149-0x0000000074FA0000-0x0000000075114000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/992-165-0x0000000077B40000-0x0000000077CE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/992-164-0x0000000001E20000-0x0000000002220000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/992-162-0x0000000000080000-0x000000000008A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/992-167-0x00000000775D0000-0x0000000077617000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1516-56-0x0000000000720000-0x000000000079E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1516-52-0x0000000000620000-0x000000000071A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1516-48-0x00000000005C0000-0x0000000000611000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1516-79-0x0000000077B40000-0x0000000077CE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1516-74-0x0000000000B50000-0x0000000000C23000-memory.dmp

      Filesize

      844KB

      Download

    • memory/1516-70-0x0000000000AF0000-0x0000000000B43000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1516-67-0x00000000008B0000-0x0000000000AED000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1516-64-0x0000000000810000-0x00000000008AE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1516-60-0x00000000007A0000-0x0000000000801000-memory.dmp

      Filesize

      388KB

      Download

    • memory/1516-44-0x0000000000500000-0x00000000005BB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/1516-78-0x0000000074FB0000-0x0000000075124000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2160-117-0x00000000006E0000-0x00000000007DA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/2160-125-0x00000000007E0000-0x0000000000841000-memory.dmp

      Filesize

      388KB

      Download

    • memory/2160-143-0x0000000074FA0000-0x0000000075114000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2160-144-0x0000000077B40000-0x0000000077CE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2160-145-0x0000000074FA0000-0x0000000075114000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2160-132-0x00000000008F0000-0x0000000000B2D000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2160-135-0x0000000000B30000-0x0000000000B83000-memory.dmp

      Filesize

      332KB

      Download

    • memory/2160-121-0x0000000000500000-0x000000000057E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/2160-109-0x0000000000320000-0x00000000003DB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/2160-113-0x0000000000230000-0x0000000000281000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2160-129-0x0000000000850000-0x00000000008EE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2160-139-0x0000000000B90000-0x0000000000C63000-memory.dmp

      Filesize

      844KB

      Download

    • memory/2432-154-0x0000000000400000-0x0000000000522000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2432-156-0x0000000000600000-0x0000000000610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2432-157-0x0000000004F30000-0x0000000005330000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2432-159-0x0000000077B40000-0x0000000077CE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-161-0x00000000775D0000-0x0000000077617000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2432-158-0x0000000004F30000-0x0000000005330000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2432-155-0x00000000005A0000-0x00000000005A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2432-151-0x00000000730C0000-0x0000000074122000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2432-152-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-153-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download