Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

ba96f1e9c7...62.msi

windows7-x64

10

ba96f1e9c7...62.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2025, 03:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi

  • Size

    34.9MB

  • MD5

    9cf0093a76065c3c65c1dfbbb76fa82b

  • SHA1

    98276b30afb00ea041b2b5b922eff7e917b620ea

  • SHA256

    ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62

  • SHA512

    b3fd984c03000884c566caf79bc5686078018dc7f79b4919e1fcec0f6dc47cf05136439229aa292a508739f37151fa209546cfa53622416666f4fb2ae17a3c5a

  • SSDEEP

    786432:pCLRK7wXCr4zP7pRv/dpO26Aj1Izj6T6Da9Bm:4LM7Vr4zlJ626A8Na9B

Score
10/10
rhadamanthysdiscoverypersistenceprivilege_escalationpyinstallerstealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3016
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3092
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi
      1⤵
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4100
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
          PID:2592
        • C:\Users\Admin\AppData\Local\Temp\Here\WiseTurbo.exe
          "C:\Users\Admin\AppData\Local\Temp\Here\WiseTurbo.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\WiseTurbo.exe
            C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\WiseTurbo.exe
            3⤵
            • Suspicious use of SetThreadContext
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3660
            • C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\ZKGPTQJUSEIARV\installer.exe
              C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\ZKGPTQJUSEIARV\installer.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4976
              • C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\ZKGPTQJUSEIARV\installer.exe
                C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\ZKGPTQJUSEIARV\installer.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:3836
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2520
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                5⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3764
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:2716

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e57c15d.rbs
        Filesize

        8KB

        MD5

        e149e8492094cc8e7952a9bb55e33569

        SHA1

        1612ec72ae26262957c1d7b8fb9de0cbb9368a53

        SHA256

        043b5ba8c90beb03502a3516458891c71672f8cee34397108696aeb68bec5357

        SHA512

        7f5b637fd2ee8243b636a6bba13e2a307c0639f31fb9ab8441dd4321b55535e9575e10df41964b6f04b0e9f1ae51bb49bf6c12c514c69dcccb6c6c4241a20861

        Download Submit

      • C:\Users\Admin\AppData\Local\ServiceCom_NSG_alpha3\ZKGPTQJUSEIARV\installer.exe
        Filesize

        31.6MB

        MD5

        4656eb115aea07eb129fb445964ee63d

        SHA1

        e6131c83dda3107a7639eca0304acd14dfcaaa54

        SHA256

        bf0ba2f8ac2a54111471850e570ccd61d63e26ee398229068df801a3440fdb0e

        SHA512

        49c3326a85744fe1891b6fd19b9166863b129003bf52e5fe7ebdd8b88909118d7c9a011eaa106aa93a5909753c34fdb937190f8ac92ae3871924862d354cab1f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\66c5d889
        Filesize

        32.7MB

        MD5

        d593afad9ff32bed29eda3b8d56288ae

        SHA1

        6e95442d7d04ce117013d828ea0396a0e392434a

        SHA256

        228fb9d553fc9208374eedd456c25a008a3f9dec27e0003e4fe5477c0623a686

        SHA512

        72f7e74fbb79e85570990c0ebd39f91ae5827b7be1659f07d2c83e31ea9d894ad79e488a3743a386e98281d887f4f7d2d05392d8e94d3062baf2f6266c426475

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Here\WiseTurbo.exe
        Filesize

        8.7MB

        MD5

        1f166f5c76eb155d44dd1bf160f37a6a

        SHA1

        cd6f7aa931d3193023f2e23a1f2716516ca3708c

        SHA256

        2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588

        SHA512

        38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Here\clangor.flv
        Filesize

        39KB

        MD5

        6e87bf97a21c6c3b22b9620e5bdd8a33

        SHA1

        fe5f456535cdac4e9305021d000b9b6f33e88918

        SHA256

        e96f1b1cd83b830567ce7c7161c3aabd91c7fac6aa5dd856891584ae615187f4

        SHA512

        e33230feb31b47f301097fe4d8745eeefeda6e654a34a5379be5beb02d8e7083fc222a5aa9808147887eb9f24eb7855ad647e8b9b6277f172593f45915e15b8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Here\sqlite3.dll
        Filesize

        882KB

        MD5

        c657ed746c9a08b910bde0f3780366bf

        SHA1

        5030a916544a452e432e5dfeac55ee6a56060250

        SHA256

        5b0dd7cdf57fc0d9429cadba0564c9f2671aab465732c7c403e407fa3dc4e3bf

        SHA512

        082d88272ad1aff697e32097bf2146634f782b7dc8e59648a07f5d4f89c146afb92d483a38863f5fe67e33d00cdef55fb7fc2bca0110a2ab8bf33ed9ad8b1d94

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Here\ungulate.tar
        Filesize

        32.3MB

        MD5

        ec9950a2297dc3ef3d7d96f73900f800

        SHA1

        89dedcca8c5ce2e5f033c603a574bd9cdc483a3c

        SHA256

        4ee4f33221668e34f7a843bdb23231061d41574163a9d7724341745c3739142d

        SHA512

        4811d3ca95bc1fddb8b149c8d9ac1079acfeb334438292a0bf0e302f9e7788cbb45317f7bf45ac4b72e0fdbccb52f269074879262bc177f59455eedf83428e45

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI49762\VCRUNTIME140.dll
        Filesize

        99KB

        MD5

        8697c106593e93c11adc34faa483c4a0

        SHA1

        cd080c51a97aa288ce6394d6c029c06ccb783790

        SHA256

        ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

        SHA512

        724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI49762\_ctypes.pyd
        Filesize

        122KB

        MD5

        29da9b022c16da461392795951ce32d9

        SHA1

        0e514a8f88395b50e797d481cbbed2b4ae490c19

        SHA256

        3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372

        SHA512

        5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI49762\base_library.zip
        Filesize

        1006KB

        MD5

        206a03b5257df65655597d17799aae7b

        SHA1

        0a1039f9ac9c53535249df377ac4db3baac6e246

        SHA256

        c550b1290d063f3ed200f9287b5c478d286a577cbb80c088e0dc5d294779d8ec

        SHA512

        63a3747c97be6ab47b867a9d34625327b698c6b559894c4cb3fd0c599e0cd900a326d9ae6bdaa845d799aaa3aec4addddcce64561ec1f641a8b1cf1f8be8725b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI49762\libffi-7.dll
        Filesize

        32KB

        MD5

        eef7981412be8ea459064d3090f4b3aa

        SHA1

        c60da4830ce27afc234b3c3014c583f7f0a5a925

        SHA256

        f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

        SHA512

        dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI49762\python39.dll
        Filesize

        4.3MB

        MD5

        11c051f93c922d6b6b4829772f27a5be

        SHA1

        42fbdf3403a4bc3d46d348ca37a9f835e073d440

        SHA256

        0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

        SHA512

        1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

        Download Submit

      • C:\Windows\Installer\e57c15c.msi
        Filesize

        34.9MB

        MD5

        9cf0093a76065c3c65c1dfbbb76fa82b

        SHA1

        98276b30afb00ea041b2b5b922eff7e917b620ea

        SHA256

        ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62

        SHA512

        b3fd984c03000884c566caf79bc5686078018dc7f79b4919e1fcec0f6dc47cf05136439229aa292a508739f37151fa209546cfa53622416666f4fb2ae17a3c5a

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        24.1MB

        MD5

        30b90d59e396ab5a0638e6ef6d16296a

        SHA1

        c6757e6353dbb28d2190da168e98077fb54cc29f

        SHA256

        a3608fc1c4c033eab6e2b34544bfb80de0f6b191f5cb3b485aaaf23131e9539a

        SHA512

        a8f1c61d15ea2ec541f3a99da5ead6e752ad9927c6cd7699565004ca49e8558a8280c489016a0b977eb217c55b781fed207728d0c559d0a9a30ecd70be7732db

        Download Submit

      • \??\Volume{2c2b4495-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b080bc57-fbd1-44a3-ba4a-93c08712f12f}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        17645eca83824b5163c288bb046dc7fa

        SHA1

        6b30bf0a6327a2aae56ed452e5c7cee07d1531fe

        SHA256

        16ff45472b1149b152182aa36edc2bcf4eee96224bf48623d3bc1670eff676d7

        SHA512

        69a92c4e0fa5ec89aadf9963240eb4343c1b5bf502097e65b347edc81d88bca18163ddcc81b4571e905f675ae35e62bde04b00a0f3937de3cfc8e97fa8faddb0

        Download Submit

      • memory/1788-40-0x0000000000400000-0x0000000000D48000-memory.dmp

        Filesize

        9.3MB

        Download

      • memory/1788-32-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1788-31-0x00000000743E0000-0x000000007455B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2520-95-0x00000000743E0000-0x000000007455B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2520-94-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3092-106-0x0000000000C20000-0x0000000000C2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3092-113-0x0000000076270000-0x0000000076485000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/3092-111-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3092-110-0x0000000001240000-0x0000000001640000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3660-77-0x00000000743E0000-0x000000007455B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3660-82-0x0000000000400000-0x0000000000D48000-memory.dmp

        Filesize

        9.3MB

        Download

      • memory/3660-46-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3660-48-0x00000000743E0000-0x000000007455B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3660-45-0x00000000743E0000-0x000000007455B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3764-101-0x0000000005740000-0x0000000005B40000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3764-105-0x0000000076270000-0x0000000076485000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/3764-109-0x0000000000670000-0x00000000006F2000-memory.dmp

        Filesize

        520KB

        Download

      • memory/3764-102-0x0000000005740000-0x0000000005B40000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3764-100-0x00007FF987C30000-0x00007FF987E25000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3764-99-0x0000000000670000-0x00000000006F2000-memory.dmp

        Filesize

        520KB

        Download