Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
24/03/2025, 18:54
General
-
Target
quanto.exe.bin.exe
-
Size
4.6MB
-
MD5
8903a3a26cd448747ae51dc64e359211
-
SHA1
198b3ea699183d292e95748300acc176773f6834
-
SHA256
92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603
-
SHA512
4cbaa5e0c267f39baa8f9e07d6c13563ce25b7c4f8ef474388588bf9868d56713ebc663eaecfdb134aadc6d2e8e3802dff10c3ba5f86f335b42d813ff066bc5b
-
SSDEEP
98304:MKaAh0jTZCMVjTec6LVdMi8SJblSEbWAj3FUn3v8n9VuIf9u3:/laRCMVa7dP82lSuzBkq/uIU3
Malware Config
Signatures
-
Detects Rhadamanthys payload 3 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\quanto.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\quanto.exe.bin.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\{4B46E2AA-8BA8-4235-8857-7A2EEC25AC34}\.cr\quanto.exe.bin.exe"C:\Windows\TEMP\{4B46E2AA-8BA8-4235-8857-7A2EEC25AC34}\.cr\quanto.exe.bin.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\quanto.exe.bin.exe" -burn.filehandle.attached=664 -burn.filehandle.self=6482⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\{C8233B4F-5598-4C39-B448-91BDB586E548}\.ba\WiseTurbo.exeC:\Windows\TEMP\{C8233B4F-5598-4C39-B448-91BDB586E548}\.ba\WiseTurbo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\serverAuth\WiseTurbo.exeC:\Users\Admin\AppData\Roaming\serverAuth\WiseTurbo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5898f718be684d84b0be675d5b1f6d6b8
SHA1364e8da24bec4b274a1ce034da1e1d20ca6ac12e
SHA25628f46d468d856a04824e85fee7e1b14791e97016c332dca815efc7ca351e9771
SHA5126b87116650200870460e6b9fef6fd80913f85d279c9aae134de8450510197e54568cacb3acdd055e2eef6c3d609b253441f9431736b8a3e1cd8dae34b2bd8753
-
Filesize
863KB
MD50905b3ca4c3989e8dd6222736ae3a151
SHA1bee40c368333c70272b3f0c60cd0ae3383f909d8
SHA2561672e7fa812259cf9ffb95bb24ebd6139fc40381a4f34267b5955f96b549ee20
SHA5122e1da1157d0b774688c658bc711480b6950d3c98ef5deb64899f4d6bf9d93f0465a7cb53c23019ce2e1f60c9c24f41728411ff781ff5a2366a4d9841bfbbb68e
-
Filesize
891KB
MD5f18535f3edbc5a948cbe169b32532cd4
SHA154575320f198626ef74f08b17022671e05c09df0
SHA25672b214770043bce3c69b35803f8c83bb04cd88561af4571ce5c13b68ce9f38f6
SHA5122f4322043f55406772e6b16bc97e1c94c4f537ae6d8a238535a50717b7cb2eaa5ea1a7bd5fd184ffa6f1cf54e88f5a9128c51f77eb6b4a5d1368e6dd9737ddef
-
Filesize
4.5MB
MD5c785d6c4511b8577ab1a17de6452f063
SHA17f7dc6e303d7ae0bf9ed48da70b1dc1bfe408305
SHA25642019eb9f6c1c9420ef67e323139047ef07e9c14dc0ee109126cfa24ebbdfba7
SHA512d767fcf9211b92685f41529b5842f8bef46d61a45549923f6a176f0d08b45c0d77099913df5adc8a506d35e14f9c51b05be68f7756d8d67d7ca79385dcef2130
-
Filesize
203KB
MD5edd36228f691d9528e7a4a99ae237d0b
SHA190c234e0a27bffc9414e49743648f249e467287e
SHA256a2c80f88af00d526b10c3b18c8403ff5ac6353ea229ed86c441303b6a6f9fcba
SHA51230a4882a30255ca7869eb631ec56e0fbee5090cdad634efc0145d0e211082576ea8e3b9031a5a05b56513faf8849c21f2f890606dc6650820507c289aada87ad
-
Filesize
8.7MB
MD51f166f5c76eb155d44dd1bf160f37a6a
SHA1cd6f7aa931d3193023f2e23a1f2716516ca3708c
SHA2562d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588
SHA51238ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7
-
Filesize
67KB
MD5bd42648e3937a646fc2e5b71614a499e
SHA11d8bb75712dda9b26a035c8abfc96e6e1c182ba3
SHA256406557b203253097558ce7b29367628a5e079667eba1c96aa5cfbc1da7159a4d
SHA512c11f12036a35d3ef0b0acd00dd298caf146bbcc5435c4bf21f7c6b642e458b8e756652099da8b5e4eb40cb2293c2cae2bfc6dfbb63496edf7a7bb98b9cf50dab
-
Filesize
9.3MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
9.3MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
40KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
2.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
524KB
