Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07/10/2022, 19:41
General
-
Target
d9cbb8b59cb294437a95d632bd67bd95.exe
-
Size
268KB
-
MD5
d9cbb8b59cb294437a95d632bd67bd95
-
SHA1
4660e342a02c6084ca69d84ac74ca7353befbca7
-
SHA256
dcdd0cd8d4a274600c01db970c804976b8d56911111250786be99d8aa7dd094c
-
SHA512
17f7b229083e623c70708aececde8f9e846364dad6c072668e8138978344d030379eaad271043dffbbb92ef1c7c00254a0db9d6afe42c508333d1730d893b7e3
-
SSDEEP
3072:bXN1fhc0WNE7PalYhMm5WlbkvEfjsUK9St9k8AvNpPIcc2V788VggjcGkNIVqIx/:zTZtalYCp6EfQUWoKv/s2uI7ITsqe4
Malware Config
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 3 IoCs
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9cbb8b59cb294437a95d632bd67bd95.exe"C:\Users\Admin\AppData\Local\Temp\d9cbb8b59cb294437a95d632bd67bd95.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F9F5.exeC:\Users\Admin\AppData\Local\Temp\F9F5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FDDE.exeC:\Users\Admin\AppData\Local\Temp\FDDE.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1138.exeC:\Users\Admin\AppData\Local\Temp\1138.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe"C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN wfyoot.exe /TR "C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\70b90d83e65db7\cred64.dll, Main3⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\70b90d83e65db7\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 11242⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4452 -ip 44521⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exeC:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 3122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4804 -ip 48041⤵
-
C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exeC:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 3162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4856 -ip 48561⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
314KB
MD5bff67ce5d7f8ebb150a23e848027d470
SHA1c5e3a083979418315e2ac09cf1041da33a55f7d5
SHA25623443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
SHA512300b220a36a36aab485a9d6ac3e5bcb6dfbd76b17e360cc80a65392fb4e7881cb0cf0e36567d14a9102040003f63cd1af37d39454affc7acc83cc474c574e575
-
Filesize
314KB
MD5bff67ce5d7f8ebb150a23e848027d470
SHA1c5e3a083979418315e2ac09cf1041da33a55f7d5
SHA25623443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
SHA512300b220a36a36aab485a9d6ac3e5bcb6dfbd76b17e360cc80a65392fb4e7881cb0cf0e36567d14a9102040003f63cd1af37d39454affc7acc83cc474c574e575
-
Filesize
314KB
MD5bff67ce5d7f8ebb150a23e848027d470
SHA1c5e3a083979418315e2ac09cf1041da33a55f7d5
SHA25623443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
SHA512300b220a36a36aab485a9d6ac3e5bcb6dfbd76b17e360cc80a65392fb4e7881cb0cf0e36567d14a9102040003f63cd1af37d39454affc7acc83cc474c574e575
-
Filesize
314KB
MD5bff67ce5d7f8ebb150a23e848027d470
SHA1c5e3a083979418315e2ac09cf1041da33a55f7d5
SHA25623443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
SHA512300b220a36a36aab485a9d6ac3e5bcb6dfbd76b17e360cc80a65392fb4e7881cb0cf0e36567d14a9102040003f63cd1af37d39454affc7acc83cc474c574e575
-
Filesize
314KB
MD5bff67ce5d7f8ebb150a23e848027d470
SHA1c5e3a083979418315e2ac09cf1041da33a55f7d5
SHA25623443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
SHA512300b220a36a36aab485a9d6ac3e5bcb6dfbd76b17e360cc80a65392fb4e7881cb0cf0e36567d14a9102040003f63cd1af37d39454affc7acc83cc474c574e575
-
Filesize
314KB
MD5bff67ce5d7f8ebb150a23e848027d470
SHA1c5e3a083979418315e2ac09cf1041da33a55f7d5
SHA25623443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
SHA512300b220a36a36aab485a9d6ac3e5bcb6dfbd76b17e360cc80a65392fb4e7881cb0cf0e36567d14a9102040003f63cd1af37d39454affc7acc83cc474c574e575
-
Filesize
363KB
MD5e292a6cbeb112872c04796311b52ae30
SHA18ecefecab9231e42429a33256f5db84eff302948
SHA25639c4fa10490d1f6e5f909786dee9ab0d8e8eb79bb04a9c541d2209224367ad16
SHA512c506b3c796d99f8fb3e70d36596720bd1a6328a653c77769e20cbb358da122e576d72518508f63217e80985eb9abaa79abaa681312e9100445e391828029577e
-
Filesize
363KB
MD5e292a6cbeb112872c04796311b52ae30
SHA18ecefecab9231e42429a33256f5db84eff302948
SHA25639c4fa10490d1f6e5f909786dee9ab0d8e8eb79bb04a9c541d2209224367ad16
SHA512c506b3c796d99f8fb3e70d36596720bd1a6328a653c77769e20cbb358da122e576d72518508f63217e80985eb9abaa79abaa681312e9100445e391828029577e
-
Filesize
363KB
MD5ad170ecbf3579649162c3cb67d398672
SHA1838306ef60ae4286030be9b395c866abd0c8ff47
SHA2565e924125ff6aeb76684f4fb7f578c6d9278b243ed18e9a9eff8b2b28045ec5a5
SHA51283a5511b668f49d4361a4a9dd5c8944c6395504f8f31c3a0ab94a9ea1d75d4b17c72c433c53d73cd9dfbb641c34b2741ef15474bacc7c6728e889511ffafc185
-
Filesize
363KB
MD5ad170ecbf3579649162c3cb67d398672
SHA1838306ef60ae4286030be9b395c866abd0c8ff47
SHA2565e924125ff6aeb76684f4fb7f578c6d9278b243ed18e9a9eff8b2b28045ec5a5
SHA51283a5511b668f49d4361a4a9dd5c8944c6395504f8f31c3a0ab94a9ea1d75d4b17c72c433c53d73cd9dfbb641c34b2741ef15474bacc7c6728e889511ffafc185
-
Filesize
126KB
MD56a0718d278ba7511b78df6706c12b71a
SHA183cefe0cdfcc041e0b8cdd8b903abcba95b947a2
SHA256ed09ad4a634284fcff5d1e12eb0263092d5fdbe910c5c2ae76827bbab6401675
SHA512f0afb8559dfd60af8be5269edb99b3c47ccb83ce48aaff6cce6daaf6ca3b3d77f4058cb43b7ca8c5d506afc15955db9cae8ea843aa081ff990ea6313f1f2f7df
-
Filesize
126KB
MD56a0718d278ba7511b78df6706c12b71a
SHA183cefe0cdfcc041e0b8cdd8b903abcba95b947a2
SHA256ed09ad4a634284fcff5d1e12eb0263092d5fdbe910c5c2ae76827bbab6401675
SHA512f0afb8559dfd60af8be5269edb99b3c47ccb83ce48aaff6cce6daaf6ca3b3d77f4058cb43b7ca8c5d506afc15955db9cae8ea843aa081ff990ea6313f1f2f7df
-
Filesize
126KB
MD56a0718d278ba7511b78df6706c12b71a
SHA183cefe0cdfcc041e0b8cdd8b903abcba95b947a2
SHA256ed09ad4a634284fcff5d1e12eb0263092d5fdbe910c5c2ae76827bbab6401675
SHA512f0afb8559dfd60af8be5269edb99b3c47ccb83ce48aaff6cce6daaf6ca3b3d77f4058cb43b7ca8c5d506afc15955db9cae8ea843aa081ff990ea6313f1f2f7df
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
68KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
332KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
220KB
-
Filesize
116KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
332KB