Analysis
max time kernel
139s
max time network
133s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags
arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system
submitted
27/11/2022, 12:25
Static task
static1
Behavioral task
behavioral1
Sample
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe
Resource
win10-20220812-en
General
Target
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe
Size
209KB
MD5
837e602c1c99e5b1a1c222dae09ce30f
SHA1
4de8c0574230139aa4f840ffda05e58ee9771f71
SHA256
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae
SHA512
b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f
SSDEEP
3072:0744wqfFImJjYd4LOy4W5l1df8NduLtDLmPaZqL1ylO/fHFyGEjgjdHg20cTSVFU:fEbJ24LOK3Z6PIa1yCfH8GjpHg2cn74
Malware Config
Extracted
amadey
3.50
31.41.244.17/hfk3vK9/index.php
Signatures
Detect Amadey credential stealer module 2 IoCs
resource | yara_rule
behavioral1/files/0x0003000000015567-297.dat | amadey_cred_module
behavioral1/files/0x0003000000015567-298.dat | amadey_cred_module

Blocklisted process makes network request 1 IoCs
flow | pid | Process
8 | 4984 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs
pid | Process
4120 | gntuud.exe
3912 | gntuud.exe
4248 | gntuud.exe

Loads dropped DLL 1 IoCs
pid | Process
4984 | rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4952 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4984 | rundll32.exe
4984 | rundll32.exe
4984 | rundll32.exe
4984 | rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2124 wrote to memory of 4120 | 2124 | b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe | 66
PID 2124 wrote to memory of 4120 | 2124 | b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe | 66
PID 2124 wrote to memory of 4120 | 2124 | b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe | 66
PID 4120 wrote to memory of 4952 | 4120 | gntuud.exe | 67
PID 4120 wrote to memory of 4952 | 4120 | gntuud.exe | 67
PID 4120 wrote to memory of 4952 | 4120 | gntuud.exe | 67
PID 4120 wrote to memory of 4984 | 4120 | gntuud.exe | 69
PID 4120 wrote to memory of 4984 | 4120 | gntuud.exe | 69
PID 4120 wrote to memory of 4984 | 4120 | gntuud.exe | 69

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe
"C:\Users\Admin\AppData\Local\Temp\b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae.exe"
- Suspicious use of WriteProcessMemory
PID:2124
  C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4120
    C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
    - Creates scheduled task(s)
    PID:4952
    C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:4984

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
- Executes dropped EXE
PID:4248
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
209KB
MD5
837e602c1c99e5b1a1c222dae09ce30f
SHA1
4de8c0574230139aa4f840ffda05e58ee9771f71
SHA256
b553561126bb1445ae14ee5180b992689725a2d2c3e39217b4fe0870b05cd7ae
SHA512
b9f62a027900bbcd4368ecb95630186ff99657c94397d3d96c13e0522ccbeb7b947c8225272614511c117b9e81334ab5c4e46db3b70d387e7e38dafdd5f8b36f
Filesize
126KB
MD5
adbaf286228c46522e50371c4be31a03
SHA1
a29d644c4663b2e2b2bd92046ba0df629537c297
SHA256
d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0
SHA512
74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d