Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/12/2022, 17:28
Static task: static1
Behavioral task: behavioral1
  Sample: 952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe
  Resource: win10v2004-20220812-en
General
- Target: 952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe
- Size: 367KB
- MD5: 17988a22cb3105fae2488f11a38e55e7
- SHA1: ded099d65110a6be60931ae3e46d14c24ef562e6
- SHA256: 952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4
- SHA512: 0bceec8403c66a7417d9a837e3531c070ccf22f6473845dcd1ba877a26f6469f4dafdfb185e1462165171f476b3b20d2b596c6d676e93ccbf9394e00d3603a56
- SSDEEP: 6144:JYCnsLtk6+k4guyzJGRRpppzgLno2VMzrPrTvt0l0iPvzpQ6ijLxQFiaI:FsBkDtOFKpdgLoBPfv+lxnzpQ6ijqF
Malware Config
Extracted:
- amadey
- 3.60
- 62.204.41.79/fb73jc3/index.php
Signatures

- Detect Amadey credential stealer module (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x000a000000022e49-155.dat                                  amadey_cred_module
  behavioral2/files/0x000a000000022e49-156.dat                                  amadey_cred_module
  behavioral2/files/0x000a000000022e49-157.dat                                  amadey_cred_module
  behavioral2/memory/4124-158-0x0000000000980000-0x00000000009A4000-memory.dmp  amadey_cred_module

- Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  57    4124  rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (4 IoCs)
  pid   Process
  3472  gntuud.exe
  3368  gntuud.exe
  1276  gntuud.exe
  4356  gntuud.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  gntuud.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  4124  rundll32.exe
  4124  rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  description  ioc                                                                                                                                              Process
  Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  3196  676         WerFault.exe  81
  4336  3368        WerFault.exe  101
  3744  1276        WerFault.exe  106
  4164  4356        WerFault.exe  109

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  548  schtasks.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4124  rundll32.exe
  4124  rundll32.exe
  4124  rundll32.exe
  4124  rundll32.exe

- Suspicious use of WriteProcessMemory (30 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 676 wrote to memory of 3472     676   952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe   82
  PID 676 wrote to memory of 3472     676   952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe   82
  PID 676 wrote to memory of 3472     676   952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe   82
  PID 3472 wrote to memory of 548     3472  gntuud.exe                                                              85
  PID 3472 wrote to memory of 548     3472  gntuud.exe                                                              85
  PID 3472 wrote to memory of 548     3472  gntuud.exe                                                              85
  PID 3472 wrote to memory of 4312    3472  gntuud.exe                                                              87
  PID 3472 wrote to memory of 4312    3472  gntuud.exe                                                              87
  PID 3472 wrote to memory of 4312    3472  gntuud.exe                                                              87
  PID 4312 wrote to memory of 1048    4312  cmd.exe                                                                 89
  PID 4312 wrote to memory of 1048    4312  cmd.exe                                                                 89
  PID 4312 wrote to memory of 1048    4312  cmd.exe                                                                 89
  PID 4312 wrote to memory of 4400    4312  cmd.exe                                                                 90
  PID 4312 wrote to memory of 4400    4312  cmd.exe                                                                 90
  PID 4312 wrote to memory of 4400    4312  cmd.exe                                                                 90
  PID 4312 wrote to memory of 100     4312  cmd.exe                                                                 91
  PID 4312 wrote to memory of 100     4312  cmd.exe                                                                 91
  PID 4312 wrote to memory of 100     4312  cmd.exe                                                                 91
  PID 4312 wrote to memory of 204     4312  cmd.exe                                                                 92
  PID 4312 wrote to memory of 204     4312  cmd.exe                                                                 92
  PID 4312 wrote to memory of 204     4312  cmd.exe                                                                 92
  PID 4312 wrote to memory of 228     4312  cmd.exe                                                                 93
  PID 4312 wrote to memory of 228     4312  cmd.exe                                                                 93
  PID 4312 wrote to memory of 228     4312  cmd.exe                                                                 93
  PID 4312 wrote to memory of 4796    4312  cmd.exe                                                                 94
  PID 4312 wrote to memory of 4796    4312  cmd.exe                                                                 94
  PID 4312 wrote to memory of 4796    4312  cmd.exe                                                                 94
  PID 3472 wrote to memory of 4124    3472  gntuud.exe                                                              105
  PID 3472 wrote to memory of 4124    3472  gntuud.exe                                                              105
  PID 3472 wrote to memory of 4124    3472  gntuud.exe                                                              105

- outlook_win_path (1 IoCs)
  description  ioc                                                                                                                                              Process
  Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes
(process tree; the number in brackets is the nesting depth shown by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 676

    [2] C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 3472

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
            - Creates scheduled task(s)
            PID: 548

        [3] C:\Windows\SysWOW64\cmd.exe
            Command: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "Admin:N"&&CACLS "..\2c33368f7d" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            PID: 4312

            [4] C:\Windows\SysWOW64\cmd.exe
                Command: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 1048

            [4] C:\Windows\SysWOW64\cacls.exe
                Command: CACLS "gntuud.exe" /P "Admin:N"
                PID: 4400

            [4] C:\Windows\SysWOW64\cacls.exe
                Command: CACLS "gntuud.exe" /P "Admin:R" /E
                PID: 100

            [4] C:\Windows\SysWOW64\cmd.exe
                Command: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 204

            [4] C:\Windows\SysWOW64\cacls.exe
                Command: CACLS "..\2c33368f7d" /P "Admin:N"
                PID: 228

            [4] C:\Windows\SysWOW64\cacls.exe
                Command: CACLS "..\2c33368f7d" /P "Admin:R" /E
                PID: 4796

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - outlook_win_path
            PID: 4124

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 1136
        - Program crash
        PID: 3196

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 676 -ip 676
    PID: 2132

[1] C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
    Command: C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
    - Executes dropped EXE
    PID: 3368

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 420
        - Program crash
        PID: 4336

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3368 -ip 3368
    PID: 3924

[1] C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
    Command: C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
    - Executes dropped EXE
    PID: 1276

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 428
        - Program crash
        PID: 3744

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1276 -ip 1276
    PID: 1516

[1] C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
    Command: C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
    - Executes dropped EXE
    PID: 4356

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 236
        - Program crash
        PID: 4164

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4356 -ip 4356
    PID: 620
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 367KB
  MD5: 17988a22cb3105fae2488f11a38e55e7
  SHA1: ded099d65110a6be60931ae3e46d14c24ef562e6
  SHA256: 952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4
  SHA512: 0bceec8403c66a7417d9a837e3531c070ccf22f6473845dcd1ba877a26f6469f4dafdfb185e1462165171f476b3b20d2b596c6d676e93ccbf9394e00d3603a56
- Filesize: 126KB
  MD5: 9995abf2f401e4945a7d2930a3727619
  SHA1: 7715e14ad6e4adf609c62c5812419800343fbd4f
  SHA256: d35b5dd18d91dbfe3dc89cb75b6a26757777b5c52a33cd8fcf6e5ed45a946f1a
  SHA512: 42726fb602958594914b5bc936aff36833823f9f9da9bc80a46579d96cec12c7df070c174ec9dd82c21f2fe44f1e9a4a2e50d9944fea6379dbdec666727a7eda