Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2022, 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    273KB

  • MD5

    67d588981512c4db6508225a1d7b1644

  • SHA1

    baaa04249099b2faede5550e4410a82651f64d46

  • SHA256

    90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

  • SHA512

    fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

  • SSDEEP

    6144:329dkLiUR5PW5BRGhSPLETPNCxZWT4x6hng3CDNLU0V6:329i28e5fVPLELzT4whgS54O

Score
10/10
amadeycollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.237/jg94cVd30f/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:1916
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "gntuud.exe" /P "Admin:N"
            4⤵
              PID:4188
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "gntuud.exe" /P "Admin:R" /E
              4⤵
                PID:224
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:4136
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\9c69749b54" /P "Admin:N"
                  4⤵
                    PID:4228
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\9c69749b54" /P "Admin:R" /E
                    4⤵
                      PID:1152
                  • C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe"
                    3⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:4868
                    • C:\Windows\SysWOW64\msiexec.exe
                      "C:\Windows\System32\msiexec.exe" /y .\JKXD.TK
                      4⤵
                      • Loads dropped DLL
                      PID:2120
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
                    3⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Accesses Microsoft Outlook profiles
                    • Suspicious behavior: EnumeratesProcesses
                    • outlook_win_path
                    PID:2144
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1220
                  2⤵
                  • Program crash
                  PID:2696
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4572 -ip 4572
                1⤵
                  PID:4844
                • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                  C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                  1⤵
                  • Executes dropped EXE
                  PID:3520
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 416
                    2⤵
                    • Program crash
                    PID:3020
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3520 -ip 3520
                  1⤵
                    PID:4100
                  • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                    C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                    1⤵
                    • Executes dropped EXE
                    PID:2500
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 416
                      2⤵
                      • Program crash
                      PID:4568
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2500 -ip 2500
                    1⤵
                      PID:4756

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
                      Filesize

                      1.6MB

                      MD5

                      3a4e11c08616a3ff092252247319fc69

                      SHA1

                      5f2c09aee73a06de21712bc3c500cd79bac372ee

                      SHA256

                      5a9cbf6ce9beaa771b9c59a76573c1954ebcdf02aa31ecf161081a27302eee4a

                      SHA512

                      9c0b098190614c2896d43530551c3853dbfd9d7ad075c00840b046ad1effc87af556bdd1b84f1083da95171d98f787acdb3dd1a998043196bf1e6a36adb8efa0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
                      Filesize

                      1.6MB

                      MD5

                      3a4e11c08616a3ff092252247319fc69

                      SHA1

                      5f2c09aee73a06de21712bc3c500cd79bac372ee

                      SHA256

                      5a9cbf6ce9beaa771b9c59a76573c1954ebcdf02aa31ecf161081a27302eee4a

                      SHA512

                      9c0b098190614c2896d43530551c3853dbfd9d7ad075c00840b046ad1effc87af556bdd1b84f1083da95171d98f787acdb3dd1a998043196bf1e6a36adb8efa0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      273KB

                      MD5

                      67d588981512c4db6508225a1d7b1644

                      SHA1

                      baaa04249099b2faede5550e4410a82651f64d46

                      SHA256

                      90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

                      SHA512

                      fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      273KB

                      MD5

                      67d588981512c4db6508225a1d7b1644

                      SHA1

                      baaa04249099b2faede5550e4410a82651f64d46

                      SHA256

                      90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

                      SHA512

                      fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      273KB

                      MD5

                      67d588981512c4db6508225a1d7b1644

                      SHA1

                      baaa04249099b2faede5550e4410a82651f64d46

                      SHA256

                      90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

                      SHA512

                      fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      273KB

                      MD5

                      67d588981512c4db6508225a1d7b1644

                      SHA1

                      baaa04249099b2faede5550e4410a82651f64d46

                      SHA256

                      90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

                      SHA512

                      fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\JKXD.TK
                      Filesize

                      1.5MB

                      MD5

                      91f53769ce7683539c24dbee102808b1

                      SHA1

                      4a6e5916446476ec8e8aeab14cd9b8bae252f981

                      SHA256

                      3e1a99a3db505aff6d1bd9e7d38016b0b5b8db4170b6e3c8b7876c9f67552ebe

                      SHA512

                      e043c23ed30d3c0bf2fccda4ee4a8f5f5c58535b072c3f030e64e8bec851e3ce47b5af2cee5e3e33cc364bb80ca84e33cbfa47c49cd337920369734a0ec772a7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\JKXd.TK
                      Filesize

                      1.5MB

                      MD5

                      91f53769ce7683539c24dbee102808b1

                      SHA1

                      4a6e5916446476ec8e8aeab14cd9b8bae252f981

                      SHA256

                      3e1a99a3db505aff6d1bd9e7d38016b0b5b8db4170b6e3c8b7876c9f67552ebe

                      SHA512

                      e043c23ed30d3c0bf2fccda4ee4a8f5f5c58535b072c3f030e64e8bec851e3ce47b5af2cee5e3e33cc364bb80ca84e33cbfa47c49cd337920369734a0ec772a7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll
                      Filesize

                      126KB

                      MD5

                      c0fd0167e213b6148333351bd16ed1fb

                      SHA1

                      1cfb2b42686557656dead53e02d1db3f2a848026

                      SHA256

                      c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

                      SHA512

                      d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll
                      Filesize

                      126KB

                      MD5

                      c0fd0167e213b6148333351bd16ed1fb

                      SHA1

                      1cfb2b42686557656dead53e02d1db3f2a848026

                      SHA256

                      c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

                      SHA512

                      d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

                      Download Submit

                    • memory/2120-156-0x0000000002D20000-0x0000000002E1D000-memory.dmp

                      Filesize

                      1012KB

                      Download

                    • memory/2120-161-0x0000000003100000-0x00000000031BB000-memory.dmp

                      Filesize

                      748KB

                      Download

                    • memory/2120-160-0x0000000003020000-0x00000000030F1000-memory.dmp

                      Filesize

                      836KB

                      Download

                    • memory/2120-164-0x0000000002F20000-0x000000000301B000-memory.dmp

                      Filesize

                      1004KB

                      Download

                    • memory/2120-162-0x0000000003100000-0x00000000031BB000-memory.dmp

                      Filesize

                      748KB

                      Download

                    • memory/2120-157-0x0000000002F20000-0x000000000301B000-memory.dmp

                      Filesize

                      1004KB

                      Download

                    • memory/2500-174-0x0000000000400000-0x000000000046E000-memory.dmp

                      Filesize

                      440KB

                      Download

                    • memory/2500-173-0x0000000000634000-0x0000000000653000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/3520-168-0x0000000000400000-0x000000000046E000-memory.dmp

                      Filesize

                      440KB

                      Download

                    • memory/3520-167-0x0000000000470000-0x0000000000570000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/4572-138-0x0000000000693000-0x00000000006B2000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/4572-139-0x00000000005E0000-0x000000000061E000-memory.dmp

                      Filesize

                      248KB

                      Download

                    • memory/4572-132-0x0000000000693000-0x00000000006B2000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/4572-137-0x0000000000400000-0x000000000046E000-memory.dmp

                      Filesize

                      440KB

                      Download

                    • memory/4572-133-0x00000000005E0000-0x000000000061E000-memory.dmp

                      Filesize

                      248KB

                      Download

                    • memory/4772-159-0x0000000000400000-0x000000000046E000-memory.dmp

                      Filesize

                      440KB

                      Download

                    • memory/4772-145-0x0000000000400000-0x000000000046E000-memory.dmp

                      Filesize

                      440KB

                      Download

                    • memory/4772-158-0x0000000000703000-0x0000000000722000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/4772-144-0x0000000000703000-0x0000000000722000-memory.dmp

                      Filesize

                      124KB

                      Download