Analysis
- max time kernel: 116s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2022, 00:26
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 273KB
- MD5: 67d588981512c4db6508225a1d7b1644
- SHA1: baaa04249099b2faede5550e4410a82651f64d46
- SHA256: 90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334
- SHA512: fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b
- SSDEEP: 6144:329dkLiUR5PW5BRGhSPLETPNCxZWT4x6hng3CDNLU0V6:329i28e5fVPLELzT4whgS54O
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 31.41.244.237/jg94cVd30f/index.php
Signatures
- Detect Amadey credential stealer module (2 IoCs)
  resource | yara_rule:
  - behavioral2/files/0x000a000000022db4-170.dat | amadey_cred_module
  - behavioral2/files/0x000a000000022db4-171.dat | amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process:
  - 33 | 2144 | rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  pid | Process:
  - 4772 | gntuud.exe
  - 4868 | linda5.exe
  - 3520 | gntuud.exe
  - 2500 | gntuud.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process:
  - Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | gntuud.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | linda5.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | file.exe
- Loads dropped DLL (2 IoCs)
  pid | Process:
  - 2120 | msiexec.exe
  - 2144 | rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description | ioc | Process:
  - Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process:
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\linda5.exe" | gntuud.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  pid | pid_target | Process | procid_target:
  - 2696 | 4572 | WerFault.exe | 78
  - 3020 | 3520 | WerFault.exe | 102
  - 4568 | 2500 | WerFault.exe | 106
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process:
  - 2560 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process:
  - 2144 | rundll32.exe (recorded 4 times)
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target (each row was recorded 3 times):
  - PID 4572 wrote to memory of 4772 | 4572 | file.exe | 81
  - PID 4772 wrote to memory of 2560 | 4772 | gntuud.exe | 85
  - PID 4772 wrote to memory of 1792 | 4772 | gntuud.exe | 87
  - PID 1792 wrote to memory of 1916 | 1792 | cmd.exe | 89
  - PID 1792 wrote to memory of 4188 | 1792 | cmd.exe | 90
  - PID 1792 wrote to memory of 224 | 1792 | cmd.exe | 91
  - PID 1792 wrote to memory of 4136 | 1792 | cmd.exe | 92
  - PID 1792 wrote to memory of 4228 | 1792 | cmd.exe | 93
  - PID 1792 wrote to memory of 1152 | 1792 | cmd.exe | 94
  - PID 4772 wrote to memory of 4868 | 4772 | gntuud.exe | 96
  - PID 4868 wrote to memory of 2120 | 4868 | linda5.exe | 97
  - PID 4772 wrote to memory of 2144 | 4772 | gntuud.exe | 105
- outlook_win_path (1 IoC)
  description | ioc | Process:
  - Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe (PID 4772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2560)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 1792)
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1916)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 4188)
        Command line: CACLS "gntuud.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 224)
        Command line: CACLS "gntuud.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe (PID 4136)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 4228)
        Command line: CACLS "..\9c69749b54" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 1152)
        Command line: CACLS "..\9c69749b54" /P "Admin:R" /E
    - C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe (PID 4868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msiexec.exe (PID 2120)
        Command line: "C:\Windows\System32\msiexec.exe" /y .\JKXD.TK
        - Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe (PID 2144)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (PID 2696)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1220
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4844)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4572 -ip 4572
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe (PID 3520)
  Command line: C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 3020)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 416
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4100)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3520 -ip 3520
- C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe (PID 2500)
  Command line: C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 4568)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 416
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4756)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2500 -ip 2500
Network
MITRE ATT&CK Enterprise v6
Downloads