Analysis
- max time kernel: 104s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 18/12/2022, 16:17
Static task: static1
Behavioral task behavioral1: sample file.exe, resource win7-20221111-en (all signatures and IoCs below come from this run)
Behavioral task behavioral2: sample file.exe, resource win10v2004-20220901-en
General
- Target: file.exe
- Size: 273KB
- MD5: aaf6a4fdb7162f10f0e4ad630fbd9eb7
- SHA1: 1437589d6703436f9fe0c594dad6e5bea2d55cc2
- SHA256: 293fe380f7aa9e0e4b0705f19fbb303bed8f05f8a5f073a911369d4dcbbc25df
- SHA512: 2ed5233900af562fbfc625ab591b38df4a588c28e80a719199e415d4470c0e4f9aa2362761c67602ac9ce3931b95dfed2253115c1bdb8d0b4711849251673b9e
- SSDEEP: 6144:RkLtSylHhayreRo+Z4cV72WYWzxq4f1FFa+JwjlVklPH:RkhSYBayiRB4cVaWrzB1FkoYlU
Malware Config
Extracted
- family: amadey
- version: 3.50
- C2 URL: 31.41.244.237/jg94cVd30f/index.php
Signatures
- Detect Amadey credential stealer module (6 IoCs)
  resource                                                                   yara_rule
  behavioral1/files/0x00060000000142d3-86.dat                                amadey_cred_module
  behavioral1/files/0x00060000000142d3-87.dat                                amadey_cred_module
  behavioral1/files/0x00060000000142d3-88.dat                                amadey_cred_module
  behavioral1/files/0x00060000000142d3-89.dat                                amadey_cred_module
  behavioral1/files/0x00060000000142d3-90.dat                                amadey_cred_module
  behavioral1/memory/1076-91-0x00000000001D0000-0x00000000001F4000-memory.dmp  amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  5     1076  rundll32.exe
- Executes dropped EXE (3 IoCs)
  pid   Process
  952   gntuud.exe
  1428  gntuud.exe
  1748  gntuud.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  604   file.exe (2 entries)
  1076  rundll32.exe (4 entries)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description  ioc                                                                                                                                                  Process
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; on this sample it fires alongside the Amadey credential-stealer module and the report records no file-encryption activity, so read it as drive enumeration by an infostealer, not as evidence of ransomware.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  660   schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1076  rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (51 IoCs)
  The original table repeats each parent/child pair several times; the rows below collapse the repeats, with target process names taken from the process tree. procid_target is the sandbox's internal process index, not the target PID.
  source pid  source process  target pid  target process  procid_target  entries
  604         file.exe        952         gntuud.exe      28             4
  952         gntuud.exe      660         schtasks.exe    29             4
  952         gntuud.exe      520         cmd.exe         31             4
  520         cmd.exe         1752        cmd.exe         33             4
  520         cmd.exe         108         cacls.exe       34             4
  520         cmd.exe         1884        cacls.exe       35             4
  520         cmd.exe         1876        cmd.exe         36             4
  520         cmd.exe         532         cacls.exe       37             4
  520         cmd.exe         892         cacls.exe       38             4
  1480        taskeng.exe     1428        gntuud.exe      42             4
  952         gntuud.exe      1076        rundll32.exe    43             7
  1480        taskeng.exe     1748        gntuud.exe      44             4
- outlook_win_path (1 IoC)
  Same IoC as "Accesses Microsoft Outlook profiles" above, reported under a second rule name: rundll32.exe (PID 1076) opened the key \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook.
Processes
Image paths are as the sandbox recorded them. The command lines name System32 while the images sit under SysWOW64 because the sample is 32-bit: WOW64 file system redirection maps System32 to SysWOW64 for 32-bit processes.

1. C:\Users\Admin\AppData\Local\Temp\file.exe (PID 604)
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe (PID 952)
      command line: "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 660)
         command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
         - Creates scheduled task(s)
      3. C:\Windows\SysWOW64\cmd.exe (PID 520)
         command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe (PID 1752): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
         4. C:\Windows\SysWOW64\cacls.exe (PID 108): CACLS "gntuud.exe" /P "Admin:N"
         4. C:\Windows\SysWOW64\cacls.exe (PID 1884): CACLS "gntuud.exe" /P "Admin:R" /E
         4. C:\Windows\SysWOW64\cmd.exe (PID 1876): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
         4. C:\Windows\SysWOW64\cacls.exe (PID 532): CACLS "..\9c69749b54" /P "Admin:N"
         4. C:\Windows\SysWOW64\cacls.exe (PID 892): CACLS "..\9c69749b54" /P "Admin:R" /E
      3. C:\Windows\SysWOW64\rundll32.exe (PID 1076)
         command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - outlook_win_path

1. C:\Windows\system32\taskeng.exe (PID 1480)
   command line: taskeng.exe {FFB3F19D-01B2-4A22-9EE1-FBA43B52328C} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe (PID 1428)
      command line: C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
      - Executes dropped EXE
   2. C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe (PID 1748)
      command line: C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
      - Executes dropped EXE

Reading the tree: file.exe copies itself to a random-named Temp subdirectory and runs the copy as gntuud.exe. That copy registers a scheduled task that re-launches it every minute (/SC MINUTE /MO 1); the two gntuud.exe instances under taskeng.exe, the Windows 7 Task Scheduler engine, are that task firing during the 104 s run. The cmd.exe line then locks the dropped file and its directory: CACLS /P replaces the ACL (the "echo Y|" answers its confirmation prompt), "Admin:N" leaves the Admin account with no access, and the second pass with /E edits Read back in, so the interactive user ends up read-only on its own persistence file. This only hinders casual deletion; an administrator can still take ownership and reset the ACL. Finally the copy launches the credential module through rundll32.exe, calling the Main export of cred64.dll from AppData\Roaming, which is the process that opens the Outlook profile key and makes the flagged network request.
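The chain above (minute-interval task from Temp, CACLS lockdown of the dropped file, rundll32 calling an export of a DLL under AppData, and a non-Outlook process opening the Outlook profile key) is easy to turn into host detection logic. The following is an added example, not code from the tria.ge report, from Amadey, or from any EDR product. It runs over events constructed from this report's process tree and registry IoC; the event schema (kind, pid, ppid, image, cmdline, target) is an assumption rather than a real Sysmon or EDR format, and a benign daily task is included as a control. The rules are written generally, matching any user, target file and task name rather than only Admin and gntuud.exe, so they go somewhat beyond the one sample shown here.

```python
"""Detection logic for the Amadey execution chain in this report.

Added example: not code from the tria.ge report, from Amadey or from any
EDR product. EVENTS is constructed from the report's process tree and
registry IoC; the field names are an assumed schema, not a real format.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (creation) or "registry" (key opened)
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    target: str = ""   # registry key path for "registry" events


# Constructed events reproducing the report's tree (PIDs as in the report),
# plus one benign control task (PID 2000) that must not fire.
EVENTS = [
    Event("process", 604, 1, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    Event("process", 952, 604, r"C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"'),
    Event("process", 660, 952, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe '
          r'/TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F'),
    Event("process", 520, 952, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"'
          r'&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"'
          r'&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit'),
    Event("process", 1076, 952, r"C:\Windows\SysWOW64\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main'),
    Event("registry", 1076, 952, r"C:\Windows\SysWOW64\rundll32.exe",
          target=r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft"
                 r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    Event("process", 2000, 1, r"C:\Windows\System32\schtasks.exe",
          r'schtasks /Create /SC DAILY /TN Updater /TR "C:\Program Files\Vendor\upd.exe"'),
]

# Paths a standard user can write to (%TEMP%, %APPDATA%), where this sample stages itself.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def rule_schtasks_minute(e: Event) -> bool:
    """Task re-run every minute whose action lives in a user-writable path."""
    c = e.cmdline
    return bool(e.image.lower().endswith("schtasks.exe")
                and re.search(r"/Create\b", c, re.I)
                and re.search(r"/SC\s+MINUTE\b", c, re.I)
                and USER_WRITABLE.search(c))


def rule_cacls_lockdown(e: Event) -> bool:
    """CACLS <x> /P user:N followed by CACLS <x> /P user:R /E on the same
    target: the read-only lockdown of a dropped payload seen in the report."""
    c = e.cmdline
    denied = set(re.findall(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', c, re.I))
    readded = set(re.findall(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):R"\s+/E', c, re.I))
    return bool(denied & readded)


def rule_rundll32_userdir(e: Event) -> bool:
    """rundll32 calling an export (here 'Main') of a DLL under AppData."""
    return bool(e.image.lower().endswith("rundll32.exe")
                and USER_WRITABLE.search(e.cmdline)
                and re.search(r"\.dll\s*,\s*\w+", e.cmdline, re.I))


OUTLOOK_PROFILE = r"\windows messaging subsystem\profiles\outlook"


def rule_outlook_profile(e: Event) -> bool:
    """Outlook profile key (mail account store) opened by something other than Outlook."""
    return bool(e.kind == "registry"
                and e.target.lower().endswith(OUTLOOK_PROFILE)
                and not e.image.lower().endswith("outlook.exe"))


RULES = {
    "minute-interval scheduled task from user-writable path": rule_schtasks_minute,
    "ACL lockdown of dropped payload (cacls :N then :R /E)": rule_cacls_lockdown,
    "rundll32 export call on DLL under AppData": rule_rundll32_userdir,
    "Outlook profile key opened by non-Outlook process": rule_outlook_profile,
}


def detect(events):
    """Return (rule name, pid) for every event that matches a rule."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


def chain_to_root(events, pid):
    """Follow ppid links so a LOLBin hit is attributed to the original dropper."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name}: pid {pid}, chain {chain_to_root(EVENTS, pid)}")
```

Against the constructed events the four rules fire once each, on PIDs 660, 520 and 1076 (twice), and chain_to_root walks each hit back through gntuud.exe (952) to file.exe (604), so an alert on the rundll32.exe LOLBin can be tied to the dropper. The taskeng.exe children in the report would not be caught by these rules, which is deliberate: the task creation, not its later firings, is the event worth alerting on.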
MITRE ATT&CK Enterprise v6
Downloads
The report lists 11 dropped-file entries, but by hash they are only two distinct files:

- 273KB (6 entries)
  MD5     aaf6a4fdb7162f10f0e4ad630fbd9eb7
  SHA1    1437589d6703436f9fe0c594dad6e5bea2d55cc2
  SHA256  293fe380f7aa9e0e4b0705f19fbb303bed8f05f8a5f073a911369d4dcbbc25df
  SHA512  2ed5233900af562fbfc625ab591b38df4a588c28e80a719199e415d4470c0e4f9aa2362761c67602ac9ce3931b95dfed2253115c1bdb8d0b4711849251673b9e
  Identical to the submitted file.exe, consistent with the self-copy that the process tree shows executing as ...\9c69749b54\gntuud.exe.

- 126KB (5 entries)
  MD5     c0fd0167e213b6148333351bd16ed1fb
  SHA1    1cfb2b42686557656dead53e02d1db3f2a848026
  SHA256  c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b
  SHA512  d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9
  The report does not name this file. Its five entries line up with the five amadey_cred_module YARA hits on behavioral1/files/0x00060000000142d3-86 through -90 and with the cred64.dll that rundll32.exe loads, so it is most likely the credential-stealer module; that is an inference from the report, not something it states.