Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/12/2022, 14:02

General

  • Target

    file.exe

  • Size

    296KB

  • MD5

    30aeab57a77e70661d66ca1e88afd5d3

  • SHA1

    db98ab1dfe9c4ab3540518d50946cc952405b77d

  • SHA256

    7779c572be883ee37c6265b984921dd635a3ec42c75647d4459b4b90b73697de

  • SHA512

    6d46409589149f765824a8e373d8e5a99e57f0d615f719d3106c595e29a5ef198414e1720911a8925d1e33b0327dd1cdb1d31a4ca71b5d627cecf91d6d68c7d6

  • SSDEEP

    6144:ohaCLwV2dOFSbNU/yjK5QAdCHPTn58xQ3xDPkMo5zXbAc:3CE4IWU/yjK+AAHrn58xaxDPyrbA

Malware Config

Extracted

Family

amadey

Version

3.63

C2

62.204.41.165/g8sjnd3xe/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Amadey credential stealer module 2 IoCs
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4860
  • C:\Users\Admin\AppData\Local\Temp\C161.exe
    C:\Users\Admin\AppData\Local\Temp\C161.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
      2⤵
      • Executes dropped EXE
      PID:4028
  • C:\Users\Admin\AppData\Local\Temp\C317.exe
    C:\Users\Admin\AppData\Local\Temp\C317.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3896
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • outlook_win_path
        PID:4276
  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    1⤵
    • Executes dropped EXE
    PID:668
  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    1⤵
    • Executes dropped EXE
    PID:952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C161.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\C161.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\C317.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\C317.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe

    Filesize

    235KB

    MD5

    1d641e8215a82151e8925673bfb171a1

    SHA1

    12885d250304d50920b79a00524250eaac5a7741

    SHA256

    5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445

    SHA512

    b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

    Filesize

    126KB

    MD5

    70134bf4d1cd851b382b2930a2e182ea

    SHA1

    8454d476c0d36564792b49be546593af3eab29f4

    SHA256

    5e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef

    SHA512

    1af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd

  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

    Filesize

    126KB

    MD5

    70134bf4d1cd851b382b2930a2e182ea

    SHA1

    8454d476c0d36564792b49be546593af3eab29f4

    SHA256

    5e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef

    SHA512

    1af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd

  • memory/4860-133-0x0000000000560000-0x0000000000569000-memory.dmp

    Filesize

    36KB

  • memory/4860-135-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/4860-134-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/4860-132-0x000000000059F000-0x00000000005B4000-memory.dmp

    Filesize

    84KB