Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
27/12/2022, 14:02
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
General
-
Target
file.exe
-
Size
296KB
-
MD5
30aeab57a77e70661d66ca1e88afd5d3
-
SHA1
db98ab1dfe9c4ab3540518d50946cc952405b77d
-
SHA256
7779c572be883ee37c6265b984921dd635a3ec42c75647d4459b4b90b73697de
-
SHA512
6d46409589149f765824a8e373d8e5a99e57f0d615f719d3106c595e29a5ef198414e1720911a8925d1e33b0327dd1cdb1d31a4ca71b5d627cecf91d6d68c7d6
-
SSDEEP
6144:ohaCLwV2dOFSbNU/yjK5QAdCHPTn58xQ3xDPkMo5zXbAc:3CE4IWU/yjK+AAHrn58xaxDPyrbA
Malware Config
Extracted
amadey
3.63
62.204.41.165/g8sjnd3xe/index.php
Signatures
-
Detect Amadey credential stealer module 2 IoCs
resource yara_rule behavioral2/files/0x000300000001ea97-151.dat amadey_cred_module behavioral2/files/0x000300000001ea97-152.dat amadey_cred_module -
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral2/memory/4860-133-0x0000000000560000-0x0000000000569000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 43 4276 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
pid Process 4304 C161.exe 444 C317.exe 228 nbveek.exe 4028 nbveek.exe 668 nbveek.exe 952 nbveek.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C161.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C317.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation nbveek.exe -
Loads dropped DLL 1 IoCs
pid Process 4276 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3896 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4860 file.exe 4860 file.exe 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found 764 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 764 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4860 file.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 764 Process not Found Token: SeCreatePagefilePrivilege 764 Process not Found Token: SeShutdownPrivilege 764 Process not Found Token: SeCreatePagefilePrivilege 764 Process not Found -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 764 wrote to memory of 4304 764 Process not Found 88 PID 764 wrote to memory of 4304 764 Process not Found 88 PID 764 wrote to memory of 4304 764 Process not Found 88 PID 764 wrote to memory of 444 764 Process not Found 89 PID 764 wrote to memory of 444 764 Process not Found 89 PID 764 wrote to memory of 444 764 Process not Found 89 PID 444 wrote to memory of 228 444 C317.exe 90 PID 444 wrote to memory of 228 444 C317.exe 90 PID 444 wrote to memory of 228 444 C317.exe 90 PID 4304 wrote to memory of 4028 4304 C161.exe 91 PID 4304 wrote to memory of 4028 4304 C161.exe 91 PID 4304 wrote to memory of 4028 4304 C161.exe 91 PID 228 wrote to memory of 3896 228 nbveek.exe 92 PID 228 wrote to memory of 3896 228 nbveek.exe 92 PID 228 wrote to memory of 3896 228 nbveek.exe 92 PID 228 wrote to memory of 4276 228 nbveek.exe 96 PID 228 wrote to memory of 4276 228 nbveek.exe 96 PID 228 wrote to memory of 4276 228 nbveek.exe 96 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4860
-
C:\Users\Admin\AppData\Local\Temp\C161.exeC:\Users\Admin\AppData\Local\Temp\C161.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"2⤵
- Executes dropped EXE
PID:4028
-
-
C:\Users\Admin\AppData\Local\Temp\C317.exeC:\Users\Admin\AppData\Local\Temp\C317.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe" /F3⤵
- Creates scheduled task(s)
PID:3896
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4276
-
-
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exeC:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe1⤵
- Executes dropped EXE
PID:668
-
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exeC:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe1⤵
- Executes dropped EXE
PID:952
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
235KB
MD51d641e8215a82151e8925673bfb171a1
SHA112885d250304d50920b79a00524250eaac5a7741
SHA2565882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
SHA512b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce
-
Filesize
126KB
MD570134bf4d1cd851b382b2930a2e182ea
SHA18454d476c0d36564792b49be546593af3eab29f4
SHA2565e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef
SHA5121af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd
-
Filesize
126KB
MD570134bf4d1cd851b382b2930a2e182ea
SHA18454d476c0d36564792b49be546593af3eab29f4
SHA2565e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef
SHA5121af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd