Analysis
max time kernel
117s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted
29/12/2022, 05:47
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220901-en
General
Target
file.exe
Size
338KB
MD5
fe641225d44e5c64bac142415f5e2ca9
SHA1
bb52078f856857af809aab239b5462da2e0e9e39
SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae
SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276
SSDEEP
6144:CWUH4LEwjG5BeT56lcqeMy8v3lbviynvyh8slw7n1HbwZoV9J:2YowjG58ycl+lxnqh80w7
Malware Config
Extracted
amadey
3.63
62.204.41.17/8bdSvcD/index.php
Signatures
Detect Amadey credential stealer module 4 IoCs
resource yara_rule
behavioral2/files/0x000b00000001f020-149.dat amadey_cred_module
behavioral2/memory/3740-152-0x0000000000610000-0x0000000000634000-memory.dmp amadey_cred_module
behavioral2/files/0x000b00000001f020-151.dat amadey_cred_module
behavioral2/files/0x000b00000001f020-150.dat amadey_cred_module
Blocklisted process makes network request 1 IoCs
flow pid Process
40 3740 rundll32.exe
Executes dropped EXE 3 IoCs
pid Process
2324 nbveek.exe
4364 nbveek.exe
3652 nbveek.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation file.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation nbveek.exe
Loads dropped DLL 2 IoCs
pid Process
3740 rundll32.exe
3740 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 24 IoCs
pid pid_target Process procid_target
796 4864 WerFault.exe 81
5112 4864 WerFault.exe 81
5076 4864 WerFault.exe 81
2208 4864 WerFault.exe 81
3116 4864 WerFault.exe 81
220 4864 WerFault.exe 81
3108 4864 WerFault.exe 81
1100 2324 WerFault.exe 97
3840 2324 WerFault.exe 97
3936 2324 WerFault.exe 97
3960 2324 WerFault.exe 97
4412 2324 WerFault.exe 97
3584 2324 WerFault.exe 97
4084 2324 WerFault.exe 97
920 2324 WerFault.exe 97
4228 2324 WerFault.exe 97
524 2324 WerFault.exe 97
4768 2324 WerFault.exe 97
3804 2324 WerFault.exe 97
3908 4364 WerFault.exe 130
1008 2324 WerFault.exe 97
616 2324 WerFault.exe 97
5108 2324 WerFault.exe 97
2636 3652 WerFault.exe 140
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1992 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
3740 rundll32.exe
3740 rundll32.exe
3740 rundll32.exe
3740 rundll32.exe
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 4864 wrote to memory of 2324 4864 file.exe 97
PID 4864 wrote to memory of 2324 4864 file.exe 97
PID 4864 wrote to memory of 2324 4864 file.exe 97
PID 2324 wrote to memory of 1992 2324 nbveek.exe 117
PID 2324 wrote to memory of 1992 2324 nbveek.exe 117
PID 2324 wrote to memory of 1992 2324 nbveek.exe 117
PID 2324 wrote to memory of 3740 2324 nbveek.exe 135
PID 2324 wrote to memory of 3740 2324 nbveek.exe 135
PID 2324 wrote to memory of 3740 2324 nbveek.exe 135
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4864
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 896
    - Program crash
    PID:796
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 924
    - Program crash
    PID:5112
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 908
    - Program crash
    PID:5076
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1076
    - Program crash
    PID:2208
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 900
    - Program crash
    PID:3116
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 924
    - Program crash
    PID:220
  C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2324
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 584
      - Program crash
      PID:1100
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 708
      - Program crash
      PID:3840
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 784
      - Program crash
      PID:3936
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952
      - Program crash
      PID:3960
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952
      - Program crash
      PID:4412
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952
      - Program crash
      PID:3584
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1020
      - Program crash
      PID:4084
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe" /F
      - Creates scheduled task(s)
      PID:1992
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 912
      - Program crash
      PID:920
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 668
      - Program crash
      PID:4228
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 652
      - Program crash
      PID:524
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1228
      - Program crash
      PID:4768
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 988
      - Program crash
      PID:3804
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1512
      - Program crash
      PID:1008
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
      PID:3740
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1004
      - Program crash
      PID:616
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1528
      - Program crash
      PID:5108
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 864
    - Program crash
    PID:3108
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4864 -ip 4864
  PID:3264
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4864 -ip 4864
  PID:1376
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4864 -ip 4864
  PID:2300
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4864 -ip 4864
  PID:3844
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4864 -ip 4864
  PID:4268
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4864 -ip 4864
  PID:4844
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4864 -ip 4864
  PID:3396
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2324 -ip 2324
  PID:812
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2324 -ip 2324
  PID:2420
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2324 -ip 2324
  PID:4148
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2324 -ip 2324
  PID:4720
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2324 -ip 2324
  PID:4848
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2324 -ip 2324
  PID:4900
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2324 -ip 2324
  PID:5088
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2324 -ip 2324
  PID:5044
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2324 -ip 2324
  PID:2432
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2324 -ip 2324
  PID:4564
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2324 -ip 2324
  PID:1832
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2324 -ip 2324
  PID:2280
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
  - Executes dropped EXE
  PID:4364
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 320
    - Program crash
    PID:3908
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4364 -ip 4364
  PID:1072
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2324 -ip 2324
  PID:3928
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2324 -ip 2324
  PID:1520
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2324 -ip 2324
  PID:792
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
  - Executes dropped EXE
  PID:3652
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 312
    - Program crash
    PID:2636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3652 -ip 3652
  PID:1784
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
338KB
MD5
fe641225d44e5c64bac142415f5e2ca9
SHA1
bb52078f856857af809aab239b5462da2e0e9e39
SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae
SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276
-
Filesize
338KB
MD5
fe641225d44e5c64bac142415f5e2ca9
SHA1
bb52078f856857af809aab239b5462da2e0e9e39
SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae
SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276
-
Filesize
338KB
MD5
fe641225d44e5c64bac142415f5e2ca9
SHA1
bb52078f856857af809aab239b5462da2e0e9e39
SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae
SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276
-
Filesize
338KB
MD5
fe641225d44e5c64bac142415f5e2ca9
SHA1
bb52078f856857af809aab239b5462da2e0e9e39
SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae
SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276
-
Filesize
126KB
MD5
9cb722f11d688872348be236f8e5d149
SHA1
e54f80b631c1931b574baf6953a3948fe3d7d354
SHA256
53bb660c1ae533d41b887a771ab2d8a2f73320c4d1441448c4bf75dfbc875321
SHA512
52e318939fd63c89ee8f92b3c7e17f08919f6a5ac229418a6f0678daad9a3f285f121ad4aab7ef4bb575d368c989fc02e07a654b919f9bb1ba7fe7a9c5c37774
-
Filesize
126KB
MD5
9cb722f11d688872348be236f8e5d149
SHA1
e54f80b631c1931b574baf6953a3948fe3d7d354
SHA256
53bb660c1ae533d41b887a771ab2d8a2f73320c4d1441448c4bf75dfbc875321
SHA512
52e318939fd63c89ee8f92b3c7e17f08919f6a5ac229418a6f0678daad9a3f285f121ad4aab7ef4bb575d368c989fc02e07a654b919f9bb1ba7fe7a9c5c37774
-
Filesize
126KB
MD5
9cb722f11d688872348be236f8e5d149
SHA1
e54f80b631c1931b574baf6953a3948fe3d7d354
SHA256
53bb660c1ae533d41b887a771ab2d8a2f73320c4d1441448c4bf75dfbc875321
SHA512
52e318939fd63c89ee8f92b3c7e17f08919f6a5ac229418a6f0678daad9a3f285f121ad4aab7ef4bb575d368c989fc02e07a654b919f9bb1ba7fe7a9c5c37774