Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
03/03/2023, 17:36
General
-
Target
5014075ef48f489c4c419cf037358d559cdee48e27ca534006a30ebad7419c06.exe
-
Size
874KB
-
MD5
16310bc735af1819cf5788ce256ebd54
-
SHA1
36a3e294942c8da3f7a65f4a82eda5b76c28cda7
-
SHA256
5014075ef48f489c4c419cf037358d559cdee48e27ca534006a30ebad7419c06
-
SHA512
04314fb8c1eaad4b136818435a7fb0d7c85a654df627167bd1ab2ff87f2f8c0abefb9cece1cb0729c59c6adc7aef787c6858f788887abe205d0476ce977f12b5
-
SSDEEP
12288:AMrty90g0LAzE2OtrwLNfAqtUC9uL1LEXLzuUkaF3vF+RGlmlrHlg6x906qbNvCt:9yJqCEuNfAP5OO1slITLx9qJyaEHfF3
Malware Config
Extracted
redline
rosto
hueref.eu:4162
-
auth_value
07d81eba8cad42bbd0ae60042d48eac6
Extracted
amadey
3.68
193.233.20.25/buH5N004d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5014075ef48f489c4c419cf037358d559cdee48e27ca534006a30ebad7419c06.exe"C:\Users\Admin\AppData\Local\Temp\5014075ef48f489c4c419cf037358d559cdee48e27ca534006a30ebad7419c06.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptaM9286Mv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptaM9286Mv.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptlt4212Pi.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptlt4212Pi.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beKa57es06.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beKa57es06.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctMh12SP41.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctMh12SP41.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk52Wb01Gg49.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk52Wb01Gg49.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxTA89yH08.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxTA89yH08.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
687KB
MD5773df361f9b163eff18972c3a897addc
SHA17a0f735e1229e7333d37a1f71db821b1eb6baf25
SHA256453b479c0f2fbe2d05243cb4655144435326ce88bdf9d4d7d95c161193407f25
SHA512236d718b00cf04e47ef98fcaa95f02a7452ca3ba1836a85d7326157188159bbe6fc52b8ec0f6bc9166c6c66e0c5428be858e18ec3655c43e4a22d29e3a93ad61
-
Filesize
687KB
MD5773df361f9b163eff18972c3a897addc
SHA17a0f735e1229e7333d37a1f71db821b1eb6baf25
SHA256453b479c0f2fbe2d05243cb4655144435326ce88bdf9d4d7d95c161193407f25
SHA512236d718b00cf04e47ef98fcaa95f02a7452ca3ba1836a85d7326157188159bbe6fc52b8ec0f6bc9166c6c66e0c5428be858e18ec3655c43e4a22d29e3a93ad61
-
Filesize
317KB
MD5951fa5356ac288731a279778680760cb
SHA1ec2e18c615f5818742d946582d64e32bb88dbfbb
SHA256f5f7055115e81907accaf5c574e871f2c009da8163df4d5930af1563f4f5b175
SHA512b8385866f94ab644ad455571866080250acb23cb1d19208ec58cf316524e0b6c419620622c0fe0591b1ff0e3ee5a8e50a39ed0bc4a792ba4b9b903b0ed83d1c4
-
Filesize
317KB
MD5951fa5356ac288731a279778680760cb
SHA1ec2e18c615f5818742d946582d64e32bb88dbfbb
SHA256f5f7055115e81907accaf5c574e871f2c009da8163df4d5930af1563f4f5b175
SHA512b8385866f94ab644ad455571866080250acb23cb1d19208ec58cf316524e0b6c419620622c0fe0591b1ff0e3ee5a8e50a39ed0bc4a792ba4b9b903b0ed83d1c4
-
Filesize
344KB
MD54d728256da5f89c697ffe3d27c45d0e2
SHA107bde721ab7f50fd58c9ebea6da91f0eaeb465a1
SHA25689f9df8c814644e956bca2e9e5e40c181110281cfa193e4c09694acf0fb3f740
SHA5121c1a2c0ba575aa304967af1994b8c6b32da78a9becdcfd0cd672bc23fa6903b450a45c82b57508e9cab5c84033e6a77f5ed559b6b842f87d0d0cae787412d5be
-
Filesize
344KB
MD54d728256da5f89c697ffe3d27c45d0e2
SHA107bde721ab7f50fd58c9ebea6da91f0eaeb465a1
SHA25689f9df8c814644e956bca2e9e5e40c181110281cfa193e4c09694acf0fb3f740
SHA5121c1a2c0ba575aa304967af1994b8c6b32da78a9becdcfd0cd672bc23fa6903b450a45c82b57508e9cab5c84033e6a77f5ed559b6b842f87d0d0cae787412d5be
-
Filesize
259KB
MD56bc8513cf7109e5ac11a3ce08bd4aa75
SHA1c3ac687b5f1622ede490ea7503900c5fa192fd25
SHA2565c740441af175fbb77d481aebd50b3598b387dabaf576e5607c0e5866f62c729
SHA512b6e62cdbb3bb1dfd09ddab7f2befdd8225c61e143adcd20a9f23e38992057e3cc89e08370a36f5f1a2c9162f3498d7d6dfe025e1c783efb75380760ecfa6ae0a
-
Filesize
259KB
MD56bc8513cf7109e5ac11a3ce08bd4aa75
SHA1c3ac687b5f1622ede490ea7503900c5fa192fd25
SHA2565c740441af175fbb77d481aebd50b3598b387dabaf576e5607c0e5866f62c729
SHA512b6e62cdbb3bb1dfd09ddab7f2befdd8225c61e143adcd20a9f23e38992057e3cc89e08370a36f5f1a2c9162f3498d7d6dfe025e1c783efb75380760ecfa6ae0a
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
300KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.0MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
180KB