Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

0x00080000...69.exe

windows7-x64

10

0x00080000...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2023, 04:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x00080000000122f6-1069.exe

  • Size

    226KB

  • MD5

    b83d2ac2529a2a414c1e45c47cefcde5

  • SHA1

    e5759ba0f2af222c68d4bf6ee988e77d0b468934

  • SHA256

    40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

  • SHA512

    b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

  • SSDEEP

    6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

3.68

C2

31.41.244.200/games/category/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x00080000000122f6-1069.exe
    "C:\Users\Admin\AppData\Local\Temp\0x00080000000122f6-1069.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
      "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:1164
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "metafor.exe" /P "Admin:N"
            4⤵
              PID:1144
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "metafor.exe" /P "Admin:R" /E
              4⤵
                PID:1108
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:1680
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\5975271bda" /P "Admin:N"
                  4⤵
                    PID:880
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\5975271bda" /P "Admin:R" /E
                    4⤵
                      PID:832
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {A7982665-187D-4884-A72E-BC2BB96366FE} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:1380
                • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                  C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1800
                • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                  C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                  2⤵
                  • Executes dropped EXE
                  PID:588

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                Filesize

                226KB

                MD5

                b83d2ac2529a2a414c1e45c47cefcde5

                SHA1

                e5759ba0f2af222c68d4bf6ee988e77d0b468934

                SHA256

                40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

                SHA512

                b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                Filesize

                226KB

                MD5

                b83d2ac2529a2a414c1e45c47cefcde5

                SHA1

                e5759ba0f2af222c68d4bf6ee988e77d0b468934

                SHA256

                40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

                SHA512

                b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                Filesize

                226KB

                MD5

                b83d2ac2529a2a414c1e45c47cefcde5

                SHA1

                e5759ba0f2af222c68d4bf6ee988e77d0b468934

                SHA256

                40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

                SHA512

                b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                Filesize

                226KB

                MD5

                b83d2ac2529a2a414c1e45c47cefcde5

                SHA1

                e5759ba0f2af222c68d4bf6ee988e77d0b468934

                SHA256

                40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

                SHA512

                b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                Filesize

                226KB

                MD5

                b83d2ac2529a2a414c1e45c47cefcde5

                SHA1

                e5759ba0f2af222c68d4bf6ee988e77d0b468934

                SHA256

                40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

                SHA512

                b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

                Download Submit

              • \Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
                Filesize

                226KB

                MD5

                b83d2ac2529a2a414c1e45c47cefcde5

                SHA1

                e5759ba0f2af222c68d4bf6ee988e77d0b468934

                SHA256

                40c31618efd6d6a2e8cdb543c4356ba4d9b7403e15d3ef9efa8ea0ef3b6408e9

                SHA512

                b76fceffe3137ddd54318b48106911cf8c2bf0b8b1b9b3a0b1771dd6494261f2fe2530f8ddb1c2d4a71b76546eb172498eb339990a434011a667057627280570

                Download Submit