Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
123s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
26/03/2023, 15:20
General
-
Target
0x00080000000122e6-1069.exe
-
Size
226KB
-
MD5
d6e9b7a43836a7de3b47450c77eb2e12
-
SHA1
22b24298231f07c05fe057f2c5ee0e973260b6b4
-
SHA256
7c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
-
SHA512
0adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
SSDEEP
6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg
Malware Config
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x00080000000122e6-1069.exe"C:\Users\Admin\AppData\Local\Temp\0x00080000000122e6-1069.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E4⤵
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CB380C0F-6EDA-44DA-B82F-FF6E4A6BDCDE} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
-
Filesize
226KB
MD5d6e9b7a43836a7de3b47450c77eb2e12
SHA122b24298231f07c05fe057f2c5ee0e973260b6b4
SHA2567c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
SHA5120adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08