Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    92s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/04/2023, 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11445b64ee1f6e8e4650851cae400ea8d75f3c31a1bec8773060b9d7a04c995e.exe

  • Size

    950KB

  • MD5

    0aa1a864e61004e985d15f40c0bcecbd

  • SHA1

    a3e319ff5929e756282569ba716d9e8269114100

  • SHA256

    11445b64ee1f6e8e4650851cae400ea8d75f3c31a1bec8773060b9d7a04c995e

  • SHA512

    d7fdd1f3c65cc8bc1224a34bd6aa8aadb373f48a164f5a08e1114c9dc6b582fee591e96a1447cff66861f7ec10960a74b8e16e5d11668ac69d7be095be6cc412

  • SSDEEP

    24576:MyO/slbW1UcBK6KZhsuCqFvdYmDpq/M5KVazjA7/:7M51UccBCIamDpqxa3A

Score
10/10
amadeydiscoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11445b64ee1f6e8e4650851cae400ea8d75f3c31a1bec8773060b9d7a04c995e.exe
    "C:\Users\Admin\AppData\Local\Temp\11445b64ee1f6e8e4650851cae400ea8d75f3c31a1bec8773060b9d7a04c995e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioN5089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioN5089.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zida1636.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zida1636.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368805.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368805.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4988
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr847244.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr847244.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp689160.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp689160.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:704
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr839897.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr839897.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:3964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 620
        3⤵
        • Program crash
        PID:2844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 700
        3⤵
        • Program crash
        PID:3984
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 840
        3⤵
        • Program crash
        PID:4460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 848
        3⤵
        • Program crash
        PID:60
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 876
        3⤵
        • Program crash
        PID:2180
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 884
        3⤵
        • Program crash
        PID:4988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1124
        3⤵
        • Program crash
        PID:3876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1164
        3⤵
        • Program crash
        PID:3880
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1132
        3⤵
        • Program crash
        PID:4568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr839897.exe
    Filesize

    390KB

    MD5

    5ed9270ca56d41db87987823290dfa15

    SHA1

    89f81232efb22eb536efd30fa52ed8710601b592

    SHA256

    74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054

    SHA512

    e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr839897.exe
    Filesize

    390KB

    MD5

    5ed9270ca56d41db87987823290dfa15

    SHA1

    89f81232efb22eb536efd30fa52ed8710601b592

    SHA256

    74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054

    SHA512

    e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioN5089.exe
    Filesize

    623KB

    MD5

    adeddafc9374aa73adb70739b442746a

    SHA1

    d746492e5f417aff78c4dbe60dd567e12178f747

    SHA256

    867c747a45050f7d3d438ec5ef6840c6c52b404f1e0cc54d7cf3082891416aed

    SHA512

    2dcc05fbbe061f20434c33c8b3089f89eebe1e9f84dd8bc7943dae6b207c32b1fc87da7966276759350a51031f71727a14be232a0fd7e1e4788736f682bc6fb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioN5089.exe
    Filesize

    623KB

    MD5

    adeddafc9374aa73adb70739b442746a

    SHA1

    d746492e5f417aff78c4dbe60dd567e12178f747

    SHA256

    867c747a45050f7d3d438ec5ef6840c6c52b404f1e0cc54d7cf3082891416aed

    SHA512

    2dcc05fbbe061f20434c33c8b3089f89eebe1e9f84dd8bc7943dae6b207c32b1fc87da7966276759350a51031f71727a14be232a0fd7e1e4788736f682bc6fb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp689160.exe
    Filesize

    136KB

    MD5

    9cb93acfb7e0e7c35bc9ca2f5dfd9d26

    SHA1

    5d19ace62f4100d0c69b913a136d7f37ca50c1ba

    SHA256

    6f1a0c1c4bf71d65261680109808c0f7748863eb25d793b22c5aecb9a778491f

    SHA512

    89a96d3013906c0da3c14c9fe3895441ee44e5e0cef38997936f7822d6bf789325347f35d8a339330e64c0c9b4b88ad5f1adff33c2a999bf9c28b93fdbbe80e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp689160.exe
    Filesize

    136KB

    MD5

    9cb93acfb7e0e7c35bc9ca2f5dfd9d26

    SHA1

    5d19ace62f4100d0c69b913a136d7f37ca50c1ba

    SHA256

    6f1a0c1c4bf71d65261680109808c0f7748863eb25d793b22c5aecb9a778491f

    SHA512

    89a96d3013906c0da3c14c9fe3895441ee44e5e0cef38997936f7822d6bf789325347f35d8a339330e64c0c9b4b88ad5f1adff33c2a999bf9c28b93fdbbe80e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zida1636.exe
    Filesize

    468KB

    MD5

    fef45942727c8f5dbb4bb1dad5cfc6fc

    SHA1

    de7017a95f6fc9912abe76661b46166a2dc6bcaf

    SHA256

    1057fb1ebf4c464e1020a0aa91e02b741d6d68a2bf3e949810a465fa96fdefe0

    SHA512

    c57b57f9b79d1f7883181d33a09d783846ade410bcc9aa6c3cc03bb6309253b916dc042ff93691de9cfb508a3ad081f1a2e3c92016795c71d64d5989ce935c28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zida1636.exe
    Filesize

    468KB

    MD5

    fef45942727c8f5dbb4bb1dad5cfc6fc

    SHA1

    de7017a95f6fc9912abe76661b46166a2dc6bcaf

    SHA256

    1057fb1ebf4c464e1020a0aa91e02b741d6d68a2bf3e949810a465fa96fdefe0

    SHA512

    c57b57f9b79d1f7883181d33a09d783846ade410bcc9aa6c3cc03bb6309253b916dc042ff93691de9cfb508a3ad081f1a2e3c92016795c71d64d5989ce935c28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368805.exe
    Filesize

    12KB

    MD5

    fcf7c6340707f582e561faaaaba95b55

    SHA1

    53dd28821a141f314bfbe2243c1561401466cc1e

    SHA256

    36474df79e8e5733dd915c62ace7d7e0a57cf3b7a68efd1df4f49d08f5800bdc

    SHA512

    f311ddcb7df9d446b7bb1ae25aa86200f9f0fd3a95dbf02233baa13548b870493bef294c05890cd15c3c5017176d08aef0154163c781aeb7b626f4c3abf6bb25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it368805.exe
    Filesize

    12KB

    MD5

    fcf7c6340707f582e561faaaaba95b55

    SHA1

    53dd28821a141f314bfbe2243c1561401466cc1e

    SHA256

    36474df79e8e5733dd915c62ace7d7e0a57cf3b7a68efd1df4f49d08f5800bdc

    SHA512

    f311ddcb7df9d446b7bb1ae25aa86200f9f0fd3a95dbf02233baa13548b870493bef294c05890cd15c3c5017176d08aef0154163c781aeb7b626f4c3abf6bb25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr847244.exe
    Filesize

    481KB

    MD5

    a0ee98cf8abe3ef95882e44e1910b288

    SHA1

    a37529d4a22b62daf175afcc265d3864106a8ba8

    SHA256

    0331e0a8a88bda4e9669c9d75039c7e25b1467058497948b19998fef4648c906

    SHA512

    9ee038c7b068bfd8ccb634e3c808d5d88355ca3cdff61e278a9ed0094809f80e9c92236a56f35c4723b81bcaee30c87af8728b5a5c72074f079d6b7604158c11

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr847244.exe
    Filesize

    481KB

    MD5

    a0ee98cf8abe3ef95882e44e1910b288

    SHA1

    a37529d4a22b62daf175afcc265d3864106a8ba8

    SHA256

    0331e0a8a88bda4e9669c9d75039c7e25b1467058497948b19998fef4648c906

    SHA512

    9ee038c7b068bfd8ccb634e3c808d5d88355ca3cdff61e278a9ed0094809f80e9c92236a56f35c4723b81bcaee30c87af8728b5a5c72074f079d6b7604158c11

    Download Submit

  • memory/704-964-0x0000000000020000-0x0000000000048000-memory.dmp

    Filesize

    160KB

    Download

  • memory/704-965-0x0000000006DC0000-0x0000000006E0B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/704-966-0x0000000006D30000-0x0000000006D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2060-182-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-198-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-151-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-153-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-155-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-157-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-159-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-161-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-163-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-165-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-167-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-169-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-171-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-174-0x0000000004F50000-0x0000000004F60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2060-173-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-178-0x0000000004F50000-0x0000000004F60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2060-177-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-175-0x0000000004F50000-0x0000000004F60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2060-180-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-149-0x0000000002A40000-0x0000000002A7A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2060-184-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-186-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-188-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-190-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-192-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-194-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-196-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-150-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-200-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-202-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-204-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-206-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-208-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-210-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-212-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-214-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-216-0x0000000002A40000-0x0000000002A75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2060-945-0x0000000007DF0000-0x00000000083F6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2060-946-0x0000000007850000-0x0000000007862000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2060-947-0x0000000007880000-0x000000000798A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2060-948-0x00000000079A0000-0x00000000079DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2060-949-0x0000000007A20000-0x0000000007A6B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2060-950-0x0000000004F50000-0x0000000004F60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2060-951-0x0000000007CB0000-0x0000000007D16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2060-952-0x0000000008980000-0x0000000008A12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2060-953-0x0000000008A20000-0x0000000008A70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2060-148-0x0000000004F60000-0x000000000545E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2060-147-0x0000000002880000-0x00000000028BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2060-146-0x00000000008F0000-0x0000000000936000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2060-954-0x0000000008A90000-0x0000000008B06000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2060-955-0x0000000008B70000-0x0000000008D32000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2060-956-0x0000000008D40000-0x000000000926C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2060-957-0x0000000009390000-0x00000000093AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3964-972-0x0000000000900000-0x000000000093B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/4988-140-0x0000000000140000-0x000000000014A000-memory.dmp

    Filesize

    40KB

    Download