Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
04/05/2023, 19:05
General
-
Target
9c8d1052af88893b22efe30872b7ceb7c4d565edb7784085d033a0fee0907901.exe
-
Size
695KB
-
MD5
105c79010ad3256314f491bd52d1fd38
-
SHA1
e493dbfce758572d5cac732bcbe65623e7947dd6
-
SHA256
9c8d1052af88893b22efe30872b7ceb7c4d565edb7784085d033a0fee0907901
-
SHA512
a7327ec8bea5bb46ba47a555aa4cdc872eb6d75b9bb56a93225f91278173224411ffd37a44829c37616ad46901eb92833a0e5b8bba63d1a38c795b8cc748b1b2
-
SSDEEP
12288:jMr/y90Q4M46hh0NoPSFTvxW0HuZpGWCoJ0reus:MyTlPhYjlBtneus
Malware Config
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c8d1052af88893b22efe30872b7ceb7c4d565edb7784085d033a0fee0907901.exe"C:\Users\Admin\AppData\Local\Temp\9c8d1052af88893b22efe30872b7ceb7c4d565edb7784085d033a0fee0907901.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7613274.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7613274.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9807227.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9807227.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3883606.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3883606.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6238973.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6238973.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4420927.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4420927.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2860752.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2860752.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
229KB
MD542fbe898a1a99e4e0dfed198141ee7a3
SHA1fa57241db32a60b6fafb5c7ad9dc18f35ba495f8
SHA2564093de432311672168da6013c01d0b19fd293422b2d97e0f0294b86428cebaa7
SHA5123c7f11f6267de732d4afd515dd27b99452a0d28e5bbf75edad17f08f310121d7eff339196311f5fb5e1622d46bb878edb82dc955902cbcc03b50fcffbf2cc453
-
Filesize
512KB
MD513f87222fc09aa66ebb6b5a41bfdf428
SHA19e75796d9b717184358ec089dc9a94130e161aa0
SHA256fd253f2bd4a711cbf995e7fac4027b922b183201257e25e9c63c8c6d3d4b3a10
SHA51235fe48a042c39dd6e9b820f625468ead49c4d423410dcd682e2e4fcfd86e58105ae2f660794252f4776d8563599162e0ea8e70c4ba57ac14959b3384e5051c37
-
Filesize
512KB
MD513f87222fc09aa66ebb6b5a41bfdf428
SHA19e75796d9b717184358ec089dc9a94130e161aa0
SHA256fd253f2bd4a711cbf995e7fac4027b922b183201257e25e9c63c8c6d3d4b3a10
SHA51235fe48a042c39dd6e9b820f625468ead49c4d423410dcd682e2e4fcfd86e58105ae2f660794252f4776d8563599162e0ea8e70c4ba57ac14959b3384e5051c37
-
Filesize
176KB
MD560fafedb995db2c1c90aa34191f88376
SHA17769873b81af2a3fc7527e9b377abee4909ab43c
SHA25614aae8ef811596308657b60c7568b028ff1f0aefab2a650b4427cfafeea8c338
SHA5120f89d210a6dcb69fcd4e762aa214120cdfdc6147418d9c202408cba441ab853d82215a5c4505e38bfb283a7cf3668876bd7b0389a4a08c354479d88cea0eb15a
-
Filesize
176KB
MD560fafedb995db2c1c90aa34191f88376
SHA17769873b81af2a3fc7527e9b377abee4909ab43c
SHA25614aae8ef811596308657b60c7568b028ff1f0aefab2a650b4427cfafeea8c338
SHA5120f89d210a6dcb69fcd4e762aa214120cdfdc6147418d9c202408cba441ab853d82215a5c4505e38bfb283a7cf3668876bd7b0389a4a08c354479d88cea0eb15a
-
Filesize
308KB
MD5f78ebaf3630aac1a84f9d908a1ae2c52
SHA132e2e3dfd90d3a30ff2b930edc89fd715ea1ab3c
SHA2569115f64b5a5f93ce2609579eb6d86e06f21c6500a13bbbf99e7391ba020414d5
SHA512bda499c899fc101bc020869f7de06e0883ae0928cf9c439826b2f0b32e2cab10756d6e8599eb2014205672660921875ffa3d60fdf169fc3bd175dd1eae29dec5
-
Filesize
308KB
MD5f78ebaf3630aac1a84f9d908a1ae2c52
SHA132e2e3dfd90d3a30ff2b930edc89fd715ea1ab3c
SHA2569115f64b5a5f93ce2609579eb6d86e06f21c6500a13bbbf99e7391ba020414d5
SHA512bda499c899fc101bc020869f7de06e0883ae0928cf9c439826b2f0b32e2cab10756d6e8599eb2014205672660921875ffa3d60fdf169fc3bd175dd1eae29dec5
-
Filesize
176KB
MD57a67b299d51da76525561818e9b53050
SHA113f8a38b532a12619a7c15782afbcd983125164b
SHA256225d107ec2c2289484865196518e773a3f41c2d6d6c4308c38b7778bb723ffb5
SHA5126d0626da86c43f19996f5d7e2ff9266358913d8b4b61ef7b0b2eae507bc4549e68e1ebb5dbd33379ad5737579796c511d65b47439d96beadc0826b0525902fc4
-
Filesize
176KB
MD57a67b299d51da76525561818e9b53050
SHA113f8a38b532a12619a7c15782afbcd983125164b
SHA256225d107ec2c2289484865196518e773a3f41c2d6d6c4308c38b7778bb723ffb5
SHA5126d0626da86c43f19996f5d7e2ff9266358913d8b4b61ef7b0b2eae507bc4549e68e1ebb5dbd33379ad5737579796c511d65b47439d96beadc0826b0525902fc4
-
Filesize
176KB
MD57a67b299d51da76525561818e9b53050
SHA113f8a38b532a12619a7c15782afbcd983125164b
SHA256225d107ec2c2289484865196518e773a3f41c2d6d6c4308c38b7778bb723ffb5
SHA5126d0626da86c43f19996f5d7e2ff9266358913d8b4b61ef7b0b2eae507bc4549e68e1ebb5dbd33379ad5737579796c511d65b47439d96beadc0826b0525902fc4
-
Filesize
136KB
MD588a4ae6e9d26c8fc606d9b9c56e1eeac
SHA15c13f75b5dda79cd7084c5af1cf6b92217f22ca0
SHA2561fa04d8138b9504fe6b9008fbe5750f1359239e0259883617410d3f6a5a9bbd7
SHA512552a243bcf5b25cfd6876341e1b6ba4162f203ac9c7be30c4697bb00621c5ff5fb35550b0f026c4c39e7ac8cc821ca0aae9f8c7877ec07bdf108f951dcfcfa0b
-
Filesize
136KB
MD588a4ae6e9d26c8fc606d9b9c56e1eeac
SHA15c13f75b5dda79cd7084c5af1cf6b92217f22ca0
SHA2561fa04d8138b9504fe6b9008fbe5750f1359239e0259883617410d3f6a5a9bbd7
SHA512552a243bcf5b25cfd6876341e1b6ba4162f203ac9c7be30c4697bb00621c5ff5fb35550b0f026c4c39e7ac8cc821ca0aae9f8c7877ec07bdf108f951dcfcfa0b
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
160KB