Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/05/2023, 14:16
General
-
Target
7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe
-
Size
492KB
-
MD5
d4d6a3534bc863b09a40371057bbd90d
-
SHA1
e62075e240f1b428883886b70db9336582a1c8f6
-
SHA256
7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784
-
SHA512
b640e83e5222ec51af5dde77998a792334342a50fe4ff1f0237cee3ecf9ca03637aec271e77ad75c32a08e4706cd13c7d037c848a7940794451a330b3ec33ff5
-
SSDEEP
12288:6MrCy90KjUi+gp6urlLyPZf8rxLvVvrJJ1:sy7qM6gOJ8ZVf1
Malware Config
Extracted
redline
luna
217.196.96.101:4132
-
auth_value
3372be6f6fa192ff878fa6fe9be73f6e
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe"C:\Users\Admin\AppData\Local\Temp\7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9792631.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9792631.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2935429.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2935429.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0987409.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0987409.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6023653.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6023653.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
309KB
MD5cf9b74b0145ff74a32e07b447a94da0f
SHA1a47018d45280491b26b2c981a4578d98e7fd0064
SHA2568bcf3c9eaed9c1fdc34ba98db35bc8f554ecde661de6bc446048b2521fe0c28f
SHA5123df9997e8e6229a459e6361ce89083a8f34ff9619704b1ec7bd1edb58a6dd70ed0e5c893f35fd8cd90ca2066a6ef91ff5e57619ff95afff33827b1090d8c4dd1
-
Filesize
309KB
MD5cf9b74b0145ff74a32e07b447a94da0f
SHA1a47018d45280491b26b2c981a4578d98e7fd0064
SHA2568bcf3c9eaed9c1fdc34ba98db35bc8f554ecde661de6bc446048b2521fe0c28f
SHA5123df9997e8e6229a459e6361ce89083a8f34ff9619704b1ec7bd1edb58a6dd70ed0e5c893f35fd8cd90ca2066a6ef91ff5e57619ff95afff33827b1090d8c4dd1
-
Filesize
176KB
MD5e996d4c47dec1ae330eeb5ae6fd6d99a
SHA12fd688fbd8efb220272223068b3abac2d1e18398
SHA256fd0aa632acac50109d0ac13e4512d0db4e8b43fe19b9b4f4c784628274d8264c
SHA5121fe22652a6d7871c1f10330741df26cc472fc0d21894fd03a28ae983e101f3342a6639e7e5e896a16b3be1de9f5c3c413ab097b239133dacd5b240f2546a90a3
-
Filesize
176KB
MD5e996d4c47dec1ae330eeb5ae6fd6d99a
SHA12fd688fbd8efb220272223068b3abac2d1e18398
SHA256fd0aa632acac50109d0ac13e4512d0db4e8b43fe19b9b4f4c784628274d8264c
SHA5121fe22652a6d7871c1f10330741df26cc472fc0d21894fd03a28ae983e101f3342a6639e7e5e896a16b3be1de9f5c3c413ab097b239133dacd5b240f2546a90a3
-
Filesize
168KB
MD5c60c1ba8b14d11e2bab4cf22d75ca7e2
SHA1d834261dd1a29e17f8d3f30424f57d547ae41076
SHA2568f1c016219c488443cb0bf1cf3b19fc41dc366b9ade47a58ecf4f0e12039a94e
SHA512e4a8bcc967cd0733e1adbf66d39340eb4fd2cd783d6286bf3f01b6dbbce9159383965534bcc5ce8c2c89a4ee8306f1e538ec6e81b0c1b4d57854bc5d21a2c501
-
Filesize
168KB
MD5c60c1ba8b14d11e2bab4cf22d75ca7e2
SHA1d834261dd1a29e17f8d3f30424f57d547ae41076
SHA2568f1c016219c488443cb0bf1cf3b19fc41dc366b9ade47a58ecf4f0e12039a94e
SHA512e4a8bcc967cd0733e1adbf66d39340eb4fd2cd783d6286bf3f01b6dbbce9159383965534bcc5ce8c2c89a4ee8306f1e538ec6e81b0c1b4d57854bc5d21a2c501
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
192KB