Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
08/05/2023, 20:42
General
-
Target
b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe
-
Size
489KB
-
MD5
aa6d03446e5c105de4417c5b50d5d6d0
-
SHA1
23e47f16d18006389189291f3b933f0105938049
-
SHA256
b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548
-
SHA512
f4aa199513011c96e502b76a69e507cc918f8f690d573598887e6fb873f34f83b238a2338f2ae3c2671a83da40d7e2d17a3e20cb2a38dbce10f9cfb194dc3bbb
-
SSDEEP
12288:xMruy90dNxb0d1P+5c1u31CTDjh5TFmNXvSQZJa3:/yk8HiXUTHTTFmNXvSQZE3
Malware Config
Extracted
redline
lamp
217.196.96.101:4132
-
auth_value
8a3e8bc22f2496c7c5339eb332073902
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe"C:\Users\Admin\AppData\Local\Temp\b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4701836.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4701836.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2893244.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2893244.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2668286.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2668286.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1054200.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1054200.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
231KB
MD52372c7a8c085eefa4608778f8e62b4b0
SHA1d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA2569e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize
307KB
MD5e76eaff8de70325df26dda3ac9203ce0
SHA1f4aa1f93ad8a60cf502b4e524db464b9190a698b
SHA256ffbb9b0f98526528ff889f803cb8c54114ae9dc6fb34add13e035c6a62942682
SHA51279572110c52b2268739a276250d9824533c4455ed9c9e8ef5cf668af822c26a20343ae8b74ca63224f10140f98c11309a769629ce38234247b37f77dbf602e2e
-
Filesize
307KB
MD5e76eaff8de70325df26dda3ac9203ce0
SHA1f4aa1f93ad8a60cf502b4e524db464b9190a698b
SHA256ffbb9b0f98526528ff889f803cb8c54114ae9dc6fb34add13e035c6a62942682
SHA51279572110c52b2268739a276250d9824533c4455ed9c9e8ef5cf668af822c26a20343ae8b74ca63224f10140f98c11309a769629ce38234247b37f77dbf602e2e
-
Filesize
179KB
MD5b6f6a993fc1e40151c3cb02718271b39
SHA13d88563df2b1604bc6d737f642bc552e3f225b75
SHA2566a698066b6d017ff3a4112c925a98ba71ebf39098025433f3e9d37fcbf5231a2
SHA5128b05b0cd66e5c4eb63ca1352b911740edb5122aba2f78f624d80fe4e10f72349c9794b9cdd0e3d537bf3ed38671154634e5fbb0e662ebe67f16c914f9135e675
-
Filesize
179KB
MD5b6f6a993fc1e40151c3cb02718271b39
SHA13d88563df2b1604bc6d737f642bc552e3f225b75
SHA2566a698066b6d017ff3a4112c925a98ba71ebf39098025433f3e9d37fcbf5231a2
SHA5128b05b0cd66e5c4eb63ca1352b911740edb5122aba2f78f624d80fe4e10f72349c9794b9cdd0e3d537bf3ed38671154634e5fbb0e662ebe67f16c914f9135e675
-
Filesize
168KB
MD5049adcc67079cc89ff23244263ba0d3a
SHA14c1b30cbf7aaa2285ac75c6d38ae23515866e856
SHA25663546851a6792f2e1e82aefd3a4c6a4999e59c34c4ede8cd63248b686d86c6f8
SHA512c405c21262a251f6ca8900623a336e18d7f300e541a4db10de52393e227f40a3cb2d5bb31173529171d82c9ccc9d344f616a9475b1ca147bb2e7ac5342e9b048
-
Filesize
168KB
MD5049adcc67079cc89ff23244263ba0d3a
SHA14c1b30cbf7aaa2285ac75c6d38ae23515866e856
SHA25663546851a6792f2e1e82aefd3a4c6a4999e59c34c4ede8cd63248b686d86c6f8
SHA512c405c21262a251f6ca8900623a336e18d7f300e541a4db10de52393e227f40a3cb2d5bb31173529171d82c9ccc9d344f616a9475b1ca147bb2e7ac5342e9b048
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
1.0MB
-
Filesize
184KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB