Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
10/05/2023, 12:07
General
-
Target
9b33e68d6a02c597c1ec96254f19793883077a337ba0ff9a55f989ddf396839d.exe
-
Size
490KB
-
MD5
49d411770b1ba3956bbbb23c4e65ada9
-
SHA1
a4b2193fad68f10bd155f899a6561b53b28cdd06
-
SHA256
9b33e68d6a02c597c1ec96254f19793883077a337ba0ff9a55f989ddf396839d
-
SHA512
7ec99f66c944d4e046838ccef5c46c652ad4ad2c4dfe83dca8553266ffdc5930764842a9b84dca0e1e0e3cdbf62bd9b47f843cb0ae6e1f7578850135266655e1
-
SSDEEP
12288:9MrWy90Cuw4HwjdpMncdv1pU08Go9x7ca35Cqi:byIfH/ck9x71i
Malware Config
Extracted
redline
lirot
217.196.96.102:4132
-
auth_value
0719dc312a5ab622cdc667a6937558df
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b33e68d6a02c597c1ec96254f19793883077a337ba0ff9a55f989ddf396839d.exe"C:\Users\Admin\AppData\Local\Temp\9b33e68d6a02c597c1ec96254f19793883077a337ba0ff9a55f989ddf396839d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7475831.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7475831.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9830623.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9830623.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8862208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8862208.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7613566.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7613566.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
232KB
MD55534c8d9b096b985d650e5c92f693558
SHA14d94535579345b545bedef2bad27a32937bba517
SHA256d52a9b639b663334402cf44b92611e19f2226bb0bb29469d631a2437c3fd1fe1
SHA512a6075a96fa3e15855c7dea511162ed8200ca48376f0032119479457331d5b2b79b0c638fe19496a2670f3291b23c8cbaef9830aecfac3a4a4799ef9f9a3f4a8f
-
Filesize
307KB
MD5fca50971af16559543a4f9678a442239
SHA15854fb60cabbde3169d3ac8e7af1e5f4217adfca
SHA2565a4663ac060a9ea26a659b840b523e27b1ad2e7d57ecf55c84105e86eaa74fcc
SHA512ad33f43c1cd61082b9954ebd2fe78709dcabe66428aac36102b524c77be779b6f768eeb906d18bc4204e5d1d4c94ce1aa25b84a4621e1f0838b94ad1207e85e5
-
Filesize
307KB
MD5fca50971af16559543a4f9678a442239
SHA15854fb60cabbde3169d3ac8e7af1e5f4217adfca
SHA2565a4663ac060a9ea26a659b840b523e27b1ad2e7d57ecf55c84105e86eaa74fcc
SHA512ad33f43c1cd61082b9954ebd2fe78709dcabe66428aac36102b524c77be779b6f768eeb906d18bc4204e5d1d4c94ce1aa25b84a4621e1f0838b94ad1207e85e5
-
Filesize
182KB
MD514feafe55bebb07242db88605319663d
SHA14e63969213f728c7f5f31835f702c0913f9d1376
SHA2560392963b9d07cf383c59471abfb3512db7727d3e4b32b8bd6c47704126fdef2a
SHA512a641b9b4eb2e64c98e6b84b6843cd27f12155b8bacce684a77d4d289ec95275400dbb2bd5389ed807d172db4eb2bd45e54070bf6625aef7e46833095900f20c7
-
Filesize
182KB
MD514feafe55bebb07242db88605319663d
SHA14e63969213f728c7f5f31835f702c0913f9d1376
SHA2560392963b9d07cf383c59471abfb3512db7727d3e4b32b8bd6c47704126fdef2a
SHA512a641b9b4eb2e64c98e6b84b6843cd27f12155b8bacce684a77d4d289ec95275400dbb2bd5389ed807d172db4eb2bd45e54070bf6625aef7e46833095900f20c7
-
Filesize
168KB
MD54bbaa2010ba263704bfe8252d976ecb2
SHA1241eef19768b603c25a571ed23fb9016cf8855ed
SHA256a009c6806f118c014646d4070e22cf4788a42afb65350b5d49ae3e4bcd0b3bdc
SHA51212fce45304fb438d30e04e959968efed692b4550fb0041eeecb18eaf60f2a32693e45f0eb8827549877d613b0d8ea848526338c7d8ead2903777b443a0349ab1
-
Filesize
168KB
MD54bbaa2010ba263704bfe8252d976ecb2
SHA1241eef19768b603c25a571ed23fb9016cf8855ed
SHA256a009c6806f118c014646d4070e22cf4788a42afb65350b5d49ae3e4bcd0b3bdc
SHA51212fce45304fb438d30e04e959968efed692b4550fb0041eeecb18eaf60f2a32693e45f0eb8827549877d613b0d8ea848526338c7d8ead2903777b443a0349ab1
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
184KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
6.1MB