Analysis
  max time kernel:  142s
  max time network: 153s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230703-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        19/07/2023, 03:43
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           v7229391.bin.exe
  Resource:         win7-20230712-en
General
  Target:  v7229391.bin.exe
  Size:    235KB
  MD5:     ee5e79d00a13fde9e96a1f9953f35fea
  SHA1:    788be8b6304f138f5c7bdf00fe98562de6f2790d
  SHA256:  10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837
  SHA512:  26b1209bb16d6e5ed3dabe6fc18e6ec425197ecfd26f2038d9d796cff93d25597c774ca01fec5d975457ef7e544b9d7f7d09372e391c1823b4a7e3bcf94d0c49
  SSDEEP:  6144:KCy+bnr+0p0yN90QEdHyEL9MR1SKgfYLNYs1Ul8C2N:6Mrcy90zgoYLWs6l8V
Malware Config
Extracted
  Family:   amadey
  Version:  3.85
  C2:       77.91.68.3/home/love/index.php
Signatures

Detects Healer an antivirus disabler dropper (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x00090000000231e8-138.dat                                  healer
  behavioral2/files/0x00090000000231e8-139.dat                                  healer
  behavioral2/memory/2596-140-0x0000000000540000-0x000000000054A000-memory.dmp  healer

Modifies Windows Defender Real-time Protection settings
  description      ioc                                                                                                                    Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    a6528505.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    a6528505.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a6528505.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                    a6528505.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    a6528505.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        a6528505.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation  danke.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation  b2742260.exe

Executes dropped EXE (5 IoCs)
  pid   Process
  2596  a6528505.exe
  5096  b2742260.exe
  3620  danke.exe
  2620  danke.exe
  4708  danke.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1464  rundll32.exe

Windows security modification
  description      ioc                                                                               Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  a6528505.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                  Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce      v7229391.bin.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  v7229391.bin.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2000  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2596  a6528505.exe
  2596  a6528505.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2596  a6528505.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  5096  b2742260.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  description                       pid   Process           procid_target
  PID 4988 wrote to memory of 2596  4988  v7229391.bin.exe  86
  PID 4988 wrote to memory of 2596  4988  v7229391.bin.exe  86
  PID 4988 wrote to memory of 5096  4988  v7229391.bin.exe  87
  PID 4988 wrote to memory of 5096  4988  v7229391.bin.exe  87
  PID 4988 wrote to memory of 5096  4988  v7229391.bin.exe  87
  PID 5096 wrote to memory of 3620  5096  b2742260.exe      88
  PID 5096 wrote to memory of 3620  5096  b2742260.exe      88
  PID 5096 wrote to memory of 3620  5096  b2742260.exe      88
  PID 3620 wrote to memory of 2000  3620  danke.exe         89
  PID 3620 wrote to memory of 2000  3620  danke.exe         89
  PID 3620 wrote to memory of 2000  3620  danke.exe         89
  PID 3620 wrote to memory of 1552  3620  danke.exe         91
  PID 3620 wrote to memory of 1552  3620  danke.exe         91
  PID 3620 wrote to memory of 1552  3620  danke.exe         91
  PID 1552 wrote to memory of 5108  1552  cmd.exe           93
  PID 1552 wrote to memory of 5108  1552  cmd.exe           93
  PID 1552 wrote to memory of 5108  1552  cmd.exe           93
  PID 1552 wrote to memory of 5056  1552  cmd.exe           94
  PID 1552 wrote to memory of 5056  1552  cmd.exe           94
  PID 1552 wrote to memory of 5056  1552  cmd.exe           94
  PID 1552 wrote to memory of 4720  1552  cmd.exe           95
  PID 1552 wrote to memory of 4720  1552  cmd.exe           95
  PID 1552 wrote to memory of 4720  1552  cmd.exe           95
  PID 1552 wrote to memory of 3888  1552  cmd.exe           96
  PID 1552 wrote to memory of 3888  1552  cmd.exe           96
  PID 1552 wrote to memory of 3888  1552  cmd.exe           96
  PID 1552 wrote to memory of 5076  1552  cmd.exe           97
  PID 1552 wrote to memory of 5076  1552  cmd.exe           97
  PID 1552 wrote to memory of 5076  1552  cmd.exe           97
  PID 1552 wrote to memory of 4592  1552  cmd.exe           98
  PID 1552 wrote to memory of 4592  1552  cmd.exe           98
  PID 1552 wrote to memory of 4592  1552  cmd.exe           98
  PID 3620 wrote to memory of 1464  3620  danke.exe         108
  PID 3620 wrote to memory of 1464  3620  danke.exe         108
  PID 3620 wrote to memory of 1464  3620  danke.exe         108
Processes

C:\Users\Admin\AppData\Local\Temp\v7229391.bin.exe  (PID 4988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\v7229391.bin.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6528505.exe  (PID 2596)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6528505.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2742260.exe  (PID 5096)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2742260.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe  (PID 3620)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe  (PID 2000)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\cmd.exe  (PID 1552)
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 5108)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        C:\Windows\SysWOW64\cacls.exe  (PID 5056)
          Command line: CACLS "danke.exe" /P "Admin:N"

        C:\Windows\SysWOW64\cacls.exe  (PID 4720)
          Command line: CACLS "danke.exe" /P "Admin:R" /E

        C:\Windows\SysWOW64\cmd.exe  (PID 3888)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        C:\Windows\SysWOW64\cacls.exe  (PID 5076)
          Command line: CACLS "..\3ec1f323b5" /P "Admin:N"

        C:\Windows\SysWOW64\cacls.exe  (PID 4592)
          Command line: CACLS "..\3ec1f323b5" /P "Admin:R" /E

      C:\Windows\SysWOW64\rundll32.exe  (PID 1464)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe  (PID 2620)
  Command line: C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe  (PID 4708)
  Command line: C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads