Analysis

  • max time kernel
    14s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2023, 21:36

General

  • Target

    NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe

  • Size

    243KB

  • MD5

    eb4f61cdbba43d2b9b567e06a981f760

  • SHA1

    b9738f36b4fb5451fa28cc23f0eff794d7b6b647

  • SHA256

    27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

  • SHA512

    433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca

  • SSDEEP

    6144:LEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:LE32xpoaxBFg1ugMeS

Score
10/10

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f (rc4.plain)

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3060
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    1⤵
    • Creates scheduled task(s)
    PID:2600
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      2⤵
      PID:2616
    • C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      2⤵
      PID:2828
    • C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      2⤵
      PID:2920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2⤵
      PID:2356
    • C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      2⤵
      PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2⤵
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

    Filesize

    243KB

    MD5

    eb4f61cdbba43d2b9b567e06a981f760

    SHA1

    b9738f36b4fb5451fa28cc23f0eff794d7b6b647

    SHA256

    27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

    SHA512

    433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca

  • \Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

    Filesize

    243KB

    MD5

    eb4f61cdbba43d2b9b567e06a981f760

    SHA1

    b9738f36b4fb5451fa28cc23f0eff794d7b6b647

    SHA256

    27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

    SHA512

    433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca