Analysis
max time kernel: 151s
max time network: 171s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2023, 01:57
Static task: static1
Behavioral task: behavioral1
Sample: ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Resource: win7-20231215-en
General
Target: ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Size: 4.4MB
MD5: 81ed47a991b51ac416d56e87a29a9e1e
SHA1: 0532b1052beed07bb9243e819b4dd5c3343120eb
SHA256: ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29
SHA512: 1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62
SSDEEP: 98304:Weekh63DHMYli6N3ZngCekllw5HON7IZGwTT5MCMBwxQf+0b:Weu3DHJ9RplwxOqEA5MdWxQd
Malware Config
Extracted
family: amadey
version: 4.13
C2: http://185.172.128.5
install_dir: 4fdb51ccdc
install_file: Utsysc.exe
strings_key: 11bb398ff31ee80d2c37571aecd1d36d
url_paths: /v8sjh3hs8/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Utsysc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Utsysc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Utsysc.exe
Blocklisted process makes network request 2 IoCs
flow | pid | Process
7 | 3032 | rundll32.exe
9 | 600 | rundll32.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Utsysc.exe
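The two registry probes above (the ACPI DSDT key VBOX__ and the SystemBiosVersion / VideoBiosVersion values) are exactly what a sandbox image has to hide for this sample to proceed. The block below is an added example, not code from the sample or from Triage: it re-implements the two checks against an in-memory registry snapshot so it runs on any OS, and includes a winreg-backed loader for use on a real Windows guest. The hypervisor marker strings and the snapshot values are assumptions; the report only shows that the values were read, not which substrings the sample compares them against.

```python
"""
Re-implementation of the two registry probes attributed to the sample
(ACPI DSDT\VBOX__ key; SystemBiosVersion / VideoBiosVersion values),
evaluated against an in-memory snapshot so it runs on any OS.
Added example; marker strings and snapshot values are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

HKLM = r"\REGISTRY\MACHINE"
ACPI_DSDT = HKLM + r"\HARDWARE\ACPI\DSDT"
SYSTEM_DESC = HKLM + r"\HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
# Assumed hypervisor markers; the report shows the values were read, not
# which substrings the sample compares against.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS")


@dataclass
class RegistrySnapshot:
    keys: set[str] = field(default_factory=set)                # key paths that exist
    values: dict[str, list[str]] = field(default_factory=dict)  # "key\name" -> REG_MULTI_SZ data

    def key_exists(self, path: str) -> bool:
        return path.lower() in {k.lower() for k in self.keys}

    def query_multi_sz(self, key: str, name: str) -> list[str]:
        wanted = f"{key}\\{name}".lower()
        return next((v for k, v in self.values.items() if k.lower() == wanted), [])


def acpi_vbox_table_present(reg: RegistrySnapshot) -> bool:
    """Check 1: VirtualBox publishes its DSDT under OEM id 'VBOX  ', hence VBOX__."""
    return reg.key_exists(ACPI_DSDT + r"\VBOX__")


def bios_strings_naming_hypervisor(reg: RegistrySnapshot) -> list[str]:
    """Check 2: BIOS version strings that mention a hypervisor vendor."""
    hits = []
    for name in BIOS_VALUES:
        for s in reg.query_multi_sz(SYSTEM_DESC, name):
            if any(marker in s.upper() for marker in VM_MARKERS):
                hits.append(f"{name}={s!r}")
    return hits


def vm_indicators(reg: RegistrySnapshot) -> list[str]:
    """Everything the sample could trip on; an empty list means the image passes."""
    found = ["ACPI DSDT table VBOX__ present"] if acpi_vbox_table_present(reg) else []
    return found + bios_strings_naming_hypervisor(reg)


def snapshot_from_live_host() -> RegistrySnapshot:
    """Windows only: read the same keys through winreg (ImportError elsewhere)."""
    import winreg
    snap = RegistrySnapshot()
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\ACPI\DSDT\VBOX__"))
        snap.keys.add(ACPI_DSDT + r"\VBOX__")
    except OSError:
        pass  # key absent: not a VirtualBox DSDT
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as k:
        for name in BIOS_VALUES:
            try:
                data, _ = winreg.QueryValueEx(k, name)
                snap.values[f"{SYSTEM_DESC}\\{name}"] = list(data) if isinstance(data, list) else [str(data)]
            except OSError:
                pass
    return snap


# Constructed snapshots: a stock VirtualBox guest and a hardened one whose
# firmware strings were rewritten (values are illustrative, not captured).
VBOX_GUEST = RegistrySnapshot(
    keys={ACPI_DSDT + r"\VBOX__"},
    values={f"{SYSTEM_DESC}\\SystemBiosVersion": ["VBOX   - 1"],
            f"{SYSTEM_DESC}\\VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0.0 VGA BIOS"]},
)
HARDENED_GUEST = RegistrySnapshot(
    keys={ACPI_DSDT + r"\DELL__"},
    values={f"{SYSTEM_DESC}\\SystemBiosVersion": ["DELL   - 1072009", "1.4.0"],
            f"{SYSTEM_DESC}\\VideoBiosVersion": ["Intel Video BIOS"]},
)

if __name__ == "__main__":
    for label, snap in (("stock VirtualBox", VBOX_GUEST), ("hardened", HARDENED_GUEST)):
        print(label, vm_indicators(snap) or "no indicators")
```

Run `vm_indicators(snapshot_from_live_host())` on a candidate analysis VM: anything it returns is a value the sample reads, so the image should be rebuilt (or the registry rewritten at boot) until the list is empty. Note that the sample performs the same reads again from every Utsysc.exe instance, so the values must stay consistent across reboots, not just at first run.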
Executes dropped EXE 3 IoCs
pid | Process
2696 | Utsysc.exe
2184 | Utsysc.exe
1212 | Utsysc.exe
-
Loads dropped DLL 13 IoCs
pid | Process | events
1612 | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe | 1
2004 | rundll32.exe | 4
3032 | rundll32.exe | 4
600 | rundll32.exe | 4
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Utsysc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Utsysc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
1612 | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
2696 | Utsysc.exe
2184 | Utsysc.exe
1212 | Utsysc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2780 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | Process | events
1612 | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe | 1
2696 | Utsysc.exe | 1
3032 | rundll32.exe | 4
2164 | powershell.exe | 1
2184 | Utsysc.exe | 1
1212 | Utsysc.exe | 1
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2164 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1612 | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Suspicious use of WriteProcessMemory 40 IoCs (one row per writer/target pair, with the number of write events)
description | pid | Process | procid_target | events
PID 1612 wrote to memory of 2696 | 1612 | ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe | 28 | 4
PID 2696 wrote to memory of 2780 | 2696 | Utsysc.exe | 31 | 4
PID 2696 wrote to memory of 2004 | 2696 | Utsysc.exe | 35 | 7
PID 2004 wrote to memory of 3032 | 2004 | rundll32.exe | 36 | 4
PID 3032 wrote to memory of 376 | 3032 | rundll32.exe | 37 | 3
PID 3032 wrote to memory of 2164 | 3032 | rundll32.exe | 40 | 3
PID 2696 wrote to memory of 600 | 2696 | Utsysc.exe | 42 | 7
PID 1544 wrote to memory of 2184 | 1544 | taskeng.exe | 45 | 4
PID 1544 wrote to memory of 1212 | 1544 | taskeng.exe | 46 | 4
Processes
1. C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe"
   PID: 1612
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
      PID: 2696
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
         PID: 2780
         - Creates scheduled task(s)
      3. C:\Windows\SysWOW64\rundll32.exe
         cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
         PID: 2004
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\rundll32.exe
            cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
            PID: 3032
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\netsh.exe
               cmdline: netsh wlan show profiles
               PID: 376
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               cmdline: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\603059206200_Desktop.zip' -CompressionLevel Optimal
               PID: 2164
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\rundll32.exe
         cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
         PID: 600
         - Blocklisted process makes network request
         - Loads dropped DLL
1. C:\Windows\system32\taskeng.exe
   cmdline: taskeng.exe {8A608C7B-EF91-474B-8DC7-9D981B8D170F} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
   PID: 1544
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
      PID: 2184
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
      PID: 1212
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
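The process tree above is a compact instance of the Amadey chain: copy itself to a random-name directory under Temp, persist with a scheduled task that re-runs the installed copy every minute, load plugin DLLs from AppData\Roaming through rundll32, enumerate saved Wi-Fi profiles with netsh, and stage collected files into a zip under Temp with Compress-Archive. The block below is an added detection example, not code from the sample or from Triage: it runs five process-creation rules over constructed Sysmon-style events built from the tree (plus two benign events that must not fire). The event field names, the rule names and the benign events are assumptions.

```python
"""
Process-creation rules for the behaviours in the report's process tree.
Added example: the events are constructed from the tree (plus two benign
ones); field names loosely follow Sysmon Event ID 1 and are an assumption.
"""
import re

# Constructed events: pid, ppid, parent image, image, command line.
EVENTS = [
    {"pid": 2780, "ppid": 2696, "parent": r"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F'},
    {"pid": 2004, "ppid": 2696, "parent": r"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main'},
    {"pid": 3032, "ppid": 2004, "parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main'},
    {"pid": 376, "ppid": 3032, "parent": r"C:\Windows\system32\rundll32.exe",
     "image": r"C:\Windows\system32\netsh.exe", "cmd": "netsh wlan show profiles"},
    {"pid": 2164, "ppid": 3032, "parent": r"C:\Windows\system32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\603059206200_Desktop.zip' -CompressionLevel Optimal"},
    {"pid": 600, "ppid": 2696, "parent": r"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main'},
    {"pid": 2184, "ppid": 1544, "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe",
     "cmd": r"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"},
    # Benign controls (constructed): a Control Panel applet and a daily backup task.
    {"pid": 4100, "ppid": 900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 4200, "ppid": 901, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
]

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_args(cmd):
    """Map /SC, /MO, /TN, /TR to their (unquoted) arguments."""
    return {k.upper(): v.strip('"') for k, v in re.findall(r'/(SC|MO|TN|TR)\s+("[^"]*"|\S+)', cmd, re.I)}


def rundll32_dll(cmd):
    """DLL path handed to rundll32: second token, up to the ',export' separator."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+(.*)', cmd)
    return m.group(1).split(",", 1)[0].strip().strip('"') if m else ""


def rule_minute_task_from_temp(ev):
    if basename(ev["image"]) != "schtasks.exe" or "/CREATE" not in ev["cmd"].upper():
        return False
    a = schtasks_args(ev["cmd"])
    return a.get("SC", "").upper() == "MINUTE" and bool(TEMP_DIR.search(a.get("TR", "")))


def rule_rundll32_user_dll(ev):
    return basename(ev["image"]) == "rundll32.exe" and bool(USER_PROFILE.search(rundll32_dll(ev["cmd"])))


def rule_wifi_profile_enum(ev):
    return basename(ev["image"]) == "netsh.exe" and re.search(r"\bwlan\s+show\s+profiles?\b", ev["cmd"], re.I) is not None


def rule_archive_staging_in_temp(ev):
    if basename(ev["image"]) != "powershell.exe" or "compress-archive" not in ev["cmd"].lower():
        return False
    m = re.search(r"-DestinationPath\s+['\"]?([^'\"\s]+)", ev["cmd"], re.I)
    return m is not None and bool(TEMP_DIR.search(m.group(1)))


def rule_task_runs_temp_binary(ev):
    # Windows 7 runs tasks under taskeng.exe (as here); Windows 10+ uses the
    # Schedule service's svchost.exe, so both parents are accepted.
    return basename(ev["parent"]) in {"taskeng.exe", "svchost.exe"} and bool(TEMP_DIR.search(ev["image"]))


RULES = {
    "minute_task_from_temp": rule_minute_task_from_temp,
    "rundll32_user_dll": rule_rundll32_user_dll,
    "wifi_profile_enum": rule_wifi_profile_enum,
    "archive_staging_in_temp": rule_archive_staging_in_temp,
    "task_runs_temp_binary": rule_task_runs_temp_binary,
}


def evaluate(events):
    """Return (pid, rule name) for every event that trips a rule."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Two points the tree makes that the rules rely on: the SysWOW64 rundll32.exe (PID 2004) re-launching the system32 rundll32.exe (PID 3032) with the same cred64.dll argument is the 32-bit rundll32 handing a 64-bit DLL to its 64-bit counterpart, so the DLL-path rule has to look at the command line rather than at which rundll32 binary ran; and the taskeng.exe-parented Utsysc.exe instances (PIDs 2184, 1212) are the scheduled task firing, which is the only event in the tree that survives a reboot and therefore the one worth alerting on for persistence.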
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.8MB
MD5: 92a41739beaf84060b62d6a2649b3111
SHA1: f1afaeb927ce1b6796eb150d7cc81e17cd5ee343
SHA256: cdc33f6d9d89698baabc6dd253ed695a3d111f2cf564d4c95c466161d31433ba
SHA512: f0653fd4706a051ed7517241aed008d89f2bb4393229850a8d14fddc1a97c5dfa7b5c53cfa4dff155a39e9979bf55d80fcbf212dc5bb44edc249a64ca74cf49c

Filesize: 4.4MB (same hashes as the submitted sample)
MD5: 81ed47a991b51ac416d56e87a29a9e1e
SHA1: 0532b1052beed07bb9243e819b4dd5c3343120eb
SHA256: ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29
SHA512: 1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62

Filesize: 136KB
MD5: 2069e59a7ea4bf937d6907c991da653a
SHA1: 077e6a0d24cdd6beeef19b54d7472d74c09df59d
SHA256: 4f41b869588ffef2d35a9ea78ca7cbc6df731a5434ce7e9f5e706ddd72e992f9
SHA512: 5af208aa66efd6814109420afdb40145e927ae8fa909649059f25d90fb3457fdaf4659d8b9b2a187bdb5d6af310af2ec089809cd1f5625d7768e38636cee1b1a

Filesize: 65KB
MD5: 536bb0fe2a6bd1bb048c3ae8dee8b08b
SHA1: f6a919f756735e83e3a1eac4c64c4b7b31d393b1
SHA256: fcd72d25ed815a68b88370d72e1f4f2c5c73fc19451656ad14bd06f10c280a0c
SHA512: b7723e270cf4b3f161119a9d2b3118c365a57be49e3cf05082caae18b1e120aea8feb8d9fa489cea13ca238b5fb59b6c37e763dbd376ddb0c9314f292d70357e

Filesize: 102KB
MD5: c06513af505f65393b4ebcd2a11a2ee4
SHA1: 6e9e8a6b93fc9afbcc781790881d821b0bfb0821
SHA256: f5d35a2366cf13312a30c9384f1ac30d9dc9ced46fa6b1b9c2d0621493cc2495
SHA512: b90b8dc0571b2dde83c5ceaa4f12f203973bc2049663c0a840fa20a900bc7018f1f392f10273a607e816ccaf8a2b4f70bbc30b354437a2c9aecf5626b7c0a5ce

Filesize: 1.2MB
MD5: 38d922b1364ecc07f1a933b7acb20de4
SHA1: 82a3d4f9cf3502da8710c07f9b7b447b79519216
SHA256: 48c4c53425a0ee02d48f3eab2b4da3b6ed24d6d5bc45dea783e43e32b9752931
SHA512: cb1ca40afc5ad7828c9ef79c8029e76ec351bbbf6697ab1ec6dd9fe7aa5273028cf9d711a9babb4444ab44266751affbb3de4f4c9572dea102b1a04e95f0d315