Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
19s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 01:57
Static task
static1
Behavioral task
behavioral1
Sample
ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Resource
win7-20231215-en
General
-
Target
ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
-
Size
4.4MB
-
MD5
81ed47a991b51ac416d56e87a29a9e1e
-
SHA1
0532b1052beed07bb9243e819b4dd5c3343120eb
-
SHA256
ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29
-
SHA512
1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62
-
SSDEEP
98304:Weekh63DHMYli6N3ZngCekllw5HON7IZGwTT5MCMBwxQf+0b:Weu3DHJ9RplwxOqEA5MdWxQd
Malware Config
Extracted
amadey
4.13
http://185.172.128.5
-
install_dir
4fdb51ccdc
-
install_file
Utsysc.exe
-
strings_key
11bb398ff31ee80d2c37571aecd1d36d
-
url_paths
/v8sjh3hs8/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1840 ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3332 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1840 ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe 1840 ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe"C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"2⤵PID:752
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F3⤵
- Creates scheduled task(s)
PID:3332
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main3⤵PID:4376
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main4⤵PID:1928
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:4716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\815711207184_Desktop.zip' -CompressionLevel Optimal5⤵PID:1964
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main3⤵PID:1768
-
-
-
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe1⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe1⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe1⤵PID:2136
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
832KB
MD55d6aa016866c585c028a47339d0a3eb4
SHA12a3f5ecc670b22adad727feda9b518787ca8de55
SHA25694696796af66fa02e663bb8962ab92a766981a8ff9071e403308105c75b9f0e3
SHA512b3962b2ebfee0e1049043c09fb9c39d74f16f8451848ca8cc4aa0c33e1815f8a888595516c48d8348c21876bf5e0b68ed59c6d3312fb28da05434b8e65f9120e