Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/03/2024, 18:51
Static task: static1
Behavioral task: behavioral1
- Sample: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
- Resource: win10v2004-20240226-en
General
- Target: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
- Size: 1.4MB
- MD5: 04055601abbd16ec6cc9e02450c19381
- SHA1: 420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e
- SHA256: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13
- SHA512: 826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac
- SSDEEP: 24576:HhSIBky91oHhqyp54SWIbts8MZHq9NGCzgNgpiZtsyCx+OO9OKfNgd5H4+3:B3J91qhDp5HWAsF28ZtsJsOO9WH4g
Malware Config
Extracted
- Family: amadey
- Version: 4.18
- C2: http://185.172.128.3, http://cdnforbusiness.com
- install_dir: One_Dragon_Center
- install_file: MSI.CentralServer.exe
- strings_key: fd2f5851d3165c210396dcbe9930d294
- url_paths: /QajE3OBS/index.php
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation (process: MSI.CentralServer.exe)
- Executes dropped EXE (3 IoCs)
  PID 1968 MSI.CentralServer.exe; PID 2212 MSI.CentralServer.exe; PID 704 MSI.CentralServer.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2212 set thread context of 4964 (MSI.CentralServer.exe, procid_target 113)
  PID 704 set thread context of 2300 (MSI.CentralServer.exe, procid_target 118)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Tasks\MSI.CentralServer.job (process: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 2584 timeout.exe
- Kills process with taskkill (1 IoC)
  PID 452 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2212 MSI.CentralServer.exe (2 rows); PID 4964 cmd.exe (2 rows); PID 704 MSI.CentralServer.exe (2 rows); PID 2300 cmd.exe (2 rows)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  PID 2212 MSI.CentralServer.exe; PID 704 MSI.CentralServer.exe; PID 4964 cmd.exe; PID 2300 cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 452 taskkill.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 628 b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1968 wrote to memory of 1664 (MSI.CentralServer.exe, procid_target 107), 3 rows
  PID 1664 wrote to memory of 452 (cmd.exe, procid_target 109), 3 rows
  PID 1664 wrote to memory of 2584 (cmd.exe, procid_target 110), 3 rows
  PID 1664 wrote to memory of 2212 (cmd.exe, procid_target 111), 3 rows
  PID 2212 wrote to memory of 4964 (MSI.CentralServer.exe, procid_target 113), 4 rows
  PID 704 wrote to memory of 2300 (MSI.CentralServer.exe, procid_target 118), 4 rows
  PID 4964 wrote to memory of 3952 (cmd.exe, procid_target 120), 4 rows
  PID 2300 wrote to memory of 4088 (cmd.exe, procid_target 121), 4 rows
Processes
- C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe"
  PID: 628
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  PID: 1968
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "MSI.CentralServer.exe" && timeout 1 && del "MSI.CentralServer.exe" && ren c36f10 MSI.CentralServer.exe && C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe && Exit"
    PID: 1664
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "MSI.CentralServer.exe"
      PID: 452
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      PID: 2584
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      PID: 2212
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe
        PID: 4964
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          PID: 3952
- C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  PID: 704
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 2300
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 4088
Network
MITRE ATT&CK Enterprise v15
Downloads