Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
19/03/2024, 18:51
General
-
Target
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
-
Size
1.4MB
-
MD5
04055601abbd16ec6cc9e02450c19381
-
SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e
-
SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13
-
SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac
-
SSDEEP
24576:HhSIBky91oHhqyp54SWIbts8MZHq9NGCzgNgpiZtsyCx+OO9OKfNgd5H4+3:B3J91qhDp5HWAsF28ZtsJsOO9WH4g
Malware Config
Extracted
amadey
4.18
http://185.172.128.3
http://cdnforbusiness.com
-
install_dir
One_Dragon_Center
-
install_file
MSI.CentralServer.exe
-
strings_key
fd2f5851d3165c210396dcbe9930d294
-
url_paths
/QajE3OBS/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe"C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exeC:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "MSI.CentralServer.exe" && timeout 1 && del "MSI.CentralServer.exe" && ren c36f10 MSI.CentralServer.exe && C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe && Exit"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "MSI.CentralServer.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exeC:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exeC:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
299B
MD55ae8478af8dd6eec7ad4edf162dd3df1
SHA155670b9fd39da59a9d7d0bb0aecb52324cbacc5a
SHA256fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
SHA512a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296
-
Filesize
192B
MD58441b4b1912ca115dc675f3c24d73102
SHA1b591c89569a64dd3aa8730321376d02ba48d5ae6
SHA256930f4ac39bd395edfff5365c4044562a509b9e28d7be769f579617a244cb97dc
SHA512d704e5d5bf1873a5f08e214ced6187c3b2441d7599145faa04e0d5491d6b7e31ab233f37f1ba817f40a2612c2ce4e54c73e223305666835ec39a9e5b7b001792
-
Filesize
192B
MD5e9825cc51093adf353bc80d9b139f7d1
SHA13513045afb2ca88f2cde8c53d888df90e0f0aae1
SHA256a98b1c09d87359fc8f8127a888ebab712a0dd1638abfc7cd8bb25886d1dd72d8
SHA512241e6ce03e8ba411c9cc507f742fd8951b397fd2fdf1bc05eda771d4b8edfba1922ee1ec0215f751732ece3a69cc98be2fcfdf4678eb5e3e1fcc88a7c983eb67
-
Filesize
1.2MB
MD56143f9007a1b19642c76345546ba5db6
SHA1a0fdee5c5e8674235a22ff0a11c17c9648485581
SHA256062724e6361ae3b802d1a48c06d42d45e021b40a5c930ffec1d92d9a061a9b9a
SHA512dcd72334c669c58baa393351b8c0a433dbcffc2aa3a1cd209078f42c15062af85ac7f6e5df7c2570eb3137371ea8593bf9f17f742ed9e2c7ca20e95eb6dd80bc
-
Filesize
1.1MB
MD580c224056113090df0181619bcaae033
SHA1d858fd23fbc86b1da7256d9c9d5d398adeb39c29
SHA256af210a82b5bf2001fed63cdf251d21909a9dc382765e4054cb5ffd5b71db04c6
SHA512aced1034dc3bdd7ec9cbf3afa531ff4129d92b3984186f2eff110cd83871d2465cd127fe60c9be4d2c5240f843d5541a233eea1bffda75481f59d44c39eb9c02
-
Filesize
1.0MB
MD53564741bdf8a110adb67072d7e2837fb
SHA1e260038af6ef6ff8afd034cb4311edf855508ad1
SHA2569a5f68fd3e96d865fefd05c4d15560da7aa41732bffa59da8bf5af87f8779c37
SHA512a9dc1cbe50277b3d35c6e5c47aed57f91f596a1efeebf62de8971ed07125cc4f128cb14f601af39f94df98a0c0715d1b566eaa0c1a966bee0d36e9623457f23e
-
Filesize
1.4MB
MD504055601abbd16ec6cc9e02450c19381
SHA1420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e
SHA256b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13
SHA512826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac
-
Filesize
145KB
MD57a9f43248b98ad3fbbcf8723f19eb04f
SHA128edcb8423d677471e07e07fcc7df60357ff4e84
SHA2562553d4aa7edff2d95082562ab9e626f05d4b4e6d32a9448b71b6433660acb95f
SHA512388d4bc38694668ec71400add3100c7e73641f2d9492f86e73c5cfa3edaf60cf6b04cab9ffae5510d7d9518df73544bb415af63512ac6cabd31c94a8fb5d7c79
-
Filesize
3.7MB
MD580f0f67821e14dc05947471e93f0b09a
SHA13ddeea07768b3b7d50aa5f00a52a1eaeef7ede2b
SHA2567300e6a755a8606b1036b83af1bb6bbab6b10a83c93e0d5345d23c656b0a2422
SHA512b90737641176201350e44c83ce82671f57a89d8afe647968a28efa18a5cd861c5c7d055106ddb5605b1513c8123d1fb6685083a4f861063ee0f22e04349b6652
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
444KB
-
Filesize
4.2MB
-
Filesize
444KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB