Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 11:12

General

  • Target

    2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe

  • Size

    514KB

  • MD5

    90f4e7656cd4f2ff21d306e9a2127aa8

  • SHA1

    d7c5ac2b853e2ffb6281a91e1d48a652fdb4ab4b

  • SHA256

    2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7

  • SHA512

    cc4a87aab9ee3c6290dd6eefd14e2297f24f9738cad755bb462d402ab408fdbd27d196e5a44475e3a4296c0f959305d645187297fa12f76464f652d040651e15

  • SSDEEP

    12288:kMrvy90pmeitVqabcxZthOFvD2ZT58iro7:7yAitsKcxZtsvCLE

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe
    "C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4476
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4760
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4076
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:3708
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  7⤵
                    PID:3328
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "pdates.exe" /P "Admin:R" /E
                    7⤵
                      PID:2296
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:640
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:N"
                        7⤵
                          PID:728
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\925e7e99c5" /P "Admin:R" /E
                          7⤵
                            PID:2352
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:2600
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1512
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:3260
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:3704

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe

                Filesize

                172KB

                MD5

                f3d4c9732520988f37640af8592b4d4f

                SHA1

                439c8330fafbb18ca5bfb910ba6072b0d6c344ea

                SHA256

                5308702f0f353193c42c209eb946a64d65aafb3b8543cfed37ef8b79a9477c11

                SHA512

                67d76224af187bbe39a9c7a3b6cea6becc77d887cc3ac89513d006f8331ce60506d783b2034a8a2083bda1767ea1fa9dbcc9a52a7f1fc554065ca2f1927bd2d9

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe

                Filesize

                359KB

                MD5

                1b5c60006cf65f19efde04faf393ff26

                SHA1

                79b21b5c269f61e83bded7046cac7a74c8d03a26

                SHA256

                5d444bb020b097b1a1601470bff8ed4f721ca9833ed2645d13e7bb941f933c92

                SHA512

                761a77a6ff1f8eda021d9827eb1a7af15d51ff792f1d34af0d965701e1eb756e148ace1f294cc753d1cc8469c0350b942cae76fccde6c206f5e574b22dd6662d

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe

                Filesize

                35KB

                MD5

                4d10444994d8bcb46db1b0169d70408c

                SHA1

                cb75bd6e3f9a211e3f6f0edd621c4d19f3cbb932

                SHA256

                f3f96017154ef1ac7b8a8e402b1f4ec838b4cbf90b17d91fbd41c9d80fe93b73

                SHA512

                ff14d0549a3f9aae43c2535970fcb73c7287603eaed8f6ef02865d1137e6d0a83349eb19d088c162ed140e01689b62beba29a3b0081a15d6d538f5bc4836692f

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe

                Filesize

                234KB

                MD5

                fc78db6faef23ec53cf6d28a8d2413e5

                SHA1

                909012f46132d8e495fbb87aa929a34896e0abff

                SHA256

                f64c365cf9ebf6b3d3c2c5fa5d606e6108cb7cbdca2d3c5a584265cdfe86af19

                SHA512

                94da1949fb511f63aecb67cd890c6da681df8d7e8cf363547ae789c092209cb1c6f93b3f2880beca3d76b8b9ce4da397c0fd8edf1476ea4b163cfd3915e7b560

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe

                Filesize

                11KB

                MD5

                4a52f5ac63c258eb43a31d19c1ef0f10

                SHA1

                e234ac66b801fe1be51c144206a811809b2b53ef

                SHA256

                45c201511196955b077ff6d298ab9d6f10cc394dfa6f91a746d10246db41ab00

                SHA512

                15c2c18b9b19fdbd6744b81687f92263114a363b1cc32af2483676ab465c4a9f4eac35553212f331808744c7abb159b25b521556ec5a5b766b468f93d6fbcbc7

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe

                Filesize

                223KB

                MD5

                6ea3f44322a07b398f06762b5a7e09a1

                SHA1

                af77a595623910bf513a34e8308ea69efb9a2a91

                SHA256

                2ad18f623171a8873c4d292125e8b1d2421172d6ba472d49f1d2988872b87266

                SHA512

                a4edbb71f501caa94c48c7a1c0e0766eb693e138e47aad8b59a695f313cb5322dda91d95225a1034db386c186103dbfe28f3a27e9c3d40c86a2721f33a04121a

              • memory/1512-49-0x0000000009F40000-0x0000000009F52000-memory.dmp

                Filesize

                72KB

              • memory/1512-48-0x000000000A000000-0x000000000A10A000-memory.dmp

                Filesize

                1.0MB

              • memory/1512-46-0x0000000004970000-0x0000000004976000-memory.dmp

                Filesize

                24KB

              • memory/1512-47-0x000000000A510000-0x000000000AB28000-memory.dmp

                Filesize

                6.1MB

              • memory/1512-45-0x0000000000190000-0x00000000001C0000-memory.dmp

                Filesize

                192KB

              • memory/1512-50-0x0000000009FA0000-0x0000000009FDC000-memory.dmp

                Filesize

                240KB

              • memory/1512-51-0x0000000002310000-0x000000000235C000-memory.dmp

                Filesize

                304KB

              • memory/1776-21-0x00007FFE3E773000-0x00007FFE3E775000-memory.dmp

                Filesize

                8KB

              • memory/1776-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

                Filesize

                40KB

              • memory/2600-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/2600-41-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB