
Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/05/2024, 14:47

General

  • Target

    d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe

  • Size

    359KB

  • MD5

    1c2abdcc881f4bff6162de485791a3fe

  • SHA1

    7cbe151af7d6a24026efee50a585397cb0d9c516

  • SHA256

    d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578

  • SHA512

    3e39497d21fddb205ae84be7a7e8265d6fda3070a885a19b1f45e996e04eb801ace5dfcedc04874325788ec3bf75f1f5ffe79297b34f82e0c7b98218c26b21a5

  • SSDEEP

    6144:K+y+bnr+qp0yN90QEAQegx/CUYC7Fhec0EfAAYXwwLo9/cItKNR/WU1Q90b6f:mMrCy90hljYWhEjA3/ztKNNxL6f

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe
    "C:\Users\Admin\AppData\Local\Temp\d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1616978.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1616978.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6376919.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6376919.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7062692.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7062692.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:2924
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4124
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:N"
              6⤵
              PID:1904
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:R" /E
              6⤵
              PID:3960
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:380
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:N"
              6⤵
              PID:2660
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:R" /E
              6⤵
              PID:4780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5161115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5161115.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4244
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:4384
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3988
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5161115.exe

    Filesize

    34KB

    MD5

    e94edffe362eed8baeaa80020f5548ad

    SHA1

    776cab8f4b6833f83ca82ba582677795ed881751

    SHA256

    5ba23cfcd045ec7a30c6b1c3c7e05ad6dd764e6feb4e23293982867c3b873b21

    SHA512

    4afb388548f3508294589b99953c8ef6b15dacd8bfac1ceaff0a601817cb3d75378c456f73c3a0a7bd60cbe8abf647ec8b5ccd5d29644ebb7dd1e48a06fe95d0

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1616978.exe

    Filesize

    234KB

    MD5

    3e7d88e75923b3a43c0dc45edbd01687

    SHA1

    7e2a6719ee8a4518c9586e07d2861cfc1281beb0

    SHA256

    b9c7a7b367eac344e59e867953a12db0ef2bffa4f94334a89d46d1a9269669c7

    SHA512

    ba53f9d6954573dc7342944c24a475220eb11da0061abf2ca63ac2fd7727a7e1b02f52d59172ae1a0b96c8c8bc7cee14ad0c1b5e836212b056e8da2dfd48c6e9

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6376919.exe

    Filesize

    12KB

    MD5

    4270b56d1cba3f64652be5749da3e078

    SHA1

    c416d45406184faacc5151b4ea58d5caafa1014d

    SHA256

    d2d155ac521e832b52466eeb0a22b34dec223edcd15b8ce1f9dbb9543ac2709e

    SHA512

    606411a690a5bbcf483173f601335211bda18081b71158aab6ab2bf7d2e9fd3640fe4299c2ff4b2abc6405f3a84f43167a8531b6cfe075466846f209a20b4a8d

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7062692.exe

    Filesize

    229KB

    MD5

    42df4bc7fa8cfaebce73b13076cf8b25

    SHA1

    5db3580f7a851e328410833e934f41870c102b1e

    SHA256

    aead07fe023fc99f873faa9ecdfb165bc0b1a7ad795aa9c05294aa2a41609443

    SHA512

    4524ae72bd1c620da0bb90c0e83480cf933dc3f511908e0eed8cfbfbe9d8eab0bec540ec887417329195f65fbb74a6d0ccf5dc836d1c080b4596f421e12fa2b2

  • memory/4244-33-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4684-14-0x0000000000750000-0x000000000075A000-memory.dmp

    Filesize

    40KB

  • memory/4684-15-0x00007FF9176A3000-0x00007FF9176A5000-memory.dmp

    Filesize

    8KB