Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
31d90edda9f...51.exe
windows7-x64
31d90edda9f...51.exe
windows10-2004-x64
101e44c41d8d...91.exe
windows10-2004-x64
101ed736973c...3e.exe
windows10-2004-x64
1040d54c2855...14.exe
windows10-2004-x64
1041c3e42a10...04.exe
windows10-2004-x64
10559234fc52...e2.exe
windows10-2004-x64
1055c06ba8dc...48.exe
windows10-2004-x64
1067045db960...01.exe
windows10-2004-x64
106d684b37ca...5c.exe
windows10-2004-x64
10755b6a534e...41.exe
windows10-2004-x64
1077cbabe9fe...cf.exe
windows7-x64
377cbabe9fe...cf.exe
windows10-2004-x64
10b0f8fc9921...32.exe
windows10-2004-x64
10b72cfb2517...df.exe
windows10-2004-x64
10ca6d56a637...da.exe
windows10-2004-x64
10cd303f71ad...fd.exe
windows10-2004-x64
10d7a90d1783...78.exe
windows10-2004-x64
10db14966ca7...cb.exe
windows7-x64
10db14966ca7...cb.exe
windows10-2004-x64
10e800205bb9...fd.exe
windows7-x64
3e800205bb9...fd.exe
windows10-2004-x64
10f8a2da44f9...41.exe
windows10-2004-x64
10fc8b501a18...d3.exe
windows7-x64
3fc8b501a18...d3.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:47
Static task
static1
Behavioral task
behavioral1
Sample
1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
40d54c2855f2d7fa637ffb916d28fb16513aa414f6fd1a641b34f92af0d12f14.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
41c3e42a10f8af49168bee5f6dea01eec1d5e814739aca0229cec79aa4fb5404.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
55c06ba8dc9fb792c52ed9ed716cf4f5500da9f73bb66c9ba720a9cb2b666648.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
755b6a534ecd54fe181f1ec9de55ba3fba4d9177430ed1586a6ecc6183812e41.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
Resource
win7-20240419-en
Behavioral task
behavioral13
Sample
77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b0f8fc992132e7592e37766b35451eaa7dfdbfd3d15abe0b8c692f700870b032.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
cd303f71adeaea183389fffb15fb03508d79b98f35d685735ce2273417b6d4fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe
Resource
win7-20240221-en
General
-
Target
d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe
-
Size
359KB
-
MD5
1c2abdcc881f4bff6162de485791a3fe
-
SHA1
7cbe151af7d6a24026efee50a585397cb0d9c516
-
SHA256
d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578
-
SHA512
3e39497d21fddb205ae84be7a7e8265d6fda3070a885a19b1f45e996e04eb801ace5dfcedc04874325788ec3bf75f1f5ffe79297b34f82e0c7b98218c26b21a5
-
SSDEEP
6144:K+y+bnr+qp0yN90QEAQegx/CUYC7Fhec0EfAAYXwwLo9/cItKNR/WU1Q90b6f:mMrCy90hljYWhEjA3/ztKNNxL6f
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral18/files/0x000800000002340f-13.dat healer behavioral18/memory/4684-14-0x0000000000750000-0x000000000075A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a6376919.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a6376919.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a6376919.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a6376919.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a6376919.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a6376919.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation danke.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation b7062692.exe -
Executes dropped EXE 8 IoCs
pid Process 2880 v1616978.exe 4684 a6376919.exe 4932 b7062692.exe 904 danke.exe 4244 c5161115.exe 4384 danke.exe 3988 danke.exe 1592 danke.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6376919.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1616978.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5161115.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5161115.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5161115.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2924 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4684 a6376919.exe 4684 a6376919.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4684 a6376919.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4932 b7062692.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2880 2724 d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe 83 PID 2724 wrote to memory of 2880 2724 d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe 83 PID 2724 wrote to memory of 2880 2724 d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe 83 PID 2880 wrote to memory of 4684 2880 v1616978.exe 85 PID 2880 wrote to memory of 4684 2880 v1616978.exe 85 PID 2880 wrote to memory of 4932 2880 v1616978.exe 87 PID 2880 wrote to memory of 4932 2880 v1616978.exe 87 PID 2880 wrote to memory of 4932 2880 v1616978.exe 87 PID 4932 wrote to memory of 904 4932 b7062692.exe 88 PID 4932 wrote to memory of 904 4932 b7062692.exe 88 PID 4932 wrote to memory of 904 4932 b7062692.exe 88 PID 2724 wrote to memory of 4244 2724 d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe 89 PID 2724 wrote to memory of 4244 2724 d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe 89 PID 2724 wrote to memory of 4244 2724 d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe 89 PID 904 wrote to memory of 2924 904 danke.exe 90 PID 904 wrote to memory of 2924 904 danke.exe 90 PID 904 wrote to memory of 2924 904 danke.exe 90 PID 904 wrote to memory of 1380 904 danke.exe 92 PID 904 wrote to memory of 1380 904 danke.exe 92 PID 904 wrote to memory of 1380 904 danke.exe 92 PID 1380 wrote to memory of 4124 1380 cmd.exe 94 PID 1380 wrote to memory of 4124 1380 cmd.exe 94 PID 1380 wrote to memory of 4124 1380 cmd.exe 94 PID 1380 wrote to memory of 1904 1380 cmd.exe 95 PID 1380 wrote to memory of 1904 1380 cmd.exe 95 PID 1380 wrote to memory of 1904 1380 cmd.exe 95 PID 1380 wrote to memory of 3960 1380 cmd.exe 96 PID 1380 wrote to memory of 3960 1380 cmd.exe 96 PID 1380 wrote to memory of 3960 1380 cmd.exe 96 PID 1380 wrote to memory of 380 1380 cmd.exe 97 PID 1380 wrote to memory of 380 1380 cmd.exe 97 PID 1380 wrote to memory of 380 1380 cmd.exe 97 PID 1380 wrote to memory of 2660 1380 cmd.exe 98 PID 1380 wrote to memory of 2660 1380 cmd.exe 98 PID 1380 wrote to memory of 2660 1380 cmd.exe 98 PID 1380 wrote to memory of 4780 1380 cmd.exe 99 PID 1380 wrote to memory of 4780 1380 cmd.exe 99 PID 1380 wrote to memory of 4780 1380 cmd.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe"C:\Users\Admin\AppData\Local\Temp\d7a90d17836776eedb35136022c7ba7fe79203cc0b8c97e790b459c0afd5e578.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1616978.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1616978.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6376919.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6376919.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7062692.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7062692.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F5⤵
- Creates scheduled task(s)
PID:2924
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4124
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"6⤵PID:1904
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E6⤵PID:3960
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:380
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"6⤵PID:2660
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E6⤵PID:4780
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5161115.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5161115.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4244
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:4384
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:3988
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:1592
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5e94edffe362eed8baeaa80020f5548ad
SHA1776cab8f4b6833f83ca82ba582677795ed881751
SHA2565ba23cfcd045ec7a30c6b1c3c7e05ad6dd764e6feb4e23293982867c3b873b21
SHA5124afb388548f3508294589b99953c8ef6b15dacd8bfac1ceaff0a601817cb3d75378c456f73c3a0a7bd60cbe8abf647ec8b5ccd5d29644ebb7dd1e48a06fe95d0
-
Filesize
234KB
MD53e7d88e75923b3a43c0dc45edbd01687
SHA17e2a6719ee8a4518c9586e07d2861cfc1281beb0
SHA256b9c7a7b367eac344e59e867953a12db0ef2bffa4f94334a89d46d1a9269669c7
SHA512ba53f9d6954573dc7342944c24a475220eb11da0061abf2ca63ac2fd7727a7e1b02f52d59172ae1a0b96c8c8bc7cee14ad0c1b5e836212b056e8da2dfd48c6e9
-
Filesize
12KB
MD54270b56d1cba3f64652be5749da3e078
SHA1c416d45406184faacc5151b4ea58d5caafa1014d
SHA256d2d155ac521e832b52466eeb0a22b34dec223edcd15b8ce1f9dbb9543ac2709e
SHA512606411a690a5bbcf483173f601335211bda18081b71158aab6ab2bf7d2e9fd3640fe4299c2ff4b2abc6405f3a84f43167a8531b6cfe075466846f209a20b4a8d
-
Filesize
229KB
MD542df4bc7fa8cfaebce73b13076cf8b25
SHA15db3580f7a851e328410833e934f41870c102b1e
SHA256aead07fe023fc99f873faa9ecdfb165bc0b1a7ad795aa9c05294aa2a41609443
SHA5124524ae72bd1c620da0bb90c0e83480cf933dc3f511908e0eed8cfbfbe9d8eab0bec540ec887417329195f65fbb74a6d0ccf5dc836d1c080b4596f421e12fa2b2