Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0e13a10fd6...cb.exe

windows10-2004-x64

10

0f3fc05fe2...99.exe

windows10-2004-x64

10

1437361c67...55.exe

windows10-2004-x64

10

23bea5b85d...33.exe

windows10-2004-x64

10

27054c4ef8...56.exe

windows10-2004-x64

10

2b700615cb...c1.exe

windows10-2004-x64

10

30fb90dbd1...b4.exe

windows10-2004-x64

10

312c299a84...a6.exe

windows7-x64

3

312c299a84...a6.exe

windows10-2004-x64

10

35d50aca92...42.exe

windows10-2004-x64

10

627c0990f7...d9.exe

windows10-2004-x64

10

65db5d7052...3e.exe

windows10-2004-x64

10

677afbc183...fd.exe

windows7-x64

3

677afbc183...fd.exe

windows10-2004-x64

10

841ea03e18...82.exe

windows10-2004-x64

10

85594a9dff...ab.exe

windows10-2004-x64

10

8c7a2623ea...7d.exe

windows10-2004-x64

10

9a0ecac5f6...8e.exe

windows10-2004-x64

10

adaea581d9...c2.exe

windows10-2004-x64

10

c64d3873d4...2e.exe

windows10-2004-x64

10

ffa14d4c0b...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55.exe

  • Size

    390KB

  • MD5

    461a41b00e56b7edc7c954b28a7ab0f3

  • SHA1

    4b60bd82ddaf0916bda391168caafa6813c8d184

  • SHA256

    1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55

  • SHA512

    290ae015d12adb975cd1d5fd757e83be03d1de7e6b5b78ca06f8bab8aef88fb395d6d0b78393d1b5ab1be5b9f48146e247c09c7962d541a341f75c31fc123e46

  • SSDEEP

    6144:KXy+bnr+1p0yN90QE+susNp+TPHNPdk1deU/4KlvZimAKtvqoDbcG4hJQURF0:hMrly908MHuPHzGeUPR5AiTbQHR+

Score
10/10
amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55.exe
    "C:\Users\Admin\AppData\Local\Temp\1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5224
        • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
          "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:2156
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:5336
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "legola.exe" /P "Admin:N"
                6⤵
                  PID:2428
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "legola.exe" /P "Admin:R" /E
                  6⤵
                    PID:5208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:6060
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\ebb444342c" /P "Admin:N"
                      6⤵
                        PID:4540
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\ebb444342c" /P "Admin:R" /E
                        6⤵
                          PID:4920
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4795198.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4795198.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4804
              • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                1⤵
                • Executes dropped EXE
                PID:1280
              • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                1⤵
                • Executes dropped EXE
                PID:4020

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4795198.exe
                Filesize

                172KB

                MD5

                13bfd044f0c8e0094d8d3034ab2e0799

                SHA1

                5085edca67bb69cda5293df2f6b7e4dc34d28ca2

                SHA256

                6cac6f1c34de64aee0f3c06ac59ca03dfe13ed95d54424e4324f43e1543450b3

                SHA512

                c28f3b8cf22afcdde6199fb74df2ecf4b71ada46d7ba4ac74e36d912c2d90dcc7c03784247305a2051e0d74a94abbd2dcd2613591f6cde86a8e3b9f290a26f49

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe
                Filesize

                234KB

                MD5

                25cb0b8858e09d787c3ebdfedb3a3c00

                SHA1

                494d389aa2c8562749b61261c58bfd86487fe489

                SHA256

                8018e1b6a8a774d26b17404f0efd8e921ffc3d98d759b8ef4a379416bea956d2

                SHA512

                ba6d310809ffce0489777f563bcd334183dfce169e6ae55d6dc265f9c54d1faf4dd7780ee1823c28c4c91e1d12f4171a9bae4cd9078649e52089253a07710684

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe
                Filesize

                11KB

                MD5

                ebc18c0930b24f701d6a53185a72939c

                SHA1

                1049cec9e7bb27d735ae447286aa18d7e1993dad

                SHA256

                b2501b84803871c8fdef2b7f65de00ac2480d84da05515f29b299cfc6585657e

                SHA512

                5ceca9604513b89dbed91f154ff4151368c686804b27cdc1acdaa9ffaddf1a32e47189a5160c22597a97fefbcc76de24e260e89bfabb0936702ebb9a411c0470

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe
                Filesize

                223KB

                MD5

                4541e5a1e02ea96db339a8751deba945

                SHA1

                45169ee283e91af3450a06ca7488aee3e1541ee0

                SHA256

                76a230e48a3d7015f378a294877f2f76f7cd9345e3638d760318a1a8689d818d

                SHA512

                b43f6733b30b52d62d33a761eea3ef69d6372fc441101a3393217bd5256085296d3113e1435afbd3c362928c79cfd0608974bff71d4e5beb6443b6069808871f

                Download Submit

              • memory/3180-14-0x00007FF990463000-0x00007FF990465000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3180-15-0x0000000000F60000-0x0000000000F6A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4804-33-0x0000000000330000-0x0000000000360000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4804-34-0x0000000004C10000-0x0000000004C16000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4804-35-0x0000000005270000-0x0000000005888000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4804-36-0x0000000004D80000-0x0000000004E8A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4804-37-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4804-38-0x0000000004D20000-0x0000000004D5C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4804-39-0x0000000004E90000-0x0000000004EDC000-memory.dmp

                Filesize

                304KB

                Download