
Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/05/2024, 17:47

General

  • Target

    6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe

  • Size

    389KB

  • MD5

    54c918a054a58d3fe6838ce4c31344ae

  • SHA1

    84132b9e7a9dfb09181d37588e2d69c9dfa7d8c7

  • SHA256

    6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1

  • SHA512

    2847ba4171fd4a050fce828595c3b066de2b69afff4f5d72877d36c24f14db541610d6260cd44c7530fc026792c1b5fae9f93b8b7dd18eaa870f9d86b14bf091

  • SSDEEP

    6144:K0y+bnr+Xp0yN90QEcHiyKnpVK7KFibk30yxOF+2SlqcK+usm64j1pSSQAJM2Y:cMrPy90GSpk7KwbbyxwMqcRusmDZG

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514
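The two extracted configs above are the most actionable part of this report for a defender: the Amadey C2 plus its url_paths gives a full HTTP beacon endpoint, and the RedLine C2 is a bare host:port. The following is an added example, not part of the Triage report, showing how to turn those values into indicators and run them over log lines. The proxy and connection log formats are an assumption (adapt the two regexes to your source) and the sample log lines are constructed, not captured from this run.

```python
"""Turn the extracted Amadey / RedLine configs into network indicators and
run them over log lines.  Added example, not part of the Triage report;
the log lines at the bottom are constructed, not captured from this run."""
import re
from urllib.parse import urlparse

# Values copied from the Malware Config section above.
AMADEY_C2 = "http://5.42.92.67"
AMADEY_URL_PATHS = ["/norm/index.php"]
REDLINE_C2 = "77.91.68.68:19071"


def build_indicators():
    """Derive matchable indicators: (host, path) endpoints for the Amadey
    HTTP beacon, the RedLine TCP socket, and the bare IPs as a fallback."""
    am = urlparse(AMADEY_C2)
    am_port = am.port or (443 if am.scheme == "https" else 80)
    rl_ip, rl_port = REDLINE_C2.rsplit(":", 1)
    return {
        "amadey_endpoints": {(am.hostname, p) for p in AMADEY_URL_PATHS},
        "amadey_socket": (am.hostname, am_port),
        "redline_socket": (rl_ip, int(rl_port)),
        "ips": {am.hostname, rl_ip},
    }


# Assumed log formats: "<ts> <src> <METHOD> <url> <status>" for a proxy log
# and "<ts> <src>:<port> -> <dst>:<port> <proto>" for a connection log.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")


def classify_proxy(line, ind):
    m = PROXY_RE.match(line)
    if not m:
        return None
    u = urlparse(m["url"])
    # Match on host + path only, so a query string or a different port on
    # the same endpoint does not defeat the indicator.
    if (u.hostname, u.path) in ind["amadey_endpoints"]:
        return "amadey-c2-beacon"
    if u.hostname in ind["ips"]:
        return "known-c2-ip"
    return None


def classify_conn(line, ind):
    m = CONN_RE.match(line)
    if not m:
        return None
    sock = (m["dst"], int(m["dport"]))
    if sock == ind["redline_socket"]:
        return "redline-c2"
    if sock == ind["amadey_socket"]:
        return "amadey-c2"
    if m["dst"] in ind["ips"]:
        return "known-c2-ip"  # same host, unexpected port: still worth a look
    return None


def scan(lines, ind):
    """Return [(line_number, tag)] for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        tag = classify_proxy(line, ind) or classify_conn(line, ind)
        if tag:
            hits.append((n, tag))
    return hits


SAMPLE_LOG = [  # constructed sample, not from the sandbox run
    "2024-05-09T17:48:01Z 10.0.0.5 POST http://5.42.92.67/norm/index.php?id=1 200",
    "2024-05-09T17:48:02Z 10.0.0.5 GET http://example.com/ 200",
    "2024-05-09T17:48:05Z 10.0.0.5:49812 -> 77.91.68.68:19071 tcp",
    "2024-05-09T17:48:06Z 10.0.0.5:49813 -> 93.184.216.34:443 tcp",
    "2024-05-09T17:48:09Z 10.0.0.5:49814 -> 5.42.92.67:8080 tcp",
]

if __name__ == "__main__":
    for n, tag in scan(SAMPLE_LOG, build_indicators()):
        print(f"line {n}: {tag}: {SAMPLE_LOG[n - 1]}")
```

The endpoint match deliberately ignores the query string and port: a beacon to the same host and path with a different `?id=` or on a non-standard port should still hit, while a connection to a known C2 IP on an unexpected port is reported at lower confidence rather than dropped.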

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe
    "C:\Users\Admin\AppData\Local\Temp\6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4056
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
          "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3364
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5012
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:1428
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "legola.exe" /P "Admin:N"
              6⤵
              PID:4492
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "legola.exe" /P "Admin:R" /E
              6⤵
              PID:1420
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:2124
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\ebb444342c" /P "Admin:N"
              6⤵
              PID:3384
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\ebb444342c" /P "Admin:R" /E
              6⤵
              PID:3336
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe
      2⤵
      • Executes dropped EXE
      PID:2404
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:1000
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:2740
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1596
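The legola.exe subtree above is the Amadey persistence chain in one picture: the dropped binary registers a scheduled task that re-launches it every minute (the two later legola.exe instances at level 1, PIDs 1000 and 2740, are that task firing), then runs cacls to set "Admin:N" (no access) on its own file and install directory before re-granting read-only, which blocks the logged-on user from simply deleting it. The following is an added example, not part of the Triage report, that detects this pattern in process-creation telemetry: it attributes each schtasks and cacls invocation to the nearest ancestor running from a user-writable path and flags an owner that shows both behaviours. The records are constructed from the command lines in the tree above plus one constructed benign control; the icacls `/deny` alternative in the regex is an assumption about variants, not something this sample does.

```python
"""Flag the persistence chain visible in the process tree above: a binary
running from a user-writable directory registers a scheduled task that
re-launches it every minute, then spawns cacls to deny the logged-on user
access to the dropped file and directory.  Added example, not part of the
Triage report; the records are constructed from the report's command lines
plus one benign control."""
import re

# (pid, parent pid, command line).  Constructed from the tree above.
RECORDS = [
    (3400, 1168, r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe'),
    (3364, 3400, r'"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"'),
    (3580, 3364, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                 r'/TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F'),
    (5012, 3364, r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"'
                 r'&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"'
                 r'&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit'),
    (4492, 5012, r'CACLS "legola.exe" /P "Admin:N"'),
    (3384, 5012, r'CACLS "..\ebb444342c" /P "Admin:N"'),
    (1596, 0, r'C:\Windows\system32\sc.exe start wuauserv'),
    # Benign control (constructed): a daily task whose action lives in System32.
    (7000, 0, r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Windows\System32\backup.cmd"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# cacls "<target>" /P "<user>:N" denies all access; the icacls /deny form is an
# assumed variant, not seen in this sample.
ACL_DENY = re.compile(
    r'\bcacls(?:\.exe)?\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<user>[^":\s]+):N\b'
    r'|\bicacls(?:\.exe)?\s+"?(?P<itarget>[^"\s]+)"?\s+/deny\s+"?(?P<iuser>[^":\s]+):',
    re.I)


def flag(cmd, name):
    """Value of a /NAME argument (quoted or bare), or None."""
    m = re.search(r'/%s\s+(?:"([^"]+)"|(\S+))' % name, cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def image_of(cmd):
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def owner_of(pid, by_pid):
    """Nearest ancestor (or self) whose image runs from a user-writable path."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, cmd = by_pid[pid]
        if USER_WRITABLE.search(image_of(cmd)):
            return pid
        pid = ppid
    return None


def analyze(records):
    """Map owner pid -> set of (kind, detail) findings."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in records}
    findings = {}
    for pid, _ppid, cmd in records:
        hits = set()
        if re.search(r"\bschtasks(?:\.exe)?\b", cmd, re.I) and re.search(r"/Create\b", cmd, re.I):
            sc, mo, tr = flag(cmd, "SC"), flag(cmd, "MO"), flag(cmd, "TR")
            # A 1-minute repeat whose action lives in a user-writable path is the
            # pattern in this report; a daily task into System32 is left alone.
            if sc and sc.upper() == "MINUTE" and mo == "1" and tr and USER_WRITABLE.search(tr):
                hits.add(("minute_task", tr))
        for m in ACL_DENY.finditer(cmd):
            hits.add(("acl_deny", m.group("target") or m.group("itarget")))
        if hits:
            findings.setdefault(owner_of(pid, by_pid), set()).update(hits)
    return findings


def verdict(findings):
    out = {}
    for owner, hits in findings.items():
        kinds = {k for k, _ in hits}
        if {"minute_task", "acl_deny"} <= kinds:
            out[owner] = "amadey-style persistence (minute task + self ACL lock)"
        elif "minute_task" in kinds:
            out[owner] = "minute-interval task from user-writable path"
        else:
            out[owner] = "ACL lock on own files"
    return out


if __name__ == "__main__":
    for owner, text in verdict(analyze(RECORDS)).items():
        print(owner, text)
```

Attributing to the owner rather than alerting on each child matters here: the cacls calls arrive through an intermediate cmd.exe, and the schtasks call through a System32 image, so a rule keyed on the immediate parent would see four unrelated low-severity events instead of one persistence chain tied to legola.exe.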

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe
    • Filesize
      173KB
    • MD5
      9c4c016fc3d3e33c3c40210d5662e5de
    • SHA1
      eac9ecdf3df4d559837dc771a27d13897cf43f5a
    • SHA256
      fa89aaf9d9d40f1eadb1b7be875c2404e2cb353b75d5cd2a773aff3174dbba60
    • SHA512
      c4b490fb0b482c5f3ce5d2ac25c18d1b489ea9b21b2418c580d641f7fdd1bacd8ff6a06594835199fae16dd9ec9e352920a3b6b0fcdfa8475dbeda573e195f3e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe
    • Filesize
      234KB
    • MD5
      586d8efec84ddbcd7d95fb2e3003020b
    • SHA1
      a4703fec900fdb713ab3e10da5d06ca552bf41ec
    • SHA256
      75a0d266a2929f38d13b530c9127aa5429d9a26651a346e695d84f7ae97f5109
    • SHA512
      b52dfb27a176c061285be5709fe0127e498a7b1360d91bc02f36cd0784499e39c2f42766fd5f943d635e3d5a08aed81e6ee43770185fc969263fc0c38d0a03f3

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe
    • Filesize
      11KB
    • MD5
      9047f06f90f6bcfc55824596c7d9f6ed
    • SHA1
      f1f3342a87a4435e82123523d1f82c65347ed2b4
    • SHA256
      357f195c3f5dd7b9c25b37254b8163d60a84266b4db5fa0316043316cdf9eefe
    • SHA512
      2dba7866b439eb6084979be042b0c7ab6ce93b783dceb9891a464dbdbff5ed34e69e6d10bb13c74af7919c6e73fad2b393e9c8564ffcbf8ab8ea2dd76c77cdd2

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe
    • Filesize
      223KB
    • MD5
      4fe9e60866f4c6480ece922aff5fd498
    • SHA1
      c637eb736db34dce7786ddf20acd35a8954a635a
    • SHA256
      fdf2d3f0e61d8c9e7566f585f50f465bdc8318220247c55460a117d576c35275
    • SHA512
      efbb56a37935e87dea20813fadd6cf91ea0e1aea797d6f5e76fc83f64803cee5ba7b82a61858c40dfdc4ef0dae3844fd443c2e856f3a557b7d1e056bd262c08e

  • memory/2404-36-0x000000000ADF0000-0x000000000AEFA000-memory.dmp
    • Filesize
      1.0MB

  • memory/2404-33-0x0000000000F80000-0x0000000000FB0000-memory.dmp
    • Filesize
      192KB

  • memory/2404-34-0x00000000057A0000-0x00000000057A6000-memory.dmp
    • Filesize
      24KB

  • memory/2404-35-0x000000000B280000-0x000000000B898000-memory.dmp
    • Filesize
      6.1MB

  • memory/2404-37-0x000000000AD30000-0x000000000AD42000-memory.dmp
    • Filesize
      72KB

  • memory/2404-38-0x000000000AD90000-0x000000000ADCC000-memory.dmp
    • Filesize
      240KB

  • memory/2404-39-0x0000000005270000-0x00000000052BC000-memory.dmp
    • Filesize
      304KB

  • memory/4056-14-0x0000000000190000-0x000000000019A000-memory.dmp
    • Filesize
      40KB

  • memory/4056-15-0x00007FFF846E3000-0x00007FFF846E5000-memory.dmp
    • Filesize
      8KB