Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

00dd845a27...d6.exe

windows10-2004-x64

10

0e4f6fa259...f8.exe

windows10-2004-x64

10

160cf91bb4...9b.exe

windows10-2004-x64

10

2469003f42...fb.exe

windows10-2004-x64

10

37d87e8c1a...0c.exe

windows10-2004-x64

10

4c3f025b17...a7.exe

windows10-2004-x64

10

4de214f155...f2.exe

windows10-2004-x64

10

4fe5ee134e...25.exe

windows10-2004-x64

10

5bc4a6b3d5...f6.exe

windows10-2004-x64

10

62325240aa...fc.exe

windows10-2004-x64

10

77ac4e5ef8...53.exe

windows10-2004-x64

10

78a2f3c49d...66.exe

windows10-2004-x64

10

7c1372b4b0...fc.exe

windows10-2004-x64

10

7cd3eb4cd6...0e.exe

windows10-2004-x64

10

7dee432d6d...a7.exe

windows10-2004-x64

10

a277894fe9...7d.exe

windows10-2004-x64

10

cd0d56c5ce...15.exe

windows10-2004-x64

10

d304eb3331...e2.exe

windows10-2004-x64

10

d3dd28146b...8b.exe

windows10-2004-x64

10

ece19c5d5c...54.exe

windows10-2004-x64

10

f9789caac1...5f.exe

windows7-x64

10

f9789caac1...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 18:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe

  • Size

    1.2MB

  • MD5

    dcd9239b4bb709fc94e727b9ee27967c

  • SHA1

    8ef4e373ab58a741760183d789277198dfde7ba9

  • SHA256

    4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7

  • SHA512

    1c9d81725cbf5b0eec0ca4c2cd61b4e9d0da644dc6c8d64877c46f11a732f4d3467f212065eef436c9892872a832b865d7d5489a7eeeda90891330ebce036ae0

  • SSDEEP

    24576:AyUqqXwz+yZ7ocKLgR86dxL5R44FKMeeJ6qQp+iRCLP8rxk8T1fxg+n4GA:HUXwz+yZUcKLgRFdxL5WMeeJo4LEk8TX

Score
10/10
amadeymysticredline59b440mrakinfostealerpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe
    "C:\Users\Admin\AppData\Local\Temp\4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9077140.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9077140.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3076544.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3076544.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0868718.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0868718.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4192
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3349439.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3349439.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1360
            • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:752
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:4196
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1388
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:4560
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:N"
                    8⤵
                      PID:1980
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:R" /E
                      8⤵
                        PID:4252
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:4680
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:N"
                          8⤵
                            PID:2172
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:R" /E
                            8⤵
                              PID:364
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe
                        5⤵
                        • Executes dropped EXE
                        PID:4728
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe
                      4⤵
                      • Executes dropped EXE
                      PID:4984
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1852
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1600
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:3828

              Network

              • flag-us
                DNS
                8.8.8.8.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                8.8.8.8.in-addr.arpa
                IN PTR
                Response
                8.8.8.8.in-addr.arpa
                IN PTR
                dnsgoogle
              • flag-us
                DNS
                217.106.137.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                217.106.137.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                240.221.184.93.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                240.221.184.93.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                140.32.126.40.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                140.32.126.40.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                95.221.229.192.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                95.221.229.192.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                97.17.167.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                97.17.167.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                56.126.166.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                56.126.166.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                26.165.165.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                26.165.165.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                30.243.111.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                30.243.111.52.in-addr.arpa
                IN PTR
                Response
              • 77.91.68.18:80
                saves.exe
                260 B
                 5
              • 77.91.124.82:19071
                n7482544.exe
                260 B
                 5
              • 77.91.124.82:19071
                n7482544.exe
                260 B
                 5
              • 77.91.68.18:80
                saves.exe
                260 B
                 5
              • 77.91.124.82:19071
                n7482544.exe
                260 B
                 5
              • 77.91.68.18:80
                saves.exe
                260 B
                 5
              • 77.91.124.82:19071
                n7482544.exe
                260 B
                 5
              • 77.91.124.82:19071
                n7482544.exe
                260 B
                 5
              • 77.91.124.82:19071
                n7482544.exe
                260 B
                 5
              • 8.8.8.8:53
                8.8.8.8.in-addr.arpa
                dns
                66 B
                 90 B
                 1
                1

                DNS Request

                8.8.8.8.in-addr.arpa

              • 8.8.8.8:53
                217.106.137.52.in-addr.arpa
                dns
                73 B
                 147 B
                 1
                1

                DNS Request

                217.106.137.52.in-addr.arpa

              • 8.8.8.8:53
                240.221.184.93.in-addr.arpa
                dns
                73 B
                 144 B
                 1
                1

                DNS Request

                240.221.184.93.in-addr.arpa

              • 8.8.8.8:53
                140.32.126.40.in-addr.arpa
                dns
                72 B
                 158 B
                 1
                1

                DNS Request

                140.32.126.40.in-addr.arpa

              • 8.8.8.8:53
                95.221.229.192.in-addr.arpa
                dns
                73 B
                 144 B
                 1
                1

                DNS Request

                95.221.229.192.in-addr.arpa

              • 8.8.8.8:53
                97.17.167.52.in-addr.arpa
                dns
                71 B
                 145 B
                 1
                1

                DNS Request

                97.17.167.52.in-addr.arpa

              • 8.8.8.8:53
                56.126.166.20.in-addr.arpa
                dns
                72 B
                 158 B
                 1
                1

                DNS Request

                56.126.166.20.in-addr.arpa

              • 8.8.8.8:53
                26.165.165.52.in-addr.arpa
                dns
                72 B
                 146 B
                 1
                1

                DNS Request

                26.165.165.52.in-addr.arpa

              • 8.8.8.8:53
                30.243.111.52.in-addr.arpa
                dns
                72 B
                 158 B
                 1
                1

                DNS Request

                30.243.111.52.in-addr.arpa

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9077140.exe
                Filesize

                1.1MB

                MD5

                6c5629162c8404822ccc15b2c58ece70

                SHA1

                508a02ed32266dc74810e0a1e4820bca4ed82dc3

                SHA256

                79d234cd978fb4b1532633309a5079a8c6916791a27bae598c69a49257c72264

                SHA512

                a6fbc71a10fe3e5c056ab86915dbc2b85f823f164226f805144b40af31ad9e837f8a7e846c10ab620f2b422ea030de60dc3a749bac30cdb2b7397f923c658bfa

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3076544.exe
                Filesize

                475KB

                MD5

                0c2fc1a1074e1b48e74f671d826438c4

                SHA1

                d32d61c3b7b9d39da08e7c8564acd9f38274d730

                SHA256

                93d4e6083e31f1757777b7ccaaa9537677b632e06202c1af36dae9b7d10252a9

                SHA512

                ee782aecca70529fc292377b71aef82c650485682c1c236db3ca79eb9086605424a9dd1c85e102b064e95f4a809bc8e60a7be9547ebb9e6f49fb497de95ee498

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7482544.exe
                Filesize

                174KB

                MD5

                b841b67fe0267b0f91658e604b2d972c

                SHA1

                733d473c0c96d1b749866f63fe6c5727217d9d97

                SHA256

                fa8cd02ef80c12e3bf9b6d16317181ff7208b4c6584a9894cd270109f3a6455e

                SHA512

                6e8229fbb16e9004226ba9e7eb48b3f95dba7b6415cf17c5e6c2f4896b6e7eaba42bb37573abc271eb0f7724ec287e0ea995e9b9d41da3374cf231fe4e309fb4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0868718.exe
                Filesize

                319KB

                MD5

                cbffa97af79a8a71ace90f125bd19853

                SHA1

                8004dc02abe1891faf93fef8cfd508a890958dd1

                SHA256

                ac6327eb3c3155fa64ff851c7c07b6c07c63ac0c430c010452657657d1b6d38d

                SHA512

                778f9fe27a47741e482f9979cc799ac9dbe8724eca7d97f6648590dd43dc347e51053ef1390105bee756e529c3c6a1bb59199e54261cb00dfa079cfd68f6afd9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3349439.exe
                Filesize

                337KB

                MD5

                ec69365719ae7b104380ce1f4625cb73

                SHA1

                fabc244540a28c16c8bee3d13121559f1191fcf2

                SHA256

                1fcc7d20ba3469da25be3c7e9ad9b7f51e2a1a19af1ce00a223ec25b5501daaf

                SHA512

                163aa5d05945e63d80f42b484ba531bcec4b966b04c046c93ba1c87947f955d8aef1ef76c3095ad3a03beed4c0eb5fa98871ccf3a05ca92706d957276b716bcf

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4258000.exe
                Filesize

                142KB

                MD5

                89d575bec105c59389672a253e97d0a0

                SHA1

                6cd99bc5c44a9a3783d39ba681809a98e4c03473

                SHA256

                89219073267b666e9bc4c2985b34a1639bce0fab011846bb69dc5e6a078239f3

                SHA512

                78be1fca5f43fae5f36793234244e30226c94c88c78cb6a0b77a64d8110336744f9f73a13921f5bd3ea4184cbc1f00ada6352a0f5027812d4834ac3620d3c4d6

                Download Submit

              • memory/4984-43-0x0000000000CD0000-0x0000000000D00000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4984-44-0x0000000002E80000-0x0000000002E86000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4984-45-0x0000000005C70000-0x0000000006288000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4984-46-0x0000000005760000-0x000000000586A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4984-47-0x0000000005650000-0x0000000005662000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4984-48-0x00000000056B0000-0x00000000056EC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4984-49-0x0000000005700000-0x000000000574C000-memory.dmp

                Filesize

                304KB

                Download

              We care about your privacy.

              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.