Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/05/2024, 09:40 UTC

General

  • Target

    9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe

  • Size

    476KB

  • MD5

    eb39a2b3c68d99216a38cb0593f82005

  • SHA1

    c50ccd4606ad7793cd469ceb9609974f942778f9

  • SHA256

    9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009

  • SHA512

    87c900f447fc115cb79ff8597fa01705ffe8bba0bfe7a8b42a51ff69a949f9d67c13ff9240946aa9d300c90ef397488762563ebb0e1120463602708d996e03db

  • SSDEEP

    12288:VMrAy90EDRCEym1LQ9KRwEXYp7G9TnJQ3Ckltu3:JytRtZQ9KqEABg3

Malware Config

Extracted

  • Family: amadey
  • Version: 3.87
  • Botnet: 59b440
  • C2: http://77.91.68.18
  • Attributes
    install_dir: b40d11255d
    install_file: saves.exe
    strings_key: fa622dfc42544927a6471829ee1fa9fe
    url_paths: /nice/index.php
  • rc4.plain: 006700e5a2ab05704bbb0c589b88924d

Extracted

  • Family: redline
  • Botnet: mrak
  • C2: 77.91.124.82:19071
  • Attributes
    auth_value: 7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
    "C:\Users\Admin\AppData\Local\Temp\9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
          "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3484
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3224
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:548
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "saves.exe" /P "Admin:N"
              6⤵
              PID:3964
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "saves.exe" /P "Admin:R" /E
              6⤵
              PID:772
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4052
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\b40d11255d" /P "Admin:N"
              6⤵
              PID:4088
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\b40d11255d" /P "Admin:R" /E
              6⤵
              PID:1436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe
        3⤵
        • Executes dropped EXE
        PID:4060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe
      2⤵
      • Executes dropped EXE
      PID:4584
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:696
  • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    1⤵
    • Executes dropped EXE
    PID:4764
  • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    1⤵
    • Executes dropped EXE
    PID:4836

Network

DNS (all queries sent to 8.8.8.8:53, flag-us)

  • 133.211.185.52.in-addr.arpa
    Request: 133.211.185.52.in-addr.arpa IN PTR
    Response:
  • 240.221.184.93.in-addr.arpa
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response:
  • 140.32.126.40.in-addr.arpa
    Request: 140.32.126.40.in-addr.arpa IN PTR
    Response:
  • 104.219.191.52.in-addr.arpa
    Request: 104.219.191.52.in-addr.arpa IN PTR
    Response:
  • 154.239.44.20.in-addr.arpa
    Request: 154.239.44.20.in-addr.arpa IN PTR
    Response:
  • 157.123.68.40.in-addr.arpa
    Request: 157.123.68.40.in-addr.arpa IN PTR
    Response:
  • 198.187.3.20.in-addr.arpa
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response:
  • 203.107.17.2.in-addr.arpa
    Request: 203.107.17.2.in-addr.arpa IN PTR
    Response: 203.107.17.2.in-addr.arpa IN PTR a2-17-107-203.deploy.static.akamaitechnologies.com
  • 48.229.111.52.in-addr.arpa
    Request: 48.229.111.52.in-addr.arpa IN PTR
    Response:
  • 172.210.232.199.in-addr.arpa
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response:
  • 26.173.189.20.in-addr.arpa
    Request: 26.173.189.20.in-addr.arpa IN PTR
    Response:

Connections

  • 77.91.68.18:80  saves.exe  260 B  5
  • 77.91.124.82:19071  t4662464.exe  260 B  5
  • 77.91.124.82:19071  t4662464.exe  260 B  5
  • 77.91.68.18:80  saves.exe  260 B  5
  • 77.91.124.82:19071  t4662464.exe  260 B  5
  • 77.91.68.18:80  saves.exe  260 B  5
  • 77.91.124.82:19071  t4662464.exe  260 B  5
  • 77.91.124.82:19071  t4662464.exe  260 B  5
  • 8.8.8.8:53  133.211.185.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 133.211.185.52.in-addr.arpa
  • 8.8.8.8:53  240.221.184.93.in-addr.arpa  dns  73 B  144 B  1  1
    DNS Request: 240.221.184.93.in-addr.arpa
  • 8.8.8.8:53  140.32.126.40.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 140.32.126.40.in-addr.arpa
  • 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 104.219.191.52.in-addr.arpa
  • 8.8.8.8:53  154.239.44.20.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 154.239.44.20.in-addr.arpa
  • 8.8.8.8:53  157.123.68.40.in-addr.arpa  dns  72 B  146 B  1  1
    DNS Request: 157.123.68.40.in-addr.arpa
  • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53  203.107.17.2.in-addr.arpa  dns  71 B  135 B  1  1
    DNS Request: 203.107.17.2.in-addr.arpa
  • 8.8.8.8:53  48.229.111.52.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 48.229.111.52.in-addr.arpa
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B  128 B  1  1
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53  26.173.189.20.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 26.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe
    Filesize: 174KB
    MD5: ee9b4f0c162d2daa941050ab28499d58
    SHA1: 18ada0317d2aa4b1446f0ee4ab6f008c513efa0e
    SHA256: 5a1202d3c20b0701f7a5c8f95431f5836ff2ac3958508fd32b2a9cfff3e013aa
    SHA512: 056f38c7a1ca30985b2d8e8d4c0d3f9eae742476e71f572b36a26f40417ac989705456259fa71bb64f4b6da2a139cfc3987ea8fee653cbf93f4cb9aaf8fa8a8b

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe
    Filesize: 320KB
    MD5: 47966dd7fc1929878cb7fec97ba46736
    SHA1: 70b2b993bcfed20db87549635cb3d333ed442c9b
    SHA256: a17608af12c75b7086160347860c305a4d6b972f59003a1a32dfc0944f59b5be
    SHA512: 3367d77ee57e831554a317f74c35854c41bc4de251d5de29b4994f7a988ce44c46ff74ebdbf86a1f8e88094a3188711a129cb9e6ddd8e16446b1648f591fb8a6

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe
    Filesize: 337KB
    MD5: b11b64c53b6dafda0597379aa918212a
    SHA1: 8f10a2e0747799ece273508956c7829dd84b96dc
    SHA256: a8b1de07b3dcaf27a2c37493054ea9b84d53bb39ab24dcb5ec00fc17a48a8602
    SHA512: 02dfb9d333db53cd5dd67ab6069d9161a025ebd9a5856f4a6775c15849dafc5b492a04cc4cc995174b027b8989d9f9dc502c6997c0f513fc364573d3d9fa6850

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe
    Filesize: 142KB
    MD5: f353dd9e5ffac243ec089584fb80a650
    SHA1: 5f36dbc06d2bf9b99aebe1aff740f39d8f320a00
    SHA256: 2518994c7c3b1c100264cedb61df7f96495917883f2a7c7d18e46f3fcca5f390
    SHA512: 839f3d00a144f956e178865ecddc1439dda8562ffac0072682cb89588a6473cea77ed71b637400b9203aedc4641cbce872675b12eb8b6ae45de0b9e3d03f6ecd

  • memory/4584-29-0x0000000000510000-0x0000000000540000-memory.dmp
    Filesize: 192KB

  • memory/4584-30-0x0000000004CF0000-0x0000000004CF6000-memory.dmp
    Filesize: 24KB

  • memory/4584-31-0x000000000A800000-0x000000000AE18000-memory.dmp
    Filesize: 6.1MB

  • memory/4584-32-0x000000000A380000-0x000000000A48A000-memory.dmp
    Filesize: 1.0MB

  • memory/4584-33-0x000000000A2B0000-0x000000000A2C2000-memory.dmp
    Filesize: 72KB

  • memory/4584-34-0x000000000A310000-0x000000000A34C000-memory.dmp
    Filesize: 240KB

  • memory/4584-35-0x000000000A490000-0x000000000A4DC000-memory.dmp
    Filesize: 304KB
