Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0848e1e7e1...63.exe

windows10-2004-x64

10

1106a57fdf...a5.exe

windows10-2004-x64

10

185a521367...e2.exe

windows10-2004-x64

10

1a2ed241f7...81.exe

windows10-2004-x64

10

3933af1a19...66.exe

windows10-2004-x64

10

4046412564...e5.exe

windows10-2004-x64

10

48b2c44ad3...cf.exe

windows10-2004-x64

10

6fdb50a007...59.exe

windows10-2004-x64

10

708b7d578b...65.exe

windows10-2004-x64

10

73dc042440...3f.exe

windows10-2004-x64

10

9a45e9c206...55.exe

windows10-2004-x64

10

9a8f8e9a46...09.exe

windows10-2004-x64

10

9ab135934b...fe.exe

windows10-2004-x64

10

ab010a807d...38.exe

windows10-2004-x64

10

b85fd724a0...c4.exe

windows10-2004-x64

10

d940f9b9c6...49.exe

windows10-2004-x64

10

dc87cba915...e1.exe

windows10-2004-x64

10

e7bd826b7a...05.exe

windows10-2004-x64

10

ffbf9f9530...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 09:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe

  • Size

    476KB

  • MD5

    eb39a2b3c68d99216a38cb0593f82005

  • SHA1

    c50ccd4606ad7793cd469ceb9609974f942778f9

  • SHA256

    9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009

  • SHA512

    87c900f447fc115cb79ff8597fa01705ffe8bba0bfe7a8b42a51ff69a949f9d67c13ff9240946aa9d300c90ef397488762563ebb0e1120463602708d996e03db

  • SSDEEP

    12288:VMrAy90EDRCEym1LQ9KRwEXYp7G9TnJQ3Ckltu3:JytRtZQ9KqEABg3

Score
10/10
amadeymysticredline59b440mrakinfostealerpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
    "C:\Users\Admin\AppData\Local\Temp\9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
          "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3484
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3224
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:548
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:N"
                6⤵
                  PID:3964
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "saves.exe" /P "Admin:R" /E
                  6⤵
                    PID:772
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:4052
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:N"
                      6⤵
                        PID:4088
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\b40d11255d" /P "Admin:R" /E
                        6⤵
                          PID:1436
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe
                    3⤵
                    • Executes dropped EXE
                    PID:4060
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4584
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:696
                • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4764
                • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4836

                Network

                • flag-us
                  DNS
                  133.211.185.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  133.211.185.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  240.221.184.93.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  240.221.184.93.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  140.32.126.40.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  140.32.126.40.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  104.219.191.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  104.219.191.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  154.239.44.20.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  154.239.44.20.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  157.123.68.40.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  157.123.68.40.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  198.187.3.20.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  198.187.3.20.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  203.107.17.2.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  203.107.17.2.in-addr.arpa
                  IN PTR
                  Response
                  203.107.17.2.in-addr.arpa
                  IN PTR
                  a2-17-107-203deploystaticakamaitechnologiescom
                • flag-us
                  DNS
                  48.229.111.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  48.229.111.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  172.210.232.199.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  172.210.232.199.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  26.173.189.20.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  26.173.189.20.in-addr.arpa
                  IN PTR
                  Response
                • 77.91.68.18:80
                  saves.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  t4662464.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  t4662464.exe
                  260 B
                   5
                • 77.91.68.18:80
                  saves.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  t4662464.exe
                  260 B
                   5
                • 77.91.68.18:80
                  saves.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  t4662464.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  t4662464.exe
                  260 B
                   5
                • 8.8.8.8:53
                  133.211.185.52.in-addr.arpa
                  dns
                  73 B
                   147 B
                   1
                  1

                  DNS Request

                  133.211.185.52.in-addr.arpa

                • 8.8.8.8:53
                  240.221.184.93.in-addr.arpa
                  dns
                  73 B
                   144 B
                   1
                  1

                  DNS Request

                  240.221.184.93.in-addr.arpa

                • 8.8.8.8:53
                  140.32.126.40.in-addr.arpa
                  dns
                  72 B
                   158 B
                   1
                  1

                  DNS Request

                  140.32.126.40.in-addr.arpa

                • 8.8.8.8:53
                  104.219.191.52.in-addr.arpa
                  dns
                  73 B
                   147 B
                   1
                  1

                  DNS Request

                  104.219.191.52.in-addr.arpa

                • 8.8.8.8:53
                  154.239.44.20.in-addr.arpa
                  dns
                  72 B
                   158 B
                   1
                  1

                  DNS Request

                  154.239.44.20.in-addr.arpa

                • 8.8.8.8:53
                  157.123.68.40.in-addr.arpa
                  dns
                  72 B
                   146 B
                   1
                  1

                  DNS Request

                  157.123.68.40.in-addr.arpa

                • 8.8.8.8:53
                  198.187.3.20.in-addr.arpa
                  dns
                  71 B
                   157 B
                   1
                  1

                  DNS Request

                  198.187.3.20.in-addr.arpa

                • 8.8.8.8:53
                  203.107.17.2.in-addr.arpa
                  dns
                  71 B
                   135 B
                   1
                  1

                  DNS Request

                  203.107.17.2.in-addr.arpa

                • 8.8.8.8:53
                  48.229.111.52.in-addr.arpa
                  dns
                  72 B
                   158 B
                   1
                  1

                  DNS Request

                  48.229.111.52.in-addr.arpa

                • 8.8.8.8:53
                  172.210.232.199.in-addr.arpa
                  dns
                  74 B
                   128 B
                   1
                  1

                  DNS Request

                  172.210.232.199.in-addr.arpa

                • 8.8.8.8:53
                  26.173.189.20.in-addr.arpa
                  dns
                  72 B
                   158 B
                   1
                  1

                  DNS Request

                  26.173.189.20.in-addr.arpa

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe
                  Filesize

                  174KB

                  MD5

                  ee9b4f0c162d2daa941050ab28499d58

                  SHA1

                  18ada0317d2aa4b1446f0ee4ab6f008c513efa0e

                  SHA256

                  5a1202d3c20b0701f7a5c8f95431f5836ff2ac3958508fd32b2a9cfff3e013aa

                  SHA512

                  056f38c7a1ca30985b2d8e8d4c0d3f9eae742476e71f572b36a26f40417ac989705456259fa71bb64f4b6da2a139cfc3987ea8fee653cbf93f4cb9aaf8fa8a8b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe
                  Filesize

                  320KB

                  MD5

                  47966dd7fc1929878cb7fec97ba46736

                  SHA1

                  70b2b993bcfed20db87549635cb3d333ed442c9b

                  SHA256

                  a17608af12c75b7086160347860c305a4d6b972f59003a1a32dfc0944f59b5be

                  SHA512

                  3367d77ee57e831554a317f74c35854c41bc4de251d5de29b4994f7a988ce44c46ff74ebdbf86a1f8e88094a3188711a129cb9e6ddd8e16446b1648f591fb8a6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe
                  Filesize

                  337KB

                  MD5

                  b11b64c53b6dafda0597379aa918212a

                  SHA1

                  8f10a2e0747799ece273508956c7829dd84b96dc

                  SHA256

                  a8b1de07b3dcaf27a2c37493054ea9b84d53bb39ab24dcb5ec00fc17a48a8602

                  SHA512

                  02dfb9d333db53cd5dd67ab6069d9161a025ebd9a5856f4a6775c15849dafc5b492a04cc4cc995174b027b8989d9f9dc502c6997c0f513fc364573d3d9fa6850

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe
                  Filesize

                  142KB

                  MD5

                  f353dd9e5ffac243ec089584fb80a650

                  SHA1

                  5f36dbc06d2bf9b99aebe1aff740f39d8f320a00

                  SHA256

                  2518994c7c3b1c100264cedb61df7f96495917883f2a7c7d18e46f3fcca5f390

                  SHA512

                  839f3d00a144f956e178865ecddc1439dda8562ffac0072682cb89588a6473cea77ed71b637400b9203aedc4641cbce872675b12eb8b6ae45de0b9e3d03f6ecd

                  Download Submit

                • memory/4584-29-0x0000000000510000-0x0000000000540000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/4584-30-0x0000000004CF0000-0x0000000004CF6000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/4584-31-0x000000000A800000-0x000000000AE18000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/4584-32-0x000000000A380000-0x000000000A48A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/4584-33-0x000000000A2B0000-0x000000000A2C2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4584-34-0x000000000A310000-0x000000000A34C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4584-35-0x000000000A490000-0x000000000A4DC000-memory.dmp

                  Filesize

                  304KB

                  Download

                We care about your privacy.

                This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.