Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 10:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe

  • Size

    540KB

  • MD5

    3a43d1c96176e1bcf74d3c2263044759

  • SHA1

    9107fc9c7479bf1c4ddeffc52518583917603b95

  • SHA256

    68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5

  • SHA512

    74197247630636db39089573b49beb6daecef1834e9b4c69e7a7a560e3f7f0a8e3ab3fa591c6a4baaed4d397173c4b8e686daccd923482575ed90bdc582849f3

  • SSDEEP

    12288:cMrsy90R6ibrrpOS4kHIMBz9NMdgCOKoRF2ePk5:wyZibxOS44IaTCYJ+

Score
10/10
amadeyredline59b440mrakevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe
    "C:\Users\Admin\AppData\Local\Temp\68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
          "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3520
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:1008
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:1000
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:N"
                6⤵
                  PID:4412
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "saves.exe" /P "Admin:R" /E
                  6⤵
                    PID:4508
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:3748
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:N"
                      6⤵
                        PID:1960
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\b40d11255d" /P "Admin:R" /E
                        6⤵
                          PID:2552
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4024
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3912
                • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2840

                Network

                • flag-us
                  DNS
                  196.249.167.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  196.249.167.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  240.221.184.93.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  240.221.184.93.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  64.159.190.20.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  64.159.190.20.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  56.94.73.104.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  56.94.73.104.in-addr.arpa
                  IN PTR
                  Response
                  56.94.73.104.in-addr.arpa
                  IN PTR
                  a104-73-94-56deploystaticakamaitechnologiescom
                • flag-us
                  DNS
                  86.23.85.13.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  86.23.85.13.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  86.23.85.13.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  86.23.85.13.in-addr.arpa
                  IN PTR
                • flag-us
                  DNS
                  206.23.85.13.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  206.23.85.13.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  22.236.111.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  22.236.111.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  105.246.116.51.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  105.246.116.51.in-addr.arpa
                  IN PTR
                  Response
                • 142.250.187.234:443
                  46 B
                   40 B
                   1
                  1
                • 13.107.246.64:443
                  92 B
                   40 B
                   2
                  1
                • 77.91.68.18:80
                  saves.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  i5208464.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  i5208464.exe
                  260 B
                   5
                • 77.91.68.18:80
                  saves.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  i5208464.exe
                  260 B
                   5
                • 77.91.68.18:80
                  saves.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  i5208464.exe
                  260 B
                   5
                • 77.91.124.82:19071
                  i5208464.exe
                  208 B
                   4
                • 8.8.8.8:53
                  196.249.167.52.in-addr.arpa
                  dns
                  73 B
                   147 B
                   1
                  1

                  DNS Request

                  196.249.167.52.in-addr.arpa

                • 8.8.8.8:53
                  240.221.184.93.in-addr.arpa
                  dns
                  73 B
                   144 B
                   1
                  1

                  DNS Request

                  240.221.184.93.in-addr.arpa

                • 8.8.8.8:53
                  64.159.190.20.in-addr.arpa
                  dns
                  72 B
                   158 B
                   1
                  1

                  DNS Request

                  64.159.190.20.in-addr.arpa

                • 8.8.8.8:53
                  56.94.73.104.in-addr.arpa
                  dns
                  71 B
                   135 B
                   1
                  1

                  DNS Request

                  56.94.73.104.in-addr.arpa

                • 8.8.8.8:53
                  86.23.85.13.in-addr.arpa
                  dns
                  140 B
                   144 B
                   2
                  1

                  DNS Request

                  86.23.85.13.in-addr.arpa

                  DNS Request

                  86.23.85.13.in-addr.arpa

                • 8.8.8.8:53
                  206.23.85.13.in-addr.arpa
                  dns
                  71 B
                   145 B
                   1
                  1

                  DNS Request

                  206.23.85.13.in-addr.arpa

                • 8.8.8.8:53
                  22.236.111.52.in-addr.arpa
                  dns
                  72 B
                   158 B
                   1
                  1

                  DNS Request

                  22.236.111.52.in-addr.arpa

                • 8.8.8.8:53
                  105.246.116.51.in-addr.arpa
                  dns
                  73 B
                   159 B
                   1
                  1

                  DNS Request

                  105.246.116.51.in-addr.arpa

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
                  Filesize

                  174KB

                  MD5

                  83d201fab8d323c26aebf61f4edab894

                  SHA1

                  0951a1c6ef9d8ea2f2a38f0b1e5d51faa55432b8

                  SHA256

                  549b21b8653360d2f6b749eb2358e58a996a35c8f85bde4d7740296bd0bc5e33

                  SHA512

                  a4a7c3ece46c6d33214d56f08d8a9d214f312b6d3f6c6bb90012a917eca56387c0645fdda94778eed3049a0e3f6cf7c499de7f3d6218dffceee565ee4c38afca

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
                  Filesize

                  384KB

                  MD5

                  c0f7a5d560b531fd3bab55cc63236a23

                  SHA1

                  9c5a14c3967d7ad535a733918c790906e210cc1c

                  SHA256

                  858e0c098977fc7da667404bce45320ad01b73848fcb411a64bb482b15c28881

                  SHA512

                  e7179ca343d9a56085b8eade536be7abfb7662436d13aaddcc21e020b5319a893b4c248092d5e07d91a2acec0ee7648f8615ea34179294603f00ff475321a2ab

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
                  Filesize

                  202KB

                  MD5

                  ed3eafff4705be9e483b93379ff54f8f

                  SHA1

                  6b16c88ae0157be7649469ec2baa13193af8f2b7

                  SHA256

                  91e35f49cdd48b97c1c6bacc5d2ee7a1c84e29facb1d9b5d3d2e84e3a8759626

                  SHA512

                  f8e02531f40468ed632b562e439d150d7949d5fe0e6355414dd1701d491283daf6f38ad73782eee71d8db53975916f6e8d57edf0ce95e27a41f5869a65f5f7d0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
                  Filesize

                  337KB

                  MD5

                  251aa9e034465b49c7aeabaa9e675211

                  SHA1

                  c415e234bf8ff36c6e24e9b4c84247399e49b674

                  SHA256

                  3089ab919d4f5b5942e0beb13d3209fd34e783d0658b0170a14642078fb5775f

                  SHA512

                  c04cff04f0b32e0013fe50ff88acbad93f75feeff8e14096b24ba4420604617d118deec656f4a899e7ef6bdbc9357d7cf8510fdfe0ea12f102adebc0a9398abe

                  Download Submit

                • memory/2324-39-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-32-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-18-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-19-0x0000000004BF0000-0x0000000005194000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/2324-20-0x0000000002540000-0x000000000255C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/2324-21-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-24-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-48-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-47-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-44-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-43-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-40-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-16-0x00000000022B0000-0x00000000022CE000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/2324-36-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-35-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-17-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-30-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-28-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-26-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-22-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-49-0x000000007468E000-0x000000007468F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2324-51-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-15-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-14-0x000000007468E000-0x000000007468F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4024-67-0x0000000000DD0000-0x0000000000E00000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/4024-68-0x0000000002FC0000-0x0000000002FC6000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/4024-69-0x0000000005D00000-0x0000000006318000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/4024-70-0x0000000005820000-0x000000000592A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/4024-71-0x0000000005750000-0x0000000005762000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4024-72-0x00000000057B0000-0x00000000057EC000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4024-73-0x0000000005930000-0x000000000597C000-memory.dmp

                  Filesize

                  304KB

                  Download

                We care about your privacy.

                This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.