Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    269s
  • max time network
    286s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22/07/2024, 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe

  • Size

    9.6MB

  • MD5

    4a0b3c363eeb8dfc1e9154dbc6a03a7b

  • SHA1

    2e8077211e187d4add47910bacb888e66649bcec

  • SHA256

    c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1

  • SHA512

    db8b6abb8f6907f8ab86cc3f240aa1bed980ad615f6bc60ac256ff14c516d84bd384d8fac410297dc7f6206fe4da61ef751ec13018122486374ddf0f6ecd05b3

  • SSDEEP

    196608:jdo9nDnuwjlN2gpqjZenSR/Y6inpMnb3rn0jAtIE8Xtz9:jinDuklkZiSR/QnGnb3r0jeIEKz

Score
10/10
amadeypovertystealer9ca5d0executionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9ca5d0

C2

http://77.91.77.140

Attributes
  • install_dir

    674c1801fe

  • install_file

    Hkbsse.exe

  • strings_key

    89fcde63d3a4658c6be472c7647616bc

  • url_paths

    /g9bkfkWf/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Poverty Stealer Payload 1 IoCs
  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

    stealerpovertystealer
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe
    "C:\Users\Admin\AppData\Local\Temp\c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:1244
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\604470191232_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4984
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:2968
      • C:\Users\Admin\AppData\Local\Temp\1000001001\expert.exe
        "C:\Users\Admin\AppData\Local\Temp\1000001001\expert.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4244
      • C:\Users\Admin\AppData\Local\Temp\1000005001\ash.exe
        "C:\Users\Admin\AppData\Local\Temp\1000005001\ash.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2700
  • C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1968
  • C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1368
  • C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:608
  • C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:4696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1000005001\ash.exe
    Filesize

    9.5MB

    MD5

    7e10bd91154eca00420a74abb9967915

    SHA1

    4b59eec6aee1919dd17df3c4809689c5265a7077

    SHA256

    27ae0c25472fe22bbf6b33c2abc2ff061a540ccee039cbcda77c39ab4f0b9479

    SHA512

    58153a0f33a2d0dc1a6c033a6a67ef3ff5f4714a0911cfc4aa008468e714d0d771748ab61346ad56d2652a7c0f6b44937915d84b0a2bdad2794919bbfae13cdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\604470191232
    Filesize

    74KB

    MD5

    781c6f731bfc66f4d3af23fcf9a44e6e

    SHA1

    0d668a44082606a05e01aa1f0ebc2145d5b03f90

    SHA256

    19fbcf2a768d4ef756fba3622ee02383504e412c8586355773b67a8d1493ae62

    SHA512

    1813ca0cef30541df3f1753a013688e6dbf9439f0349ece9c3fed6ac9ea5ec3cb249ebe3b4d4397ca7e2af25270f51ed4327c2823d87f47f509982f1ad5083d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\674c1801fe\Hkbsse.exe
    Filesize

    9.6MB

    MD5

    4a0b3c363eeb8dfc1e9154dbc6a03a7b

    SHA1

    2e8077211e187d4add47910bacb888e66649bcec

    SHA256

    c62556c0c10d5441a43119bdc9ea3e5a0b92d2546ad0ad0b9cba482da8430bf1

    SHA512

    db8b6abb8f6907f8ab86cc3f240aa1bed980ad615f6bc60ac256ff14c516d84bd384d8fac410297dc7f6206fe4da61ef751ec13018122486374ddf0f6ecd05b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpsrjbsa.do5.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\clip64.dll
    Filesize

    127KB

    MD5

    8910655137f435fa57c2e0ea33a9891d

    SHA1

    91668d0b1215e2256d94a693e0856a017d58c7ab

    SHA256

    a4f61ffd3ab84471ac9d21e6d196d9e69b26d79005cc9f5e102eeb3265074597

    SHA512

    01946ee79d7ed545a0a332d15edb0410f4424078e415317e2af6bd395ab6c0ab566c84e8fee1fd157a9e48e164add40686c5e2724c5cd410a124c2af568a630a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8ed54a5ebdec82\cred64.dll
    Filesize

    1.2MB

    MD5

    b179c992937daa9db2eb93c7d1aee21d

    SHA1

    5d2467cfba55fde65522779efd84f3a5e3980146

    SHA256

    5b5b914c69a2b8320c367795349914e531e16b44a56fd31665c797197fa94474

    SHA512

    31db1c209bf83f723dc668e873b7653561ec4b563c19b106e30df1e6b5a152bcc18ebcb818f1a98e88c355514d9b1dbdeb348b73a3df12c69dd745d6fd585bf2

    Download Submit

  • memory/608-178-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/608-176-0x00000000014A0000-0x00000000014A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1368-173-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/1440-18-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/1968-137-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/1968-135-0x00000000015B0000-0x00000000015B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-167-0x0000000001370000-0x0000000001371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-168-0x00000000000E0000-0x0000000000F9D000-memory.dmp

    Filesize

    14.7MB

    Download

  • memory/4240-16-0x000000000046D000-0x00000000009B7000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4240-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4240-5-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/4240-7-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/4240-15-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/4240-0-0x000000000046D000-0x00000000009B7000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4244-153-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/4244-151-0x00000000014B0000-0x00000000014B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4696-190-0x0000000001460000-0x0000000001461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4696-192-0x0000000000400000-0x0000000001350000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/4984-102-0x000002A035FB0000-0x000002A035FC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4984-65-0x000002A01DDF0000-0x000002A01DE12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4984-68-0x000002A036130000-0x000002A0361A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4984-115-0x000002A035FA0000-0x000002A035FAA000-memory.dmp

    Filesize

    40KB

    Download