Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2c6e6b28c4...03.exe

windows7-x64

10

2c6e6b28c4...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe

  • Size

    1.8MB

  • MD5

    91a0d71b8aa56eddc7557dee31b7792f

  • SHA1

    7a9f89e76fe95d5d489ba74311521dbae2ccc610

  • SHA256

    2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03

  • SHA512

    8d809f16f1de54f573ae6e747c2a7b80a40a6dd39135f66511b2869ada2c8ec2fbede0732242b5ab7912ffb9a07a0c55b824e565c0b5673d9d33e740eb07d2b7

  • SSDEEP

    24576:5N1TUHB62u86R25Fm/DxBnGlL/Rr0GiivVfTCQhzLt5f1M4iRFu63Jrlliq:1UHBx6Rom/a/1/JTCGjfHCHJrl

Score
10/10
amadeyredlinestealc@cloudytteamdefault2fed3aacredential_accessdiscoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe
    "C:\Users\Admin\AppData\Local\Temp\2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Users\Admin\AppData\Roaming\dsP83GNMIP.exe
            "C:\Users\Admin\AppData\Roaming\dsP83GNMIP.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3512
          • C:\Users\Admin\AppData\Roaming\rDPsr7izAk.exe
            "C:\Users\Admin\AppData\Roaming\rDPsr7izAk.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            PID:3976
      • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
        "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
          "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4332
      • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3508
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3484
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3020
  • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    PID:2788
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    Filesize

    32KB

    MD5

    fc545ed1a563c0c8b23e8ac278500c6c

    SHA1

    89cadfdfc4993b06bd7d836dcaab1b721de9f6d2

    SHA256

    16052197ac22bd21e174e22e437bfa717337ebf80587c262cb7132ccb7b41784

    SHA512

    a85cdeaf455f6f414cf37b90d4754db068cb2ce548d911dc2929da85d7c885848f100df8cbe3147a4a4b387a09b9fdf7ac20b4783dfb37dffac6e93a44dd76e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
    Filesize

    1.1MB

    MD5

    8e74497aff3b9d2ddb7e7f819dfc69ba

    SHA1

    1d18154c206083ead2d30995ce2847cbeb6cdbc1

    SHA256

    d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

    SHA512

    9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
    Filesize

    416KB

    MD5

    f5d7b79ee6b6da6b50e536030bcc3b59

    SHA1

    751b555a8eede96d55395290f60adc43b28ba5e2

    SHA256

    2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

    SHA512

    532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    Filesize

    187KB

    MD5

    7a02aa17200aeac25a375f290a4b4c95

    SHA1

    7cc94ca64268a9a9451fb6b682be42374afc22fd

    SHA256

    836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

    SHA512

    f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Filesize

    1.8MB

    MD5

    91a0d71b8aa56eddc7557dee31b7792f

    SHA1

    7a9f89e76fe95d5d489ba74311521dbae2ccc610

    SHA256

    2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03

    SHA512

    8d809f16f1de54f573ae6e747c2a7b80a40a6dd39135f66511b2869ada2c8ec2fbede0732242b5ab7912ffb9a07a0c55b824e565c0b5673d9d33e740eb07d2b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TmpE1DF.tmp
    Filesize

    2KB

    MD5

    1420d30f964eac2c85b2ccfe968eebce

    SHA1

    bdf9a6876578a3e38079c4f8cf5d6c79687ad750

    SHA256

    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

    SHA512

    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dsP83GNMIP.exe
    Filesize

    544KB

    MD5

    88367533c12315805c059e688e7cdfe9

    SHA1

    64a107adcbac381c10bd9c5271c2087b7aa369ec

    SHA256

    c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

    SHA512

    7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rDPsr7izAk.exe
    Filesize

    304KB

    MD5

    30f46f4476cdc27691c7fdad1c255037

    SHA1

    b53415af5d01f8500881c06867a49a5825172e36

    SHA256

    3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

    SHA512

    271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

    Download Submit

  • memory/2228-99-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2228-78-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2228-79-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2228-74-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2228-76-0x0000000000400000-0x000000000050D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2440-70-0x0000000000B80000-0x0000000000C92000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2932-224-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2932-225-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2992-1-0x0000000077414000-0x0000000077416000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2992-2-0x0000000000E91000-0x0000000000EBF000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-3-0x0000000000E90000-0x000000000132F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2992-4-0x0000000000E90000-0x000000000132F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2992-0-0x0000000000E90000-0x000000000132F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2992-18-0x0000000000E90000-0x000000000132F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3020-72-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3020-51-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-25-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-32-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-226-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-50-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-24-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-34-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-22-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-21-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-33-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-16-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-20-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-19-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-221-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-220-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-186-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-185-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-31-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-30-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-184-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3124-183-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3484-27-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3484-26-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3484-29-0x0000000000AD0000-0x0000000000F6F000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3508-187-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/3508-174-0x0000000000320000-0x0000000000563000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3512-179-0x000000000AA90000-0x000000000AFBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3512-107-0x0000000000F10000-0x0000000000F9E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/3512-177-0x0000000008AD0000-0x0000000008B36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3512-178-0x000000000A390000-0x000000000A552000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3976-140-0x0000000006720000-0x000000000673E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3976-182-0x0000000006E10000-0x0000000006E60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3976-145-0x00000000069B0000-0x0000000006ABA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3976-132-0x0000000005DA0000-0x0000000005E16000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3976-144-0x0000000006E60000-0x0000000007478000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3976-106-0x0000000005350000-0x000000000535A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3976-150-0x0000000006AC0000-0x0000000006B0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3976-104-0x00000000051A0000-0x0000000005232000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3976-103-0x0000000005670000-0x0000000005C14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3976-102-0x0000000000880000-0x00000000008D2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/3976-147-0x0000000006950000-0x000000000698C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3976-146-0x00000000068F0000-0x0000000006902000-memory.dmp

    Filesize

    72KB

    Download