Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/11/2024, 09:21
General
-
Target
def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361.exe
-
Size
3.1MB
-
MD5
80780678447355a2bc3157723d80033b
-
SHA1
3ca0030f2582c21959f2b5d25cf57a926a4314a1
-
SHA256
def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361
-
SHA512
90fade4ec430ffd1f165d6cbef9ae8d4d9f93f17200c0907f85e5c653484d72e0c7471a32bd42544dff4350e96a4c16521c87e5779b8b068f9f8c85a662ee546
-
SSDEEP
49152:tRCiNmW7ggey/6JYzvfqTkGkJHi9Eu+0yp++IhT/W/oa/EiS:6sj9eM6JYzvfYkGkJC2u+08++IaDEi
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 7 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361.exe"C:\Users\Admin\AppData\Local\Temp\def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1004321001\e01c565f16.exe"C:\Users\Admin\AppData\Local\Temp\1004321001\e01c565f16.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1004322001\14455f7f5b.exe"C:\Users\Admin\AppData\Local\Temp\1004322001\14455f7f5b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1004324001\9ea3eb6027.exe"C:\Users\Admin\AppData\Local\Temp\1004324001\9ea3eb6027.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5d76cb29d3e2e46571502ac53cce294fd
SHA1892254128a918ef30a0619b1ad57d13d9833431b
SHA256a277eaaf64425b7183487a5ffbfa828ff67cc2c499c51a94fb87d438ca8015be
SHA512976d55930ab19f3dbb971cb50c66523843c160ddb0d80baac2f1d05510b61fdae77475fc2a2cd438cfb1678720e3340ca3dee9a9131c9942f99d04ee7103727c
-
Filesize
2.1MB
MD57a6fb3221e1a7c6c17fdfedfe627a427
SHA13761f898656c79d8564248c9817400e5f8080b09
SHA256a63fcb0e8ed99f42ff8269e524321434af557140d82fc02e1a444316e7231aa5
SHA51269760b7878f6877c12779a479ec3c9bfb63dc3f3d631727d8a5820fe2d701e6af533426b8f8a4aaf0d127be27a34d4444c034f21bf3cf236ffae81f67a4d9d1c
-
Filesize
2.7MB
MD5e61f71ea2723ee4f31906f3628d3e380
SHA178111d2404a0dd86291203e80648d454d63789f5
SHA2567ee4e5f1ced524a4907c22207ce79668112eae18ee32d5111ef0b7c35ccec49d
SHA5129c23f37efb00aef228988dc582814dfa6f525de78f9a0e1890ab59e140de8ad6a38c20b2a27a342cf27dcdb6e3a7a6c2983b2cdd4b41738c8d65d6a958cdda33
-
Filesize
3.1MB
MD580780678447355a2bc3157723d80033b
SHA13ca0030f2582c21959f2b5d25cf57a926a4314a1
SHA256def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361
SHA51290fade4ec430ffd1f165d6cbef9ae8d4d9f93f17200c0907f85e5c653484d72e0c7471a32bd42544dff4350e96a4c16521c87e5779b8b068f9f8c85a662ee546
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.3MB
-
Filesize
7.3MB