Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/11/2024, 01:34
General
-
Target
756e848510a3e819f79e761868b44b630c098847daef6a30f6e0353de54dd0b3.exe
-
Size
1.1MB
-
MD5
4e2d3bc406835e8cab91f7305d9e242e
-
SHA1
7e88a7a6a52eb9e0221bf96bd927898f63704fb7
-
SHA256
756e848510a3e819f79e761868b44b630c098847daef6a30f6e0353de54dd0b3
-
SHA512
bc87f0af69b47dc31ab07a6e3d63e92f090380ff0b5b7526e55b1535cc974cab793b861a159a99c5034cac47c84dc5bc45fd4f60594315d26ae78765ee56f1c5
-
SSDEEP
24576:VyDkbHWTQgBM7utSpOwIwJUQc9JgrJXFYDcBcOu7ikcu5MHFUY:wgyTQgBKutfkiCrJXODcBPk/MH
Malware Config
Extracted
amadey
3.80
9c0adb
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\756e848510a3e819f79e761868b44b630c098847daef6a30f6e0353de54dd0b3.exe"C:\Users\Admin\AppData\Local\Temp\756e848510a3e819f79e761868b44b630c098847daef6a30f6e0353de54dd0b3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ll239098.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ll239098.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zC418394.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zC418394.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tC375236.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tC375236.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141727283.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141727283.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232750921.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232750921.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 10806⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306733318.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306733318.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\433813983.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\433813983.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3940 -ip 39401⤵
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
939KB
MD5238116b0254b2f358ff9a2d4e743220e
SHA10cb3863866ffb1146db3e945c09829945df60a6a
SHA256ae017eeb87ff25b5f747beb5e66cc1e1463ff1b4dcfb29f6edfbd0f7c49975f0
SHA51239823ff1b35cc09456915f534cc323b6470f6ba2a5be21a69767e00a1a460afb9e06dfca75021321117dd86fdd9d683f4caa609b5d9c231f0ffd54f7b24baad4
-
Filesize
341KB
MD5362d76b00c6bb00eac968432c4ab1513
SHA11271748ab764e131f4a038d3eb0d436158d17fb8
SHA256b562cd4cb01e71f065abed907b0f7e869d196921ee5235e226aa9dabdf2d6bc4
SHA51262e78a5c22bf09323fd152c7beb0cf8016c55e22b27f1587dcd6ba2ddbd61091a1dd3b8f6526622086bf7819cc8ff7c2a35ba865c36abcdf4ad086e4f4764549
-
Filesize
586KB
MD53fd115738c5533d982462b774c589870
SHA1d1447120109bf617c9cab7bc18b5ca3ef824df44
SHA2566fa43073068c0817b38b64eb8489de50c74af0bcda403adca2ddc0d976967ed2
SHA5127cde6e516e4ea9de4d1ce2349863a6abef92dedfb2f98d69fc848ff79ca2c6e0f96d3633898f6dcc1cb4ddbed123cff4040edc38045593022c7e0847b6b738d3
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
414KB
MD54ff1399cdce110f4779fa4ae58a3f84a
SHA10a25bc30bceea4c7a8a609a99138e618d9d5fd0f
SHA2560b0580821344bb808ee4ba7aa430147f61f08b7f28aa132f073d6912004b3ab8
SHA51231410bd0019afa85719be897b7bb31301cff3bacdd0512e06388321b156315c6287c5522a492013f1b0bcbe0d552d659f67819680d3de5d097a6538c0ea4484c
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
259KB
MD5257c4feeb3a8d860f1d35441f71c8dcb
SHA1fc4e496ba84f9b6029766944cb27d492b2ec3646
SHA256d2a457d3e1eb3b8bf15b7b6e64e28ddae7ef97987342b8f8219283dafe3ead80
SHA5126436dea99037ee7eeaa69b7f6e9adeb71b6870707945d063dda54a999c013371f1640006381a161be4346b86d603642937ab07928614b6c708d043a30414d37f
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
232KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
96KB
-
Filesize
340KB
-
Filesize
340KB