Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/12/2024, 13:43
Static task
static1
Behavioral task
behavioral1
Sample
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
Resource
win7-20241010-en
General
-
Target
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
-
Size
1.3MB
-
MD5
db04aa6e158c5d52c20fc855f5285905
-
SHA1
822416dfa3f094aa6776ed0cad77fb9083db29a3
-
SHA256
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
-
SHA512
cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
-
SSDEEP
24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ
Malware Config
Extracted
amadey
4.18
1cc3fe
http://vitantgroup.com
-
install_dir
431a343abc
-
install_file
Dctooux.exe
-
strings_key
5a2387e2bfef84adb686c856b4155237
-
url_paths
/xmlrpc.php
Signatures
-
Amadey family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe -
Executes dropped EXE 3 IoCs
pid Process 2728 Dctooux.exe 4592 Dctooux.exe 4668 Dctooux.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
pid Process 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 4592 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 4668 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe 2728 Dctooux.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Dctooux.job ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dctooux.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dctooux.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dctooux.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 2728 Dctooux.exe 4592 Dctooux.exe 4668 Dctooux.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2728 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 82 PID 2400 wrote to memory of 2728 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 82 PID 2400 wrote to memory of 2728 2400 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4592
-
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4668
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5db04aa6e158c5d52c20fc855f5285905
SHA1822416dfa3f094aa6776ed0cad77fb9083db29a3
SHA256ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
SHA512cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
-
Filesize
84KB
MD5f4f8aa07d6d7bca3dd6c35b105c6257f
SHA113c7489ecdd75fee2629c54dfc78564c34db6c99
SHA2565a326fed8031432d2306740b6ef35ca103e73ad76987e3ca8203d7e92c84ed05
SHA512d3dac7baa1a1a6bf504971e40ed2701e3d050fe27372c17bd246af8522980a7d76db3768b0289fa44dfaf0caba10951f874ff5d74932067708d0522c8c1bad93
-
Filesize
4KB
MD57e2b3acd059341acbb2d8e7cf96ed2f4
SHA13a1c6045fdcf1a899c35170dddcf60133381ce24
SHA256a00ebe1e948fcd60feb83e51b7f379c8b4bca99bce0cc33013e5ec7462bc6902
SHA512f4fd0bef8bdd2030e1aeee6a003ca446f13b5aee6bdf68c8cb9a079018398517072d4e1f49d2c9234a683c3f7ce93f57dbdfe927e966ce0c5ff8ec4506ab0826