Resubmissions
Submitted            Task ID              Score
13/01/2022, 13:19    220113-qkhx6sade2    4
12/09/2021, 07:40    210912-jhysaacbd3    10
12/09/2021, 07:40    210912-jhp55sfbbr    10
12/09/2021, 07:39    210912-jhc6kscbd2    10
12/09/2021, 07:39    210912-jg161sfbbp    10
12/09/2021, 07:38    210912-jgmnmafbbn    10

Analysis
- max time kernel: 1443s
- max time network: 1447s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 12/09/2021, 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
  Resource: win11
Behavioral task: behavioral3
  Sample: Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
  Resource: win10v20210408
Behavioral task: behavioral4
  Sample: Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
  Resource: win10-en
General
- Target: Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
- Size: 6.2MB
- MD5: 0cb3efeb5d9312e068c57e7e55affed7
- SHA1: aad1c65d257c7d2929ffb916114bc532feba0a16
- SHA256: a974231d8889e05fedfbe73b5cc58e414de6fd5031765c998a24ac326f35b0b2
- SHA512: 236ce9aa9e71f279e7833c4f0afbad15a2de4aaf62e78a82f1132224951f25f0a184aacfe5c963a20481c20cdb12e1a56e6aaf662f4a07c756abe0c539488898
Malware Config
Extracted: azorult
  C2: http://kvaka.li/1210776429.php
Extracted: redline
  Botnet: newmixnew
  C2: 94.140.115.194:31858
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/972-119-0x0000000002040000-0x0000000002062000-memory.dmp   family_redline
  behavioral1/memory/972-120-0x00000000020F0000-0x0000000002110000-memory.dmp   family_redline
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
  pid    Process
  1396   keygen-pr.exe
  512    keygen-step-1.exe
  1320   keygen-step-6.exe
  1632   keygen-step-3.exe
  1680   keygen-step-4.exe
  1608   key.exe
  1964   KiffAppE2.exe
  972    PlsWnEU2.exe
- Loads dropped DLL (15 IoCs; one row per loading process, with the number of loads in the last column)
  pid    Process             loads
  1620   cmd.exe             6
  1396   keygen-pr.exe       4
  1680   keygen-step-4.exe   4
  1608   key.exe             1
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  22     ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  description        ioc                                                                                                                                 Process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349             keygen-step-6.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob, decodes to the Comodo "AAA Certificate Services" root; omitted)   keygen-step-6.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)   keygen-step-6.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13             KiffAppE2.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (hex-encoded certificate blob, decodes to the "DST Root CA X3" root; omitted)   KiffAppE2.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid    Process
  272    PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  972    PlsWnEU2.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1964   KiffAppE2.exe
  Token: SeDebugPrivilege   972    PlsWnEU2.exe
- Suspicious use of WriteProcessMemory (57 IoCs; repeated calls between the same pair of processes are collapsed, with the call count in the last column)
  description                         Process                                     procid_target   calls
  PID 1096 wrote to memory of 1620    Dot.Tk.123.ticket.keygen.by.CORE.bin.exe    29              4
  PID 1620 wrote to memory of 1396    cmd.exe                                     31              7
  PID 1620 wrote to memory of 512     cmd.exe                                     33              4
  PID 1620 wrote to memory of 1320    cmd.exe                                     32              4
  PID 1620 wrote to memory of 1632    cmd.exe                                     35              4
  PID 1620 wrote to memory of 1680    cmd.exe                                     34              4
  PID 1396 wrote to memory of 1608    keygen-pr.exe                               36              7
  PID 1680 wrote to memory of 1964    keygen-step-4.exe                           38              4
  PID 1608 wrote to memory of 428     key.exe                                     39              7
  PID 1964 wrote to memory of 972     KiffAppE2.exe                               42              4
  PID 1320 wrote to memory of 948     keygen-step-6.exe                           44              4
  PID 948 wrote to memory of 272      cmd.exe                                     46              4
Processes
C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe (PID 1096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1620)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe (PID 1396)
      Command line: keygen-pr.exe -p83fsase3Ge
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe (PID 1608)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe (PID 428)
          Command line: C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe (PID 1320)
      Command line: keygen-step-6.exe
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 948)
        Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 272)
          Command line: ping 127.0.0.1
          - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe (PID 512)
      Command line: keygen-step-1.exe
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe (PID 1680)
      Command line: keygen-step-4.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe (PID 1964)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe"
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\Documents\PlsWnEU2.exe (PID 972)
          Command line: "C:\Users\Admin\Documents\PlsWnEU2.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe (PID 1632)
      Command line: keygen-step-3.exe
      - Executes dropped EXE