Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 12/04/2022, 08:28
Static task: static1
Behavioral task behavioral1: sample 209609199e47fecdd76a96dabf1f9cf5.exe, resource win7-20220331-en
Behavioral task behavioral2: sample 209609199e47fecdd76a96dabf1f9cf5.exe, resource win10v2004-20220331-en
General
Target: 209609199e47fecdd76a96dabf1f9cf5.exe
Size: 372KB
MD5: 209609199e47fecdd76a96dabf1f9cf5
SHA1: 4ad578096b72f376bd012d3f3ba6a6cd7f162432
SHA256: 217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8
SHA512: b8893d5d367afb465420e1c0671510db6b1f4603458a0bd416f5ded0f670f7ccdef37133ddf0049dccd822d6b42b0565a94f7f0530d6093d80cedc4638ae08d9
Malware Config
Extracted
Family: redline
Botnet: 123
C2: 188.68.205.12:7053
auth_value: cba3087b3c1a6a9c43b3f96591452ea2
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000021e47-131.dat | family_redline
behavioral2/files/0x0008000000021e47-135.dat | family_redline
behavioral2/memory/4580-137-0x00000000009C0000-0x00000000009E0000-memory.dmp | family_redline

LoaderBot executable (3 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000021e73-168.dat | loaderbot
behavioral2/files/0x0007000000021e73-169.dat | loaderbot
behavioral2/memory/2056-170-0x0000000000190000-0x0000000000590000-memory.dmp | loaderbot

Downloads MZ/PE file

Executes dropped EXE (8 IoCs)
pid | Process
4852 | 1.exe
4580 | M3gJNbpqWpct.exe
4588 | BEgHvre3gJNc.exe
3416 | 5d0aad9e.exe
5116 | 94a20494585a4036.exe
2056 | MinerFull.exe
4528 | Driver.exe
4108 | Driver.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | MinerFull.exe
Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | 209609199e47fecdd76a96dabf1f9cf5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | 1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | 94a20494585a4036.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerFull.exe" | MinerFull.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | checkip.amazonaws.com
80 | ipinfo.io
81 | ipinfo.io
82 | ip-api.com
87 | checkip.amazonaws.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1908 | 4528 | WerFault.exe | 108

Delays execution with timeout.exe (1 IoCs)
pid | Process
2752 | timeout.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
4580 | M3gJNbpqWpct.exe
2056 | MinerFull.exe (this row is repeated 25 times)

Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
648 | Process not Found

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3352 | 209609199e47fecdd76a96dabf1f9cf5.exe
Token: SeDebugPrivilege | 4588 | BEgHvre3gJNc.exe
Token: SeDebugPrivilege | 4580 | M3gJNbpqWpct.exe
Token: SeDebugPrivilege | 3416 | 5d0aad9e.exe
Token: SeDebugPrivilege | 5116 | 94a20494585a4036.exe
Token: SeDebugPrivilege | 2056 | MinerFull.exe
Token: SeLockMemoryPrivilege | 4528 | Driver.exe (repeated 2 times)
Token: SeLockMemoryPrivilege | 4108 | Driver.exe (repeated 2 times)

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 3352 wrote to memory of 4852 | 3352 | 209609199e47fecdd76a96dabf1f9cf5.exe | 82 (repeated 3 times)
PID 4852 wrote to memory of 4580 | 4852 | 1.exe | 83 (repeated 3 times)
PID 4852 wrote to memory of 4588 | 4852 | 1.exe | 84 (repeated 2 times)
PID 4588 wrote to memory of 4216 | 4588 | BEgHvre3gJNc.exe | 101 (repeated 2 times)
PID 4216 wrote to memory of 4440 | 4216 | cmd.exe | 103 (repeated 2 times)
PID 4216 wrote to memory of 2752 | 4216 | cmd.exe | 104 (repeated 2 times)
PID 4216 wrote to memory of 3416 | 4216 | cmd.exe | 105 (repeated 2 times)
PID 3416 wrote to memory of 5116 | 3416 | 5d0aad9e.exe | 106 (repeated 2 times)
PID 5116 wrote to memory of 2056 | 5116 | 94a20494585a4036.exe | 107 (repeated 3 times)
PID 2056 wrote to memory of 4528 | 2056 | MinerFull.exe | 108 (repeated 2 times)
PID 2056 wrote to memory of 4108 | 2056 | MinerFull.exe | 113 (repeated 2 times)
Processes
(process tree; indentation shows parent/child depth as reported)

C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe  (depth 1, PID 3352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\1.exe  (depth 2, PID 4852)
    Command line: "C:\ProgramData\1.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\M3gJNbpqWpct.exe  (depth 3, PID 4580)
      Command line: "C:\Users\Public\M3gJNbpqWpct.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Public\BEgHvre3gJNc.exe  (depth 3, PID 4588)
      Command line: "C:\Users\Public\BEgHvre3gJNc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (depth 4, PID 4216)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F37.tmp.bat""
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe  (depth 5, PID 4440)
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Graphics Status v3.7.1"

        C:\Windows\system32\timeout.exe  (depth 5, PID 2752)
          Command line: timeout 4
          - Delays execution with timeout.exe

        C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe  (depth 5, PID 3416)
          Command line: "C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\94a20494585a4036.exe  (depth 6, PID 5116)
            Command line: "C:\Users\Admin\AppData\Local\Temp\94a20494585a4036.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\ProgramData\MinerFull.exe  (depth 7, PID 2056)
              Command line: "C:\ProgramData\MinerFull.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe  (depth 8, PID 4528)
                Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

                C:\Windows\system32\WerFault.exe  (depth 9, PID 1908)
                  Command line: C:\Windows\system32\WerFault.exe -u -p 4528 -s 760
                  - Program crash

              C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe  (depth 8, PID 4108)
                Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe  (depth 1, PID 1256)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 444 -p 4528 -ip 4528
Network
MITRE ATT&CK Enterprise v6
Downloads