Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
12/04/2022, 08:28
General
-
Target
209609199e47fecdd76a96dabf1f9cf5.exe
-
Size
372KB
-
MD5
209609199e47fecdd76a96dabf1f9cf5
-
SHA1
4ad578096b72f376bd012d3f3ba6a6cd7f162432
-
SHA256
217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8
-
SHA512
b8893d5d367afb465420e1c0671510db6b1f4603458a0bd416f5ded0f670f7ccdef37133ddf0049dccd822d6b42b0565a94f7f0530d6093d80cedc4638ae08d9
Malware Config
Extracted
redline
123
188.68.205.12:7053
-
auth_value
cba3087b3c1a6a9c43b3f96591452ea2
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
LoaderBot executable 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe"C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\1.exe"C:\ProgramData\1.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\M3gJNbpqWpct.exe"C:\Users\Public\M3gJNbpqWpct.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\BEgHvre3gJNc.exe"C:\Users\Public\BEgHvre3gJNc.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F37.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Graphics Status v3.7.1"5⤵
-
-
C:\Windows\system32\timeout.exetimeout 45⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe"C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\94a20494585a4036.exe"C:\Users\Admin\AppData\Local\Temp\94a20494585a4036.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\MinerFull.exe"C:\ProgramData\MinerFull.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4528 -s 7609⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 4528 -ip 45281⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
233KB
MD5a9d9617466a30b874b80d4fd6465f46b
SHA1b6e42e3a1fbc20c78e003b065440733fb1cafe84
SHA25615791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
SHA512ec3d90e3c7b9427ecb9097941a37872c195cc389bf45a78b7c343d7d964fcf999266cee8bea78907cb302d318b74035948b7db760903692e4275d5016d3e1c89
-
Filesize
233KB
MD5a9d9617466a30b874b80d4fd6465f46b
SHA1b6e42e3a1fbc20c78e003b065440733fb1cafe84
SHA25615791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
SHA512ec3d90e3c7b9427ecb9097941a37872c195cc389bf45a78b7c343d7d964fcf999266cee8bea78907cb302d318b74035948b7db760903692e4275d5016d3e1c89
-
Filesize
42KB
MD5c523d423234494eeb7b60a892d7a4bea
SHA1db992908237ee2ab5c07f4362b9a29516ac09a5d
SHA25698c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
SHA5120aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec
-
Filesize
42KB
MD5c523d423234494eeb7b60a892d7a4bea
SHA1db992908237ee2ab5c07f4362b9a29516ac09a5d
SHA25698c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
SHA5120aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec
-
Filesize
4.0MB
MD55c7bc4cc56f6e6acb801210bc6eda798
SHA1541b6f50091fdc17c2bc8d596c0e202b854fb991
SHA25648f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9
SHA51266558bf8679c264c507a1fb8da2fd81347b339d3786487895f902330d63bf9b44be5a136061b0848801b768fea3e525b934d1b04c2cef959cc878b421c6cbd5d
-
Filesize
4.0MB
MD55c7bc4cc56f6e6acb801210bc6eda798
SHA1541b6f50091fdc17c2bc8d596c0e202b854fb991
SHA25648f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9
SHA51266558bf8679c264c507a1fb8da2fd81347b339d3786487895f902330d63bf9b44be5a136061b0848801b768fea3e525b934d1b04c2cef959cc878b421c6cbd5d
-
Filesize
4.0MB
MD545ccdc665b047ab84fc2d04ddcf6729b
SHA15d7bc4689fef8615b143038f7ba67a1104e79fda
SHA2566b583db54753e31f22ad81e127a69bd38ca35570bc6f248dd303644b71cf0c60
SHA51220ec94993497c3eea667872d51ad2c4aca341dd80b4110159000b5d5738bfdf72cade5cb90da4b30aead9b01003c668de551c0c64bc63a4741173b84e8662450
-
Filesize
4.0MB
MD545ccdc665b047ab84fc2d04ddcf6729b
SHA15d7bc4689fef8615b143038f7ba67a1104e79fda
SHA2566b583db54753e31f22ad81e127a69bd38ca35570bc6f248dd303644b71cf0c60
SHA51220ec94993497c3eea667872d51ad2c4aca341dd80b4110159000b5d5738bfdf72cade5cb90da4b30aead9b01003c668de551c0c64bc63a4741173b84e8662450
-
Filesize
346B
MD51aabe58057931febee95da6f05880cf5
SHA169069ae88256bcfa9284264fdbe68bea0f286033
SHA2567244ba55190d019272fdb6be80babb40c1536adea7676c70469c9a807e820d74
SHA512d37d85e235387659dddf505cafc9cab25573fa8c9abd923fe7e41b3085f5bd1186b4801f13343f1ed21436a54aaa5e87ec4ddc9d5b67be498f145c8aca477100
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
42KB
MD5c523d423234494eeb7b60a892d7a4bea
SHA1db992908237ee2ab5c07f4362b9a29516ac09a5d
SHA25698c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
SHA5120aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec
-
Filesize
42KB
MD5c523d423234494eeb7b60a892d7a4bea
SHA1db992908237ee2ab5c07f4362b9a29516ac09a5d
SHA25698c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
SHA5120aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec
-
Filesize
106KB
MD564eeb5ab677596ec8516a8414428b5d7
SHA14c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a
SHA2562ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3
SHA51216012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439
-
Filesize
106KB
MD564eeb5ab677596ec8516a8414428b5d7
SHA14c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a
SHA2562ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3
SHA51216012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439
-
Filesize
4.0MB
-
Filesize
8KB
-
Filesize
392KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
128KB
-
Filesize
6.1MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
392KB