Analysis
max time kernel: 277s
max time network: 257s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30/12/2022, 22:17
Behavioral task: behavioral1
Sample: 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe
Resource: win10-20220901-en
General
Target: 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe
Size: 235KB
MD5: 5e445faf7b08cf2ffcac7b38c5d70d5d
SHA1: 877098531fb4049581a7c81353fc3c7d7dd2083a
SHA256: 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4
SHA512: 9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31
SSDEEP: 6144:IkwjBO99g6779r0psUhmiIuVyD2NgCJgN:1TrOh2uVyCNnS
Malware Config
Extracted: amadey
  3.63
  62.204.41.91/8kcnjd3da3/index.php
Extracted: redline
  letgo
  80.66.87.13:22346
  auth_value: 9a4217b7e3f4309698e5e6d932e3545e
Signatures
Detect Amadey credential stealer module (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000600000001ac18-767.dat | amadey_cred_module
  behavioral2/files/0x000600000001ac18-766.dat | amadey_cred_module
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  9 | 4716 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE (7 IoCs)
  pid | Process
  3972 | nbveek.exe
  1564 | pypfhc2o51o.exe
  4276 | nbveek.exe
  96 | nbveek.exe
  3904 | nbveek.exe
  2608 | nbveek.exe
  4892 | nbveek.exe
Loads dropped DLL (1 IoCs)
  pid | Process
  4716 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Uses the VBS compiler for execution (1 TTPs)
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1564 set thread context of 4968 | 1564 | pypfhc2o51o.exe | 71
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3168 | 1564 | WerFault.exe | 69
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4364 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4968 | vbc.exe
  4968 | vbc.exe
  4716 | rundll32.exe
  4716 | rundll32.exe
  4716 | rundll32.exe
  4716 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4968 | vbc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 2796 wrote to memory of 3972 | 2796 | 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe | 66
  PID 2796 wrote to memory of 3972 | 2796 | 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe | 66
  PID 2796 wrote to memory of 3972 | 2796 | 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe | 66
  PID 3972 wrote to memory of 4364 | 3972 | nbveek.exe | 67
  PID 3972 wrote to memory of 4364 | 3972 | nbveek.exe | 67
  PID 3972 wrote to memory of 4364 | 3972 | nbveek.exe | 67
  PID 3972 wrote to memory of 1564 | 3972 | nbveek.exe | 69
  PID 3972 wrote to memory of 1564 | 3972 | nbveek.exe | 69
  PID 3972 wrote to memory of 1564 | 3972 | nbveek.exe | 69
  PID 1564 wrote to memory of 4968 | 1564 | pypfhc2o51o.exe | 71
  PID 1564 wrote to memory of 4968 | 1564 | pypfhc2o51o.exe | 71
  PID 1564 wrote to memory of 4968 | 1564 | pypfhc2o51o.exe | 71
  PID 1564 wrote to memory of 4968 | 1564 | pypfhc2o51o.exe | 71
  PID 1564 wrote to memory of 4968 | 1564 | pypfhc2o51o.exe | 71
  PID 3972 wrote to memory of 4716 | 3972 | nbveek.exe | 76
  PID 3972 wrote to memory of 4716 | 3972 | nbveek.exe | 76
  PID 3972 wrote to memory of 4716 | 3972 | nbveek.exe | 76
outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes (the bracketed number is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2796
  [2] C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3972
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
        - Creates scheduled task(s)
        PID: 4364
    [3] C:\Users\Admin\AppData\Local\Temp\1000001001\pypfhc2o51o.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\pypfhc2o51o.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 1564
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4968
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 236
          - Program crash
          PID: 3168
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - outlook_win_path
        PID: 4716
[1] C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    - Executes dropped EXE
    PID: 4276
[1] C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    - Executes dropped EXE
    PID: 96
[1] C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    - Executes dropped EXE
    PID: 3904
[1] C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    - Executes dropped EXE
    PID: 2608
[1] C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
    - Executes dropped EXE
    PID: 4892
Network
MITRE ATT&CK Enterprise v6
Downloads (identical entries collapsed; the count shows how many times each appears in the original list)
Filesize: 356KB (listed 2 times)
MD5: 114738737463a73a549ac1221afd045c
SHA1: 70feebd89e898537d4ccfe2522e29af1568d4e68
SHA256: 32551f9124a359edf3435979372676a4c5bbaeb0423cc3ec53d382abb39d850f
SHA512: b52490e2c5dd34779715580d5eb885011eee17994a104afb6e1f4a10ba629d09494d89748bf18171ae95cd43a7e02211c8bace8c34343b0e889a6c0ed2d8e135

Filesize: 235KB (listed 7 times)
MD5: 5e445faf7b08cf2ffcac7b38c5d70d5d
SHA1: 877098531fb4049581a7c81353fc3c7d7dd2083a
SHA256: 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4
SHA512: 9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

Filesize: 126KB (listed 2 times)
MD5: 4a9e02f2913522b55571d2644800e15b
SHA1: 9167a2b50bd7357737cf3b06686260736c318f2a
SHA256: 4a48124561b1a5c5f3c80fc5f5a71d520dc6961f85c9162bd282b5acf4dd3ecc
SHA512: 844087e9980860ca957bcd6f7d51b9e26d603f61c4cd49d4bd7a33afe6f4f78baf1e483dcef775d908e6a12e43204874a011da44f9ff059edfb44ede541e562b