Analysis
- max time kernel: 100s
- max time network: 90s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06/02/2023, 05:40
Static task
static1
Behavioral task
behavioral1
Sample
8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe
Resource
win10-20220812-en
General
- Target: 8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe
- Size: 632KB
- MD5: 26e1ee357629a742f4a783747168b0a9
- SHA1: 8c351d9900a92c942f9f771a2c21c2a6f318999b
- SHA256: 8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941
- SHA512: d622df15b8a41cd16deb54d29acf332e33939d3ab8094bc6d1638e57d2b730ccb7b9063e91300393f48db82eaf6c494996eec9c317832541dae9a02b03b603e7
- SSDEEP: 12288:GMryy90DLHoVxn+NBngVMoI3ySO1rTiajKoKurQ5uYf:oy6IVxnQnoqySOViajiurQRf
Malware Config
Extracted
- Family: redline
- Botnet: zaur
- C2: 62.204.41.170:4172
- Attributes: auth_value = 8f24dad16e6d64e3d692e48d05640734
Extracted
- Family: amadey
- Version: 3.66
- C2: 62.204.41.5/Bu58Ngs/index.php
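The two extracted configs have different shapes: RedLine gives a bare host:port for its TCP channel, Amadey gives an HTTP URL with the scheme omitted. The following is an added example (not tria.ge code and not from either malware family) of turning both into network matchers and running them over constructed, Zeek-style log lines. The C2 values are the ones above; the log lines, the field layout, and the "flag the rest of the shared /24 at low confidence" heuristic are assumptions made for the example, not facts from the report.

```python
import ipaddress
from urllib.parse import urlsplit

# C2 values from the Malware Config section of this report.
REDLINE_C2 = "62.204.41.170:4172"            # RedLine: host:port over a raw TCP channel
AMADEY_C2 = "62.204.41.5/Bu58Ngs/index.php"  # Amadey: HTTP URL, scheme omitted in the config


def parse_redline_c2(value):
    """RedLine configs carry 'host:port'; return (host, port)."""
    host, port = value.rsplit(":", 1)
    return host, int(port)


def parse_amadey_c2(value):
    """Amadey configs carry a URL, usually without a scheme; return (host, port, path)."""
    parts = urlsplit(value if "://" in value else "http://" + value)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, parts.path


class C2Matcher:
    def __init__(self, redline_c2=REDLINE_C2, amadey_c2=AMADEY_C2):
        self.redline = parse_redline_c2(redline_c2)
        self.amadey = parse_amadey_c2(amadey_c2)
        self.c2_hosts = {self.redline[0], self.amadey[0]}
        # Analyst heuristic (assumption, not stated in the report): both C2 hosts sit
        # in the same /24, so other hosts in that block are flagged at low confidence.
        self.adjacent = {ipaddress.ip_network(f"{h}/24", strict=False) for h in self.c2_hosts}

    def iocs(self):
        """Normalised IOC list as (type, value, confidence) tuples."""
        rl_host, rl_port = self.redline
        am_host, am_port, am_path = self.amadey
        out = [("ip:port", f"{rl_host}:{rl_port}", "high"), ("ip", rl_host, "high"),
               ("url", f"http://{am_host}:{am_port}{am_path}", "high"), ("ip", am_host, "high")]
        out += [("cidr", str(n), "low") for n in sorted(self.adjacent, key=str)]
        return out

    def match_conn(self, dst_ip, dst_port):
        """Classify one outbound connection by destination."""
        if (dst_ip, dst_port) == self.redline:
            return "redline_c2"
        if (dst_ip, dst_port) == self.amadey[:2]:
            return "amadey_c2_host"
        if dst_ip in self.c2_hosts:
            return "c2_ip_other_port"
        if any(ipaddress.ip_address(dst_ip) in n for n in self.adjacent):
            return "c2_adjacent_net"
        return None

    def match_http(self, host, uri):
        """Amadey check-ins go to the configured path; compare host and path, ignore any query."""
        if host == self.amadey[0] and uri.split("?", 1)[0] == self.amadey[2]:
            return "amadey_c2_uri"
        return None


# Constructed sample logs in a cut-down Zeek-like TSV layout (not captures from this run).
# conn: ts  orig_h  orig_p  resp_h  resp_p  proto   (203.0.113.10 is a benign control)
CONN_LOG = (
    "1675662015.1\t10.0.0.5\t49821\t62.204.41.170\t4172\ttcp\n"
    "1675662016.4\t10.0.0.5\t49822\t62.204.41.5\t80\ttcp\n"
    "1675662017.0\t10.0.0.5\t49823\t62.204.41.77\t443\ttcp\n"
    "1675662018.2\t10.0.0.5\t49824\t203.0.113.10\t443\ttcp\n"
)
# http: ts  orig_h  resp_h  resp_p  method  host  uri
HTTP_LOG = (
    "1675662016.5\t10.0.0.5\t62.204.41.5\t80\tPOST\t62.204.41.5\t/Bu58Ngs/index.php\n"
    "1675662019.0\t10.0.0.5\t203.0.113.10\t80\tGET\twww.example.com\t/\n"
)


def scan_conn(log, matcher=None):
    """Return (verdict, resp_h) for every conn line that matches."""
    matcher = matcher or C2Matcher()
    hits = []
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _oh, _op, resp_h, resp_p, _proto = line.split("\t")
        verdict = matcher.match_conn(resp_h, int(resp_p))
        if verdict:
            hits.append((verdict, resp_h))
    return hits


def scan_http(log, matcher=None):
    """Return (verdict, host, uri) for every http line that matches."""
    matcher = matcher or C2Matcher()
    hits = []
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _oh, _rh, _rp, _method, host, uri = line.split("\t")
        verdict = matcher.match_http(host, uri)
        if verdict:
            hits.append((verdict, host, uri))
    return hits


if __name__ == "__main__":
    for ioc in C2Matcher().iocs():
        print(ioc)
    print(scan_conn(CONN_LOG))
    print(scan_http(HTTP_LOG))
```

The conn matcher keys on destination IP and port because RedLine's channel is not HTTP and carries no hostname; the http matcher compares host plus path so a check-in with a query string still matches. A hit on the /24 alone is a lead to pivot on, not a verdict.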
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
mika.exe writes five Real-Time Protection policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, turning off behaviour monitoring, IOAV (download and attachment) scanning, on-access scanning and real-time monitoring.

description      ioc                                                                                                                Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    mika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        mika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    mika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    mika.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  mika.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
Both memory regions belong to PID 4328 (arZz.exe), which ties the extracted RedLine config to that process.

resource                                                                      yara_rule
behavioral1/memory/4328-266-0x0000000002520000-0x0000000002566000-memory.dmp  family_redline
behavioral1/memory/4328-275-0x00000000025A0000-0x00000000025E4000-memory.dmp  family_redline
Executes dropped EXE 7 IoCs
pid   Process
4424  rocku.exe
4328  arZz.exe
4556  mika.exe
4592  vona.exe
3204  mnolyk.exe
4900  mnolyk.exe
4536  mnolyk.exe

Loads dropped DLL 1 IoCs
pid   Process
4192  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
The same process that disables the Real-Time Protection policies also writes TamperProtection = 0 directly under the Defender Features key.

description      ioc                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  mika.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
The wextract_cleanupN RunOnce values are written by the IExpress/WEXTRACT self-extractor that the first two stages are packed with: they call advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction directory at next logon. They are clean-up, not persistence; the persistence in this run is the scheduled task created by mnolyk.exe.

description      ioc                                                                                                                                                                          Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                              8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                              rocku.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  rocku.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; in this sample it occurs inside a stealer/loader chain (RedLine and Amadey, per the extracted configs) and no file encryption is recorded, so read it as drive enumeration by the stealer rather than as ransomware.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created with /SC MINUTE /MO 1 and points at the dropped mnolyk.exe (see the process tree), and the two top-level mnolyk.exe processes (PIDs 4900 and 4536) are consistent with that task firing.

pid  Process
496  schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
4328  arZz.exe
4328  arZz.exe
4556  mika.exe
4556  mika.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  4328  arZz.exe
Token: SeDebugPrivilege  4556  mika.exe
Suspicious use of WriteProcessMemory 41 IoCs
The sandbox logs each parent-to-child write three times (twice for 4424 to 4556); the table collapses the repeats, so the 41 IoCs are 14 parent/child pairs. The target process name is taken from the process tree. Every entry is a parent writing into a child it has just created, which is what CreateProcess does; no write into an unrelated process is recorded, so this is not evidence of injection on its own.

description                       pid   Process                                                                 target Process  procid_target  count
PID 2660 wrote to memory of 4424  2660  8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe  rocku.exe       66             3
PID 4424 wrote to memory of 4328  4424  rocku.exe                                                               arZz.exe        67             3
PID 4424 wrote to memory of 4556  4424  rocku.exe                                                               mika.exe        69             2
PID 2660 wrote to memory of 4592  2660  8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe  vona.exe        70             3
PID 4592 wrote to memory of 3204  4592  vona.exe                                                                mnolyk.exe      71             3
PID 3204 wrote to memory of 496   3204  mnolyk.exe                                                              schtasks.exe    72             3
PID 3204 wrote to memory of 1892  3204  mnolyk.exe                                                              cmd.exe         73             3
PID 1892 wrote to memory of 2208  1892  cmd.exe                                                                 cmd.exe         76             3
PID 1892 wrote to memory of 2204  1892  cmd.exe                                                                 cacls.exe       77             3
PID 1892 wrote to memory of 4420  1892  cmd.exe                                                                 cacls.exe       78             3
PID 1892 wrote to memory of 4748  1892  cmd.exe                                                                 cmd.exe         79             3
PID 1892 wrote to memory of 4764  1892  cmd.exe                                                                 cacls.exe       80             3
PID 1892 wrote to memory of 1212  1892  cmd.exe                                                                 cacls.exe       81             3
PID 3204 wrote to memory of 4192  3204  mnolyk.exe                                                              rundll32.exe    83             3
Processes

The leading number is the tree depth from the original page (1 = top level); each entry gives the image path, the recorded PID, the command line and the signatures that fired on that process.

1  C:\Users\Admin\AppData\Local\Temp\8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe  PID:2660
   cmdline: "C:\Users\Admin\AppData\Local\Temp\8116bc0e187a8096b28830226868b95b91c89a2aa9ad4c78f864603cc4a7c941.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rocku.exe  PID:4424
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rocku.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\arZz.exe  PID:4328
         cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\arZz.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe  PID:4556
         cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe  PID:4592
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe  PID:3204
         cmdline: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\schtasks.exe  PID:496
            cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
            - Creates scheduled task(s)
         4  C:\Windows\SysWOW64\cmd.exe  PID:1892
            cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\cmd.exe  PID:2208
               cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5  C:\Windows\SysWOW64\cacls.exe  PID:2204
               cmdline: CACLS "mnolyk.exe" /P "Admin:N"
            5  C:\Windows\SysWOW64\cacls.exe  PID:4420
               cmdline: CACLS "mnolyk.exe" /P "Admin:R" /E
            5  C:\Windows\SysWOW64\cmd.exe  PID:4748
               cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5  C:\Windows\SysWOW64\cacls.exe  PID:4764
               cmdline: CACLS "..\5eb6b96734" /P "Admin:N"
            5  C:\Windows\SysWOW64\cacls.exe  PID:1212
               cmdline: CACLS "..\5eb6b96734" /P "Admin:R" /E
         4  C:\Windows\SysWOW64\rundll32.exe  PID:4192
            cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            - Loads dropped DLL
1  C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe  PID:4900
   cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
   - Executes dropped EXE
1  C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe  PID:4536
   cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
   - Executes dropped EXE

Two points worth reading out of the tree. The image path is under C:\Windows\SysWOW64 while the command line names C:\Windows\System32: that is WoW64 file-system redirection for a 32-bit parent, so detection should key on the image basename rather than the full path. The cacls sequence first replaces the ACL on mnolyk.exe and its directory with an explicit deny for the user (/P "Admin:N"), then edits it to add read-only (/P "Admin:R" /E), leaving the files readable but not deletable or writable by the account that dropped them.
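Detection logic for the host-side behaviour in this chain, written as an added example (not tria.ge code, not the malware's code): the Defender Real-Time Protection policy values and TamperProtection being set by mika.exe, the per-minute scheduled task whose action lives under a user-writable path, the cacls deny-all on the dropped binary, and rundll32 loading a DLL from AppData\Roaming. The event records are constructed dictionaries in a Sysmon-like shape (EventID 1 = process create, 13 = registry value set); those field names are an assumption, not a specific product's schema. The registry keys, command lines and PIDs are taken from this report; PID 5000 is a constructed benign control.

```python
import re
from collections import defaultdict

# Real-Time Protection policy values that mika.exe set to 1 in this report.
DEFENDER_POLICY = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableBehaviorMonitoring|DisableIOAVProtection|DisableOnAccessProtection|"
    r"DisableRealtimeMonitoring|DisableScanOnRealtimeEnable)$", re.I)
TAMPER_PROTECTION = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
# Anything under a user's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def normalize_key(key):
    """Map the native key form used in the report (\\REGISTRY\\MACHINE\\...) to the HKLM\\ form Sysmon logs."""
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; also accept a bare integer."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details.strip(), re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def check_registry(ev):
    """Rules for registry value-set events (EventID 13)."""
    key = normalize_key(ev["TargetObject"])
    val = parse_dword(ev.get("Details", ""))
    if DEFENDER_POLICY.match(key) and val == 1:
        return "defender_realtime_policy_disabled"
    if TAMPER_PROTECTION.match(key) and val == 0:
        return "defender_tamper_protection_off"
    return None


def check_process(ev):
    """Rules for process-create events (EventID 1). Keys on the image basename because
    WoW64 redirection makes the logged image C:\\Windows\\SysWOW64\\... while the
    command line says System32, as seen in this report."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image == "schtasks.exe":
        tr = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        if ("/create" in cmd.lower() and re.search(r"/sc\s+minute", cmd, re.I)
                and tr and USER_WRITABLE.search(tr.group(1))):
            return "schtasks_minute_user_writable_path"
    elif image == "cacls.exe":
        # '/P user:N' replaces the ACL with an explicit deny-all for that user, which is
        # how the dropped mnolyk.exe is protected from deletion in this run.
        if re.search(r'/p\s+"?[^"\s:]+:n\b', cmd, re.I):
            return "cacls_deny_all_self_protection"
    elif image == "rundll32.exe":
        dll = re.search(r'([A-Z]:\\[^,"]+\.dll)', cmd, re.I)
        if dll and USER_WRITABLE.search(dll.group(1)):
            return "rundll32_dll_from_user_profile"
    return None


def detect(events):
    """Return (rule, pid) for every event that trips a rule."""
    hits = []
    for ev in events:
        rule = check_registry(ev) if ev["EventID"] == 13 else (
            check_process(ev) if ev["EventID"] == 1 else None)
        if rule:
            hits.append((rule, ev["ProcessId"]))
    return hits


def rules_by_pid(events):
    """Group distinct rule names per process so one noisy process is triaged once."""
    grouped = defaultdict(set)
    for rule, pid in detect(events):
        grouped[pid].add(rule)
    return dict(grouped)


RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed events mirroring this report's IoCs; Sysmon-like field names are an assumption.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 4556, "TargetObject": RTP + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 4556, "TargetObject": RTP + r"\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 4556, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventID": 1, "ProcessId": 496, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe '
                    r'/TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F'},
    {"EventID": 1, "ProcessId": 2204, "Image": r"C:\Windows\SysWOW64\cacls.exe",
     "CommandLine": 'CACLS "mnolyk.exe" /P "Admin:N"'},
    {"EventID": 1, "ProcessId": 4420, "Image": r"C:\Windows\SysWOW64\cacls.exe",
     "CommandLine": 'CACLS "mnolyk.exe" /P "Admin:R" /E'},
    {"EventID": 1, "ProcessId": 4192, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
]

if __name__ == "__main__":
    for pid, rules in sorted(rules_by_pid(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
```

The registry rules fire on value plus data, not on the key alone, so an administrator re-enabling monitoring (value 0) does not trip them; the schtasks rule requires all three of /Create, a per-minute schedule and an action under AppData, which the constructed daily Program Files task does not meet. The cacls rule only flags the deny step, which is the unusual one; the follow-up /E grant is left to context.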
Network
MITRE ATT&CK Enterprise v6
Downloads
14 entries covering 5 unique files; entries with identical hashes are collapsed and the count gives how many entries shared them.

File 1 (6 entries)
- Filesize: 236KB
- MD5: fde8915d251fada3a37530421eb29dcf
- SHA1: 44386a8947ddfab993409945dae05a772a13e047
- SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
- SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

File 2 (2 entries)
- Filesize: 445KB
- MD5: aa93bc544bbddec94129ddea5454f2c8
- SHA1: 68ca7cdfd1cd5a3752a27aed0d1a21d26723cc0d
- SHA256: d8206ecfd2a5a7ec83a7d3f5f7ffd08865408e43836aad5ba18795de8e1c9979
- SHA512: 24c59a0a519fc4ea3fee4e6c2a19b4ea5bcc9b78d9085bd7faab5089425ac8bc107b4509492e9891051813c23ebb7bfd845e8db9273f87101e7cc81b08cf613a

File 3 (2 entries)
- Filesize: 405KB
- MD5: 10ff7a078f497951440ad324057eba7f
- SHA1: 08bbc2a155a1dcb015b5d1e4c01c169025883aaf
- SHA256: 3cdb7553fb4a23c8a8fbe15269794d9883fc0db9cd2b77eb440c1ea33c32aea6
- SHA512: d9b4166281042c0088a0885077fc4f86e8c9b6da85d490d71691a6d6b0ee38c5bd9a1bb407f424e00848319af9f11849052ba0ec92f870ac5868eeaed5180d1d

File 4 (2 entries)
- Filesize: 11KB
- MD5: 7e93bacbbc33e6652e147e7fe07572a0
- SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
- SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
- SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

File 5 (2 entries)
- Filesize: 89KB
- MD5: 9221a421a3e777eb7d4ce55e474bcc4a
- SHA1: c96d7bd7ccbf9352d50527bff472595b3dc5298e
- SHA256: 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
- SHA512: 63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3