Analysis
-
max time kernel
134s
-
max time network
149s
-
platform
windows10-1703_x64
-
resource
win10-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
-
submitted
10/02/2023, 14:41
Static task
static1
Behavioral task
behavioral1
Sample
823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe
Resource
win10-20220812-en
General
-
Target
823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe
-
Size
783KB
-
MD5
242f4f5467d7ce3175f4297d160abb5b
-
SHA1
6d20d85f04c40343ef8262ad898a7425f162d49b
-
SHA256
823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c
-
SHA512
fda6882f118a02dd1c29999362855edd82d2c7dfba51113d6edb2b37194ae910bb2258904f723f9d77aeeba0aa4ab135ad356b2bd69ffdf2fa4709d8c2bf0ecf
-
SSDEEP
12288:qMrtGy90Z359uiA6AmnY2c/0BhUfJqKW66RC6WBkVUYIk9X4:yy+Gi/AmzC0YJI6r6WkVF/l4
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.5/Bu58Ngs/index.php
-
Extracted
Family: redline
Botnet: romka
C2: 193.233.20.11:4131
auth_value: fcbb3247051f5290e8ac5b1a841af67b
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource                                                                      yara_rule
behavioral1/memory/4212-639-0x0000000002420000-0x0000000002466000-memory.dmp    family_redline
behavioral1/memory/4212-645-0x00000000024C0000-0x0000000002504000-memory.dmp    family_redline
Both dumps come from PID 4212 (tnp76lQ.exe), the same process that requests SeDebugPrivilege in the AdjustPrivilegeToken signature below.
-
Executes dropped EXE 6 IoCs
PID   Process
3500  cxp91BD.exe
4672  cDO57Th.exe
4652  cIo98.exe
2464  mnolyk.exe
4212  tnp76lQ.exe
4828  mnolyk.exe
-
Loads dropped DLL 1 IoCs
PID   Process
4036  rundll32.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Description      IoC                                                                                               Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                   823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                   cxp91BD.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   cxp91BD.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                   cDO57Th.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   cDO57Th.exe
Note: wextract_cleanupN RunOnce values are written by the Windows self-extractor (wextract, the IExpress packager runtime) for each extraction layer; each one only schedules deletion of that layer's IXP00N.TMP directory through advpack's DelNodeRunDLL32 and launches no payload. The three values (0, 1, 2) show the sample is a three-deep nest of self-extracting packages, which is why this signature fires; the sample's actual persistence is the scheduled task below. The WOW6432Node path means the writers are 32-bit processes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but the same heuristic fires when loaders and stealers enumerate drives; the configurations extracted from this sample belong to the Amadey loader and the RedLine stealer, and nothing else in this report points to file encryption.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID   Process
3216  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Description              PID   Process
Token: SeDebugPrivilege  4212  tnp76lQ.exe
Suspicious use of WriteProcessMemory 42 IoCs
Every parent-to-child write appears three times in the report; the 14 distinct writes (source PID and image, target PID, sandbox procid_target) are:
2780 823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe -> 3500 (procid_target 66), x3
3500 cxp91BD.exe -> 4672 (67), x3
4672 cDO57Th.exe -> 4652 (68), x3
4652 cIo98.exe -> 2464 (69), x3
4672 cDO57Th.exe -> 4212 (70), x3
2464 mnolyk.exe -> 3216 (71), x3
2464 mnolyk.exe -> 1004 (72), x3
1004 cmd.exe -> 1848 (75), x3
1004 cmd.exe -> 2164 (76), x3
1004 cmd.exe -> 2852 (77), x3
1004 cmd.exe -> 4344 (78), x3
1004 cmd.exe -> 4984 (79), x3
1004 cmd.exe -> 4680 (80), x3
2464 mnolyk.exe -> 4036 (81), x3
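The WriteProcessMemory list is the raw material from which the process tree further down is built. The Python below is an added example, not part of the tria.ge report or its tooling: it parses lines in the report's format, collapses the triplicate records and rebuilds the parent-child tree, then reports the deepest dropper chain. The event text is copied from this report (the duplicate copies of the first event are kept so the dedup step has work to do); the function names are the example's own.

```python
"""Rebuild a parent->child process tree from tria.ge-style WriteProcessMemory
events. Added example; not part of the tria.ge report or its tooling."""
import re
from collections import defaultdict

# Constructed input: the 14 distinct events from this report's
# "Suspicious use of WriteProcessMemory" section, each written once, plus the
# report's two extra copies of the first event (every write is listed three
# times there) so that parse_events() has something to de-duplicate.
EVENTS = """\
PID 2780 wrote to memory of 3500 2780 823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe 66
PID 2780 wrote to memory of 3500 2780 823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe 66
PID 2780 wrote to memory of 3500 2780 823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe 66
PID 3500 wrote to memory of 4672 3500 cxp91BD.exe 67
PID 4672 wrote to memory of 4652 4672 cDO57Th.exe 68
PID 4652 wrote to memory of 2464 4652 cIo98.exe 69
PID 4672 wrote to memory of 4212 4672 cDO57Th.exe 70
PID 2464 wrote to memory of 3216 2464 mnolyk.exe 71
PID 2464 wrote to memory of 1004 2464 mnolyk.exe 72
PID 1004 wrote to memory of 1848 1004 cmd.exe 75
PID 1004 wrote to memory of 2164 1004 cmd.exe 76
PID 1004 wrote to memory of 2852 1004 cmd.exe 77
PID 1004 wrote to memory of 4344 1004 cmd.exe 78
PID 1004 wrote to memory of 4984 1004 cmd.exe 79
PID 1004 wrote to memory of 4680 1004 cmd.exe 80
PID 2464 wrote to memory of 4036 2464 mnolyk.exe 81
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <sandbox procid_target>"
LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_events(text):
    """Return ordered, de-duplicated (parent_pid, child_pid, parent_image) tuples."""
    seen, out = set(), []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, src_again, image, _target = m.groups()
        if src != src_again:  # the writer PID is repeated in the line; skip malformed rows
            continue
        key = (int(src), int(dst), image)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def build_tree(events):
    """Adjacency list, image names for every PID that wrote, and the root PIDs."""
    children = defaultdict(list)
    names = {}
    all_children = set()
    for parent, child, image in events:
        children[parent].append(child)
        names.setdefault(parent, image)  # only writers have a name in this data
        all_children.add(child)
    roots = [p for p in children if p not in all_children]
    return children, names, roots


def longest_chain(children, root):
    """Deepest parent->child path; a long chain of droppers is itself a triage signal."""
    best = [root]
    for c in children.get(root, []):
        cand = [root] + longest_chain(children, c)
        if len(cand) > len(best):
            best = cand
    return best


def render(children, names, node, depth=0):
    """Indented text tree; PIDs that never wrote to another process show as '?'."""
    lines = [f"{'  ' * depth}{node} {names.get(node, '?')}"]
    for c in children.get(node, []):
        lines.extend(render(children, names, c, depth + 1))
    return lines


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    ch, nm, roots = build_tree(ev)
    for r in roots:
        print("\n".join(render(ch, nm, r)))
    print("deepest chain:", " -> ".join(map(str, longest_chain(ch, roots[0]))))
```

Only processes that themselves wrote into a child get a name from this list, so leaves such as schtasks.exe (3216) or rundll32.exe (4036) have to be named from the process section; the second mnolyk.exe instance (4828) never appears here at all because nothing in the tree spawned it.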
Processes
[1] C:\Users\Admin\AppData\Local\Temp\823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\823ffd3278c8a81b3c07e04b3b7dcb0335a4eb8f68de27b17fae60e676bc548c.exe"
    PID 2780; Adds Run key to start application; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cxp91BD.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cxp91BD.exe
      PID 3500; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cDO57Th.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cDO57Th.exe
        PID 4672; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cIo98.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cIo98.exe
          PID 4652; Executes dropped EXE; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
            PID 2464; Executes dropped EXE; Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
              PID 3216; Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
              PID 1004; Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe     cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"     PID 1848
            [7] C:\Windows\SysWOW64\cacls.exe   cmdline: CACLS "mnolyk.exe" /P "Admin:N"                   PID 2164
            [7] C:\Windows\SysWOW64\cacls.exe   cmdline: CACLS "mnolyk.exe" /P "Admin:R" /E                PID 2852
            [7] C:\Windows\SysWOW64\cmd.exe     cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"     PID 4344
            [7] C:\Windows\SysWOW64\cacls.exe   cmdline: CACLS "..\5eb6b96734" /P "Admin:N"                PID 4984
            [7] C:\Windows\SysWOW64\cacls.exe   cmdline: CACLS "..\5eb6b96734" /P "Admin:R" /E             PID 4680
          [6] C:\Windows\SysWOW64\rundll32.exe
              cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              PID 4036; Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tnp76lQ.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tnp76lQ.exe
          PID 4212; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    PID 4828; Executes dropped EXE
Reading the tree:
- Image paths under C:\Windows\SysWOW64 while the command lines name System32 mean the parent is a 32-bit process and WOW64 file-system redirection applied, consistent with the WOW6432Node registry writes in the Signatures section.
- The cmd.exe line under mnolyk.exe (PID 1004) first denies the current user (Admin) all access to mnolyk.exe and to its directory (":N"), then re-adds read-only access (":R" with /E). The "echo Y|" pipes answer cacls' confirmation prompt. The effect is that the user who was infected can no longer delete or overwrite the loader from an ordinary session, and together with the every-minute scheduled task this is the sample's persistence and self-protection.
- The second top-level mnolyk.exe (PID 4828) has no parent in the WriteProcessMemory events, which is consistent with the scheduled task (/SC MINUTE /MO 1) relaunching it.
- rundll32.exe (PID 4036) is loading a DLL from a user-writable directory (AppData\Roaming) through its Main export; the 89KB file in the Downloads section is the only artifact small enough to be a plugin DLL, but the report does not tie the hashes to file names, so that mapping is not established here.
- tnp76lQ.exe (PID 4212) is the process whose memory dumps matched the family_redline YARA rule and the one that requests SeDebugPrivilege.
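The scheduled task, the cacls sequence and the rundll32 load above, together with the wextract_cleanupN RunOnce values in the Signatures section, are the behaviours a detection engineer would turn into rules. The Python below is an added example, not tria.ge's own logic and not any vendor's rule set: it runs three command-line checks over events copied from this report's process tree and registry writes (plus two constructed benign lines as controls), counts the self-extractor layers from the RunOnce names, and reports which PIDs each rule flags. The rule names, the USER_WRITABLE path pattern and the benign control lines are the example's own assumptions.

```python
"""Command-line triage rules for the behaviours in this report's process tree.
Added example; not tria.ge's logic and not a vendor rule set."""
import re

# Paths an unprivileged user can write to; a persistence mechanism or a DLL
# load pointing here deserves a second look. (Assumption of this example.)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming|Local)\\", re.I)

# Constructed input: (pid, command line or RunOnce value) pairs copied from this
# report, followed by two constructed benign lines (PIDs 9001/9002) as controls.
EVENTS = [
    (3216, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F'),
    (1004, r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit'),
    (2164, r'CACLS "mnolyk.exe" /P "Admin:N"'),
    (2852, r'CACLS "mnolyk.exe" /P "Admin:R" /E'),
    (4984, r'CACLS "..\5eb6b96734" /P "Admin:N"'),
    (4036, r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (2780, r'wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\\\""'),
    (3500, r'wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\\\""'),
    (4672, r'wextract_cleanup2 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\\\""'),
    (9001, r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),  # constructed benign
    (9002, r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),                          # constructed benign
]


def rule_minute_task_in_userdir(cmd):
    """schtasks /Create with a one-minute trigger whose action lives in a user-writable path."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low or "/sc minute" not in low:
        return None
    action = re.search(r'/tr\s+"?([^"]+)"?', cmd, re.I)
    if action and USER_WRITABLE.search(action.group(1)):
        return "every-minute task runs " + action.group(1)
    return None


def rule_self_deny_acl(cmd):
    """cacls <target> /P "<user>:N": the process revokes its own user's access to a file or directory."""
    m = re.search(r'\bcacls\b.*?"([^"]+)".*?/p\s+"([^":]+):n"', cmd, re.I)
    return f"denies {m.group(2)} all access to {m.group(1)}" if m else None


def rule_rundll32_user_dll(cmd):
    """rundll32 calling an export of a DLL that sits in a user-writable directory.
    A system DLL such as advpack.dll is not flagged even when its arguments name a temp path."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)\s*,\s*(\w+)', cmd, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"rundll32 loads {m.group(1)} export {m.group(2)}"
    return None


RULES = [
    ("minute_task_in_userdir", rule_minute_task_in_userdir),
    ("self_deny_acl", rule_self_deny_acl),
    ("rundll32_user_dll", rule_rundll32_user_dll),
]


def wextract_layers(cmds):
    """The self-extractor writes one wextract_cleanupN RunOnce value per layer, so max(N)+1 layers."""
    idx = [int(m.group(1)) for c in cmds for m in re.finditer(r"wextract_cleanup(\d+)", c, re.I)]
    return max(idx) + 1 if idx else 0


def triage(events):
    """Return (rule_name, pid, detail) for every rule that fires on every event, in event order."""
    hits = []
    for pid, cmd in events:
        for name, rule in RULES:
            detail = rule(cmd)
            if detail:
                hits.append((name, pid, detail))
    return hits


if __name__ == "__main__":
    for name, pid, detail in triage(EVENTS):
        print(f"{name:24} PID {pid:<5} {detail}")
    print("nested self-extractor layers:", wextract_layers([c for _, c in EVENTS]))
```

The ACL rule fires on both the parent cmd.exe line and the individual cacls children, so a real deployment would deduplicate by process ancestry; the ":R" re-grant lines are deliberately not matched, since on their own they are harmless.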
Network
MITRE ATT&CK Enterprise v6
Downloads
Five distinct files by hash (the original list repeats entries; the count of each is given). The report does not map these hashes to the dropped file names above.
-
Filesize 236KB (listed five times)
MD5 fde8915d251fada3a37530421eb29dcf
SHA1 44386a8947ddfab993409945dae05a772a13e047
SHA256 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512 ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
Filesize 679KB (listed twice)
MD5 c1667d9ae6b382de3c5317ab8f9f190a
SHA1 c78c7c48685e86f3d276221ff15e7a4eaa54bfcd
SHA256 90d9a1f09ce3c645c4a44f6e206d85a9ee44da3241f59f4f546a60cf04f49f38
SHA512 463fc655004451ec141e6a4eaf351d2a1c46d09e7dcbdaccdb4e96afe5d5f7ce3a43a1f8c3ac468cb38bb643743ae1712386f6d2a37b55b6be788fac2e821465
-
Filesize 534KB (listed twice)
MD5 327a673661dd1d97298bf7e2744bdca1
SHA1 158106add1accd5dd18c95d034d5c1e582e66c4d
SHA256 89afce55d3cad1c55b87e494f13b30b2b651e22fddbdb8ca016bd23eba62705b
SHA512 48fbd4df5b6bd978bfe71ba90816d0375b3f11a454487c02d587650bf712b76e1977f000dff170115e067a1bb245a8959cd3d50790169982fe6f9625be5db3a6
-
Filesize 457KB (listed twice)
MD5 d133d935024e27148ff6f13a0f8a8b88
SHA1 6b4f786b29cf717793a96f0b9e45e90668105b44
SHA256 1860a7903b15326d3fc0e90215561ff6a0c8f7f6cf739d88736e8e320503250b
SHA512 80f4b2a92d2fdf750ca991d9f4405c0188eebeb6fc3edd3de8a802cce1530f5b0ceb4840e8485138c2da9d01b5b57d539e44f916b512dad54c688c719511e44a
-
Filesize 89KB (listed twice)
MD5 9221a421a3e777eb7d4ce55e474bcc4a
SHA1 c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA256 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA512 63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3