Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
180s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
12/02/2023, 10:24
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
General
-
Target
file.exe
-
Size
719KB
-
MD5
f6c3529489c9b14e03cc0d5737262b81
-
SHA1
cc633f31c664b6da84180c2521755413fe041ed1
-
SHA256
14f00b3509a0ab5830b0a7e673c27d5032642741bf990312038ca2cb2068954d
-
SHA512
5aa6a01fe5da9627de1ab03c1a3561d1806b0747501f578f858c698352bdb726ae2639520fed73a23a84d46c0e4a47b20cb10c68b23bc74be595423ba80959b4
-
SSDEEP
12288:wMrQy90nZWVuDiFNuQu96UXdSeNeJgqdRDqBPsMG+uIwzhSu1l8nG7:wyFVii/uQVodS9gcSPsMG7lcuTd7
Malware Config
Extracted
redline
dunm
193.233.20.12:4132
-
auth_value
352959e3707029296ec94306d74e2334
Extracted
amadey
3.66
62.204.41.4/Gol478Ns/index.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation bkj20Qx.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
pid Process 4968 gwk12rF.exe 4924 gCU54tH.exe 4992 agv94ut.exe 4336 bkj20Qx.exe 1992 mnolyk.exe 2696 dMS4925.exe 4964 mnolyk.exe -
Loads dropped DLL 1 IoCs
pid Process 4768 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce gwk12rF.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" gwk12rF.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce gCU54tH.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" gCU54tH.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce file.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2376 2696 WerFault.exe 86 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3592 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4992 agv94ut.exe 4992 agv94ut.exe 2696 dMS4925.exe 2696 dMS4925.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4992 agv94ut.exe Token: SeDebugPrivilege 2696 dMS4925.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 4360 wrote to memory of 4968 4360 file.exe 80 PID 4360 wrote to memory of 4968 4360 file.exe 80 PID 4360 wrote to memory of 4968 4360 file.exe 80 PID 4968 wrote to memory of 4924 4968 gwk12rF.exe 81 PID 4968 wrote to memory of 4924 4968 gwk12rF.exe 81 PID 4968 wrote to memory of 4924 4968 gwk12rF.exe 81 PID 4924 wrote to memory of 4992 4924 gCU54tH.exe 82 PID 4924 wrote to memory of 4992 4924 gCU54tH.exe 82 PID 4924 wrote to memory of 4992 4924 gCU54tH.exe 82 PID 4924 wrote to memory of 4336 4924 gCU54tH.exe 84 PID 4924 wrote to memory of 4336 4924 gCU54tH.exe 84 PID 4924 wrote to memory of 4336 4924 gCU54tH.exe 84 PID 4336 wrote to memory of 1992 4336 bkj20Qx.exe 85 PID 4336 wrote to memory of 1992 4336 bkj20Qx.exe 85 PID 4336 wrote to memory of 1992 4336 bkj20Qx.exe 85 PID 4968 wrote to memory of 2696 4968 gwk12rF.exe 86 PID 4968 wrote to memory of 2696 4968 gwk12rF.exe 86 PID 4968 wrote to memory of 2696 4968 gwk12rF.exe 86 PID 1992 wrote to memory of 3592 1992 mnolyk.exe 87 PID 1992 wrote to memory of 3592 1992 mnolyk.exe 87 PID 1992 wrote to memory of 3592 1992 mnolyk.exe 87 PID 1992 wrote to memory of 4516 1992 mnolyk.exe 89 PID 1992 wrote to memory of 4516 1992 mnolyk.exe 89 PID 1992 wrote to memory of 4516 1992 mnolyk.exe 89 PID 4516 wrote to memory of 3312 4516 cmd.exe 91 PID 4516 wrote to memory of 3312 4516 cmd.exe 91 PID 4516 wrote to memory of 3312 4516 cmd.exe 91 PID 4516 wrote to memory of 3128 4516 cmd.exe 92 PID 4516 wrote to memory of 3128 4516 cmd.exe 92 PID 4516 wrote to memory of 3128 4516 cmd.exe 92 PID 4516 wrote to memory of 1196 4516 cmd.exe 93 PID 4516 wrote to memory of 1196 4516 cmd.exe 93 PID 4516 wrote to memory of 1196 4516 cmd.exe 93 PID 4516 wrote to memory of 4228 4516 cmd.exe 94 PID 4516 wrote to memory of 4228 4516 cmd.exe 94 PID 4516 wrote to memory of 4228 4516 cmd.exe 94 PID 4516 wrote to memory of 5108 4516 cmd.exe 95 PID 4516 wrote to memory of 5108 4516 cmd.exe 95 PID 4516 wrote to memory of 5108 4516 cmd.exe 95 PID 4516 wrote to memory of 1284 4516 cmd.exe 96 PID 4516 wrote to memory of 1284 4516 cmd.exe 96 PID 4516 wrote to memory of 1284 4516 cmd.exe 96 PID 1992 wrote to memory of 4768 1992 mnolyk.exe 107 PID 1992 wrote to memory of 4768 1992 mnolyk.exe 107 PID 1992 wrote to memory of 4768 1992 mnolyk.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gwk12rF.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gwk12rF.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gCU54tH.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gCU54tH.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\agv94ut.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\agv94ut.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bkj20Qx.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bkj20Qx.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F6⤵
- Creates scheduled task(s)
PID:3592
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3312
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"7⤵PID:3128
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E7⤵PID:1196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4228
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"7⤵PID:5108
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E7⤵PID:1284
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main6⤵
- Loads dropped DLL
PID:4768
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMS4925.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMS4925.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 9724⤵
- Program crash
PID:2376
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2696 -ip 26961⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:4964
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
615KB
MD5d1a3cc18907a9943c4e49e6c20caa393
SHA1190086e8c733b2d5091a63ffa136ca9841ef598c
SHA256eafe1b363ec786254523726b93943b55a203c1b8a794d2c7d8da6e84b716a569
SHA5120756b550dc9b1ed0d5ec88f1864aaccb1f92bdff6ddd43b869a74e94424a1bb7e7c75eca1fccfd41c3287690cfba2f5d0c80d65986cc98f3fe83bbb44883c5f2
-
Filesize
615KB
MD5d1a3cc18907a9943c4e49e6c20caa393
SHA1190086e8c733b2d5091a63ffa136ca9841ef598c
SHA256eafe1b363ec786254523726b93943b55a203c1b8a794d2c7d8da6e84b716a569
SHA5120756b550dc9b1ed0d5ec88f1864aaccb1f92bdff6ddd43b869a74e94424a1bb7e7c75eca1fccfd41c3287690cfba2f5d0c80d65986cc98f3fe83bbb44883c5f2
-
Filesize
289KB
MD5f342f2a8fe360afdc2dc03c5d8ccc0c7
SHA1b574324d34bac92df9b656b64b25e59ac3e2e111
SHA256f10ded8a5ec704dd5bc919c2e992aa30c246b30d3e6109ab83fe7d801248f1ef
SHA512444ecb4f34553747e3581285cccb354f996e96cbb1dfc16534ad801e23ab9fba22bec06fab00cd4e96586899a93968405e4db9f064f3d9cff6d9b4ea6516479a
-
Filesize
289KB
MD5f342f2a8fe360afdc2dc03c5d8ccc0c7
SHA1b574324d34bac92df9b656b64b25e59ac3e2e111
SHA256f10ded8a5ec704dd5bc919c2e992aa30c246b30d3e6109ab83fe7d801248f1ef
SHA512444ecb4f34553747e3581285cccb354f996e96cbb1dfc16534ad801e23ab9fba22bec06fab00cd4e96586899a93968405e4db9f064f3d9cff6d9b4ea6516479a
-
Filesize
286KB
MD5ead871a4bb43c6fbbe717033c9fc9bef
SHA1cd9d4a44a3bedfb7e658e4afd831e374fb41e9fa
SHA256776089de463a96fe4b1cf3761855e15f2bbdf4407f36bc4ce9dbad96a89cabc1
SHA512554cfdd60bc709083e343a963cb212a82e25974e7b2d0ef04df97f5b1fc7a3ca39e5c5567793b3956e5bbb0d760b09299cd2a843ef5cdcb8bed9391a03c4c1af
-
Filesize
286KB
MD5ead871a4bb43c6fbbe717033c9fc9bef
SHA1cd9d4a44a3bedfb7e658e4afd831e374fb41e9fa
SHA256776089de463a96fe4b1cf3761855e15f2bbdf4407f36bc4ce9dbad96a89cabc1
SHA512554cfdd60bc709083e343a963cb212a82e25974e7b2d0ef04df97f5b1fc7a3ca39e5c5567793b3956e5bbb0d760b09299cd2a843ef5cdcb8bed9391a03c4c1af
-
Filesize
175KB
MD569f79e05d0c83aee310d9adfe5aa7f2b
SHA1485c490180380051a14316564fbda07723be11b1
SHA256c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2
SHA512f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42
-
Filesize
175KB
MD569f79e05d0c83aee310d9adfe5aa7f2b
SHA1485c490180380051a14316564fbda07723be11b1
SHA256c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2
SHA512f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba
-
Filesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba