Analysis
- max time kernel: 148s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/02/2023, 06:06

Static task: static1

Behavioral task: behavioral1
- Sample: 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe
- Resource: win10v2004-20221111-en
General
- Target: 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe
- Size: 715KB
- MD5: 63f2def49618354ddb422f5fd0d49d43
- SHA1: 8a351282dd836f98b97aa6f22708d82971a242f1
- SHA256: 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2
- SHA512: 07387a1daf2ab041bc4229457ba47f26c15ed03af19e78512d2050b88c331527570695fee30560b986550902b079fc239c4393a627b5e9d28aebb90bfa0e8ffe
- SSDEEP: 12288:zMrky900aZdBPXvWKHFVi1hsWjMvDXSJI4Cpbf88WfQdehXwb9Wo3+Oe:jy7S3xH/6suMvDXW+po8WLXwbIo33e
Malware Config
Extracted: redline
- fukia
- 193.233.20.13:4136
- auth_value: e5783636fbd9e4f0cf9a017bce02e67e

Extracted: amadey
- 3.66
- 62.204.41.5/Bu58Ngs/index.php
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | mBC36.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | mnolyk.exe

- Executes dropped EXE (7 IoCs)
  pid | Process
  1476 | syq25ph.exe
  400 | sqN33mf.exe
  1256 | kwl57Cv.exe
  3416 | mBC36.exe
  3580 | mnolyk.exe
  2316 | nLJ18uC.exe
  1676 | mnolyk.exe

- Loads dropped DLL (1 IoCs)
  pid | Process
  3996 | rundll32.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | syq25ph.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sqN33mf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sqN33mf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | syq25ph.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2372 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1256 | kwl57Cv.exe
  1256 | kwl57Cv.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1256 | kwl57Cv.exe
  Token: SeDebugPrivilege | 2316 | nLJ18uC.exe

- Suspicious use of WriteProcessMemory (45 IoCs)
  description | pid | Process | procid_target
  PID 2320 wrote to memory of 1476 | 2320 | 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe | 83
  PID 2320 wrote to memory of 1476 | 2320 | 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe | 83
  PID 2320 wrote to memory of 1476 | 2320 | 11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe | 83
  PID 1476 wrote to memory of 400 | 1476 | syq25ph.exe | 84
  PID 1476 wrote to memory of 400 | 1476 | syq25ph.exe | 84
  PID 1476 wrote to memory of 400 | 1476 | syq25ph.exe | 84
  PID 400 wrote to memory of 1256 | 400 | sqN33mf.exe | 85
  PID 400 wrote to memory of 1256 | 400 | sqN33mf.exe | 85
  PID 400 wrote to memory of 1256 | 400 | sqN33mf.exe | 85
  PID 400 wrote to memory of 3416 | 400 | sqN33mf.exe | 87
  PID 400 wrote to memory of 3416 | 400 | sqN33mf.exe | 87
  PID 400 wrote to memory of 3416 | 400 | sqN33mf.exe | 87
  PID 3416 wrote to memory of 3580 | 3416 | mBC36.exe | 88
  PID 3416 wrote to memory of 3580 | 3416 | mBC36.exe | 88
  PID 3416 wrote to memory of 3580 | 3416 | mBC36.exe | 88
  PID 1476 wrote to memory of 2316 | 1476 | syq25ph.exe | 89
  PID 1476 wrote to memory of 2316 | 1476 | syq25ph.exe | 89
  PID 1476 wrote to memory of 2316 | 1476 | syq25ph.exe | 89
  PID 3580 wrote to memory of 2372 | 3580 | mnolyk.exe | 90
  PID 3580 wrote to memory of 2372 | 3580 | mnolyk.exe | 90
  PID 3580 wrote to memory of 2372 | 3580 | mnolyk.exe | 90
  PID 3580 wrote to memory of 4872 | 3580 | mnolyk.exe | 92
  PID 3580 wrote to memory of 4872 | 3580 | mnolyk.exe | 92
  PID 3580 wrote to memory of 4872 | 3580 | mnolyk.exe | 92
  PID 4872 wrote to memory of 4400 | 4872 | cmd.exe | 94
  PID 4872 wrote to memory of 4400 | 4872 | cmd.exe | 94
  PID 4872 wrote to memory of 4400 | 4872 | cmd.exe | 94
  PID 4872 wrote to memory of 3780 | 4872 | cmd.exe | 95
  PID 4872 wrote to memory of 3780 | 4872 | cmd.exe | 95
  PID 4872 wrote to memory of 3780 | 4872 | cmd.exe | 95
  PID 4872 wrote to memory of 4156 | 4872 | cmd.exe | 96
  PID 4872 wrote to memory of 4156 | 4872 | cmd.exe | 96
  PID 4872 wrote to memory of 4156 | 4872 | cmd.exe | 96
  PID 4872 wrote to memory of 2028 | 4872 | cmd.exe | 97
  PID 4872 wrote to memory of 2028 | 4872 | cmd.exe | 97
  PID 4872 wrote to memory of 2028 | 4872 | cmd.exe | 97
  PID 4872 wrote to memory of 4408 | 4872 | cmd.exe | 98
  PID 4872 wrote to memory of 4408 | 4872 | cmd.exe | 98
  PID 4872 wrote to memory of 4408 | 4872 | cmd.exe | 98
  PID 4872 wrote to memory of 1060 | 4872 | cmd.exe | 99
  PID 4872 wrote to memory of 1060 | 4872 | cmd.exe | 99
  PID 4872 wrote to memory of 1060 | 4872 | cmd.exe | 99
  PID 3580 wrote to memory of 3996 | 3580 | mnolyk.exe | 108
  PID 3580 wrote to memory of 3996 | 3580 | mnolyk.exe | 108
  PID 3580 wrote to memory of 3996 | 3580 | mnolyk.exe | 108
Processes
- C:\Users\Admin\AppData\Local\Temp\11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe (PID 2320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11eea129a22df67775e7f40644807e1263717c016010d62f3d771e602c0daee2.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\syq25ph.exe (PID 1476)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\syq25ph.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sqN33mf.exe (PID 400)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sqN33mf.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kwl57Cv.exe (PID 1256)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kwl57Cv.exe
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mBC36.exe (PID 3416)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mBC36.exe
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe (PID 3580)
          Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
          Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\schtasks.exe (PID 2372)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
            Signatures: Creates scheduled task(s)
          - C:\Windows\SysWOW64\cmd.exe (PID 4872)
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe (PID 4400)
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            - C:\Windows\SysWOW64\cacls.exe (PID 3780)
              Command line: CACLS "mnolyk.exe" /P "Admin:N"
            - C:\Windows\SysWOW64\cacls.exe (PID 4156)
              Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
            - C:\Windows\SysWOW64\cmd.exe (PID 2028)
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            - C:\Windows\SysWOW64\cacls.exe (PID 4408)
              Command line: CACLS "..\5eb6b96734" /P "Admin:N"
            - C:\Windows\SysWOW64\cacls.exe (PID 1060)
              Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
          - C:\Windows\SysWOW64\rundll32.exe (PID 3996)
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            Signatures: Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLJ18uC.exe (PID 2316)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLJ18uC.exe
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe (PID 1676)
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 236KB
  MD5: fde8915d251fada3a37530421eb29dcf
  SHA1: 44386a8947ddfab993409945dae05a772a13e047
  SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
  SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
- Filesize: 611KB
  MD5: 9a831896918eb7a0ded2510a96162c0b
  SHA1: 20f30eb28f2cdaab9d4bd65c3dbe3ffb800d3b5c
  SHA256: d579ebc73ef1240757e682c66d34ab22ba00b75e9a4c10d6257fe2927d1b0037
  SHA512: a2f227bbd68d90e1cdf0bb82fd6b5be29c083fc10b007e9f034b2087649be03be6a4764169b0777847a3b0c7960b891004245447f6d748a4103f590b7392b2d2
- Filesize: 279KB
  MD5: 6f4ba7e3bbd5b5c19332a451db43f013
  SHA1: 724620092ed22c9e67d0b3582e794af41caee1cd
  SHA256: 7197b7df5d3c14ff9d490409aa1eaa8d2171a01e55e19879350ae4bee22a7f50
  SHA512: 102c23f4b27bbaab2a75a3b27a27643e817fe012d40656a1d597a5078f83986e0fbc700819bfa5888ae6a8fd90b7024f3d8fd9ba2655bfd324e5c99883f30d6f
- Filesize: 286KB
  MD5: cee0daf0f0a1b618ccb327373a2922d6
  SHA1: 699fab4c4eeca96de4e19828971de29c8efbb2ae
  SHA256: 02d2002545047001290cc666922dd4361ec12fbaf45104f280a1e98b82744398
  SHA512: be8e0bbf55b8a12d970f9c8189b82774a7ff7de8aa3f2d05ac431eb0d52540efff4d6a41232ac8959b720139152d74505eecedfb10c49a3d4e6322a712021614
- Filesize: 175KB
  MD5: a5f5c5d6291c7ae9e1d1b7ed1e551490
  SHA1: 3d06413341893b838549939e15f8f1eec423d71a
  SHA256: 1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
  SHA512: d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
- Filesize: 89KB
  MD5: 9221a421a3e777eb7d4ce55e474bcc4a
  SHA1: c96d7bd7ccbf9352d50527bff472595b3dc5298e
  SHA256: 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
  SHA512: 63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3