Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2023, 08:51
Static task: static1

Behavioral task: behavioral1
  Sample: 4103ec6f4d261f5048bb2be55e34d70b.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 4103ec6f4d261f5048bb2be55e34d70b.exe
  Resource: win10v2004-20221111-en
General

Target: 4103ec6f4d261f5048bb2be55e34d70b.exe
Size: 725KB
MD5: 4103ec6f4d261f5048bb2be55e34d70b
SHA1: 02b24db9232a446ef3a26263a36eda915c101743
SHA256: 1c7c5ce03a60a68effe4997c8d6117eed669d3230e601097e22d99da49d0bcdd
SHA512: a8f798ef59831e6650a55cd9e2fef8f5f53e1aff4963c882e86dd39144a69118a5038659bbcef3d1decc4e0e6267275a706b84cb6552e18434e49bf55f0cc6db
SSDEEP: 12288:xMrTy90KrboGQdL1fiqznHAaD0vDL6JupLuF4K+KRjUN3PD6QH+LVSmd+XRb:Oyjfo3dLtnHAaD0vDLu0LuF4KKP+QYS/
Malware Config

Extracted: redline
  fukia
  193.233.20.13:4136
  auth_value: e5783636fbd9e4f0cf9a017bce02e67e

Extracted: amadey
  3.66
  62.204.41.5/Bu58Ngs/index.php
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | mgE04.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | mnolyk.exe

- Executes dropped EXE (8 IoCs)
  pid | Process
  2716 | sek87TA.exe
  3924 | scB29hK.exe
  2036 | kBN13Pu.exe
  3276 | mgE04.exe
  216 | mnolyk.exe
  2140 | ntd03Aq.exe
  4260 | mnolyk.exe
  536 | mnolyk.exe

- Loads dropped DLL (1 IoCs)
  pid | Process
  4664 | rundll32.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4103ec6f4d261f5048bb2be55e34d70b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4103ec6f4d261f5048bb2be55e34d70b.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sek87TA.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sek87TA.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | scB29hK.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | scB29hK.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3712 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2036 | kBN13Pu.exe
  2036 | kBN13Pu.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2036 | kBN13Pu.exe
  Token: SeDebugPrivilege | 2140 | ntd03Aq.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  description | pid | Process | procid_target
  PID 3788 wrote to memory of 2716 | 3788 | 4103ec6f4d261f5048bb2be55e34d70b.exe | 79
  PID 3788 wrote to memory of 2716 | 3788 | 4103ec6f4d261f5048bb2be55e34d70b.exe | 79
  PID 3788 wrote to memory of 2716 | 3788 | 4103ec6f4d261f5048bb2be55e34d70b.exe | 79
  PID 2716 wrote to memory of 3924 | 2716 | sek87TA.exe | 80
  PID 2716 wrote to memory of 3924 | 2716 | sek87TA.exe | 80
  PID 2716 wrote to memory of 3924 | 2716 | sek87TA.exe | 80
  PID 3924 wrote to memory of 2036 | 3924 | scB29hK.exe | 81
  PID 3924 wrote to memory of 2036 | 3924 | scB29hK.exe | 81
  PID 3924 wrote to memory of 2036 | 3924 | scB29hK.exe | 81
  PID 3924 wrote to memory of 3276 | 3924 | scB29hK.exe | 85
  PID 3924 wrote to memory of 3276 | 3924 | scB29hK.exe | 85
  PID 3924 wrote to memory of 3276 | 3924 | scB29hK.exe | 85
  PID 3276 wrote to memory of 216 | 3276 | mgE04.exe | 86
  PID 3276 wrote to memory of 216 | 3276 | mgE04.exe | 86
  PID 3276 wrote to memory of 216 | 3276 | mgE04.exe | 86
  PID 2716 wrote to memory of 2140 | 2716 | sek87TA.exe | 87
  PID 2716 wrote to memory of 2140 | 2716 | sek87TA.exe | 87
  PID 2716 wrote to memory of 2140 | 2716 | sek87TA.exe | 87
  PID 216 wrote to memory of 3712 | 216 | mnolyk.exe | 88
  PID 216 wrote to memory of 3712 | 216 | mnolyk.exe | 88
  PID 216 wrote to memory of 3712 | 216 | mnolyk.exe | 88
  PID 216 wrote to memory of 3964 | 216 | mnolyk.exe | 90
  PID 216 wrote to memory of 3964 | 216 | mnolyk.exe | 90
  PID 216 wrote to memory of 3964 | 216 | mnolyk.exe | 90
  PID 3964 wrote to memory of 3776 | 3964 | cmd.exe | 92
  PID 3964 wrote to memory of 3776 | 3964 | cmd.exe | 92
  PID 3964 wrote to memory of 3776 | 3964 | cmd.exe | 92
  PID 3964 wrote to memory of 5076 | 3964 | cmd.exe | 93
  PID 3964 wrote to memory of 5076 | 3964 | cmd.exe | 93
  PID 3964 wrote to memory of 5076 | 3964 | cmd.exe | 93
  PID 3964 wrote to memory of 1020 | 3964 | cmd.exe | 94
  PID 3964 wrote to memory of 1020 | 3964 | cmd.exe | 94
  PID 3964 wrote to memory of 1020 | 3964 | cmd.exe | 94
  PID 3964 wrote to memory of 1468 | 3964 | cmd.exe | 95
  PID 3964 wrote to memory of 1468 | 3964 | cmd.exe | 95
  PID 3964 wrote to memory of 1468 | 3964 | cmd.exe | 95
  PID 3964 wrote to memory of 4156 | 3964 | cmd.exe | 96
  PID 3964 wrote to memory of 4156 | 3964 | cmd.exe | 96
  PID 3964 wrote to memory of 4156 | 3964 | cmd.exe | 96
  PID 3964 wrote to memory of 3512 | 3964 | cmd.exe | 97
  PID 3964 wrote to memory of 3512 | 3964 | cmd.exe | 97
  PID 3964 wrote to memory of 3512 | 3964 | cmd.exe | 97
  PID 216 wrote to memory of 4664 | 216 | mnolyk.exe | 103
  PID 216 wrote to memory of 4664 | 216 | mnolyk.exe | 103
  PID 216 wrote to memory of 4664 | 216 | mnolyk.exe | 103
Processes

C:\Users\Admin\AppData\Local\Temp\4103ec6f4d261f5048bb2be55e34d70b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4103ec6f4d261f5048bb2be55e34d70b.exe"
  PID: 3788
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sek87TA.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sek87TA.exe
    PID: 2716
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\scB29hK.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\scB29hK.exe
      PID: 3924
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kBN13Pu.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kBN13Pu.exe
        PID: 2036
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mgE04.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mgE04.exe
        PID: 3276
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
          PID: 216
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
            PID: 3712
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
            PID: 3964
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 3776

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "mnolyk.exe" /P "Admin:N"
              PID: 5076

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
              PID: 1020

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 1468

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\5eb6b96734" /P "Admin:N"
              PID: 4156

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
              PID: 3512

          C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            PID: 4664
            - Loads dropped DLL

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ntd03Aq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ntd03Aq.exe
      PID: 2140
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  PID: 4260
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  PID: 536
  - Executes dropped EXE
Downloads