Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
108s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2023, 15:05
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
714KB
-
MD5
6296af9aef65a94e105b976457c107b3
-
SHA1
77af8edcee2b76a7f2901ea2ba160423a805cbb3
-
SHA256
0ca4af290ff2840e78ff74a632b6534f1fe8aed9bde564911993ceb569a4d76b
-
SHA512
661ed4925004d312ec36c9c3e948ba1ff41cf44c0378881d144f9a8e7a1a5fd91ad44109fad81fdcc5e0be3c045a6dd40584a997f57c97b7c335ce79b0d337df
-
SSDEEP
12288:nMr5y90RxxY7yJAOBQTbI+TmImNPS6FA4v1PfEfMoMlUnaSF+AD8rcex+:iyUJJAiQTbdlKvBfDoyp8NDqN+
Malware Config
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Extracted
amadey
3.66
193.233.20.2/Bn89hku/index.php
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection fcQ64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" fcQ64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" fcQ64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" fcQ64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" fcQ64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" fcQ64.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation bzw28ij.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 9 IoCs
pid Process 4940 giB65Jf.exe 4844 giL68iH.exe 4828 aNo79Ur.exe 4620 bzw28ij.exe 4532 mnolyk.exe 4852 dso8159.exe 3924 mnolyk.exe 4140 fcQ64.exe 1836 mnolyk.exe -
Loads dropped DLL 1 IoCs
pid Process 4472 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" fcQ64.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" giL68iH.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce giB65Jf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" giB65Jf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce giL68iH.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4496 4852 WerFault.exe 93 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1164 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4828 aNo79Ur.exe 4828 aNo79Ur.exe 4852 dso8159.exe 4852 dso8159.exe 4140 fcQ64.exe 4140 fcQ64.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4828 aNo79Ur.exe Token: SeDebugPrivilege 4852 dso8159.exe Token: SeDebugPrivilege 4140 fcQ64.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 3912 wrote to memory of 4940 3912 file.exe 81 PID 3912 wrote to memory of 4940 3912 file.exe 81 PID 3912 wrote to memory of 4940 3912 file.exe 81 PID 4940 wrote to memory of 4844 4940 giB65Jf.exe 82 PID 4940 wrote to memory of 4844 4940 giB65Jf.exe 82 PID 4940 wrote to memory of 4844 4940 giB65Jf.exe 82 PID 4844 wrote to memory of 4828 4844 giL68iH.exe 83 PID 4844 wrote to memory of 4828 4844 giL68iH.exe 83 PID 4844 wrote to memory of 4828 4844 giL68iH.exe 83 PID 4844 wrote to memory of 4620 4844 giL68iH.exe 91 PID 4844 wrote to memory of 4620 4844 giL68iH.exe 91 PID 4844 wrote to memory of 4620 4844 giL68iH.exe 91 PID 4620 wrote to memory of 4532 4620 bzw28ij.exe 92 PID 4620 wrote to memory of 4532 4620 bzw28ij.exe 92 PID 4620 wrote to memory of 4532 4620 bzw28ij.exe 92 PID 4940 wrote to memory of 4852 4940 giB65Jf.exe 93 PID 4940 wrote to memory of 4852 4940 giB65Jf.exe 93 PID 4940 wrote to memory of 4852 4940 giB65Jf.exe 93 PID 4532 wrote to memory of 1164 4532 mnolyk.exe 94 PID 4532 wrote to memory of 1164 4532 mnolyk.exe 94 PID 4532 wrote to memory of 1164 4532 mnolyk.exe 94 PID 4532 wrote to memory of 4484 4532 mnolyk.exe 96 PID 4532 wrote to memory of 4484 4532 mnolyk.exe 96 PID 4532 wrote to memory of 4484 4532 mnolyk.exe 96 PID 4484 wrote to memory of 2804 4484 cmd.exe 98 PID 4484 wrote to memory of 2804 4484 cmd.exe 98 PID 4484 wrote to memory of 2804 4484 cmd.exe 98 PID 4484 wrote to memory of 2540 4484 cmd.exe 99 PID 4484 wrote to memory of 2540 4484 cmd.exe 99 PID 4484 wrote to memory of 2540 4484 cmd.exe 99 PID 4484 wrote to memory of 2328 4484 cmd.exe 100 PID 4484 wrote to memory of 2328 4484 cmd.exe 100 PID 4484 wrote to memory of 2328 4484 cmd.exe 100 PID 4484 wrote to memory of 980 4484 cmd.exe 101 PID 4484 wrote to memory of 980 4484 cmd.exe 101 PID 4484 wrote to memory of 980 4484 cmd.exe 101 PID 4484 wrote to memory of 3472 4484 cmd.exe 102 PID 4484 wrote to memory of 3472 4484 cmd.exe 102 PID 4484 wrote to memory of 3472 4484 cmd.exe 102 PID 4484 wrote to memory of 1592 4484 cmd.exe 103 PID 4484 wrote to memory of 1592 4484 cmd.exe 103 PID 4484 wrote to memory of 1592 4484 cmd.exe 103 PID 3912 wrote to memory of 4140 3912 file.exe 107 PID 3912 wrote to memory of 4140 3912 file.exe 107 PID 4532 wrote to memory of 4472 4532 mnolyk.exe 108 PID 4532 wrote to memory of 4472 4532 mnolyk.exe 108 PID 4532 wrote to memory of 4472 4532 mnolyk.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\giB65Jf.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\giB65Jf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\giL68iH.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\giL68iH.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aNo79Ur.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aNo79Ur.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bzw28ij.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bzw28ij.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F6⤵
- Creates scheduled task(s)
PID:1164
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:2804
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"7⤵PID:2540
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E7⤵PID:2328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:980
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"7⤵PID:3472
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E7⤵PID:1592
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main6⤵
- Loads dropped DLL
PID:4472
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dso8159.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dso8159.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 13284⤵
- Program crash
PID:4496
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fcQ64.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fcQ64.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 48521⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:3924
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:1836
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD552fca4d08faccbd7d3f9a487158ed24a
SHA1999297fae9adaaca1f2163e45aa4100ebe2a27f6
SHA2566ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
SHA5127669fca02637a8d02b53837b0bc62025625d7615c275414412ecd0d4f0d6377c588a401e11d637abd1b10269ba813555a6600cebe8657ec78f104f350d4a0368
-
Filesize
236KB
MD552fca4d08faccbd7d3f9a487158ed24a
SHA1999297fae9adaaca1f2163e45aa4100ebe2a27f6
SHA2566ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
SHA5127669fca02637a8d02b53837b0bc62025625d7615c275414412ecd0d4f0d6377c588a401e11d637abd1b10269ba813555a6600cebe8657ec78f104f350d4a0368
-
Filesize
236KB
MD552fca4d08faccbd7d3f9a487158ed24a
SHA1999297fae9adaaca1f2163e45aa4100ebe2a27f6
SHA2566ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
SHA5127669fca02637a8d02b53837b0bc62025625d7615c275414412ecd0d4f0d6377c588a401e11d637abd1b10269ba813555a6600cebe8657ec78f104f350d4a0368
-
Filesize
236KB
MD552fca4d08faccbd7d3f9a487158ed24a
SHA1999297fae9adaaca1f2163e45aa4100ebe2a27f6
SHA2566ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
SHA5127669fca02637a8d02b53837b0bc62025625d7615c275414412ecd0d4f0d6377c588a401e11d637abd1b10269ba813555a6600cebe8657ec78f104f350d4a0368
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
610KB
MD56b49d1a7b00574eda6714dc1f0269e01
SHA173927e876865f6bb1a0cf9758e8c82e87fb15e2d
SHA25654cbbb699f4c89c1c24edf174d100fc95d5b7a04464757c55a6ac26630886960
SHA51237d6e9bf5232b46ee2ee906c4b1e70e433261e16e645966adb8bfc302f6fa2038f786c960890727c39114f3866bcb6b0850c9232adf38feb495f6b0769137b81
-
Filesize
610KB
MD56b49d1a7b00574eda6714dc1f0269e01
SHA173927e876865f6bb1a0cf9758e8c82e87fb15e2d
SHA25654cbbb699f4c89c1c24edf174d100fc95d5b7a04464757c55a6ac26630886960
SHA51237d6e9bf5232b46ee2ee906c4b1e70e433261e16e645966adb8bfc302f6fa2038f786c960890727c39114f3866bcb6b0850c9232adf38feb495f6b0769137b81
-
Filesize
277KB
MD5fb82c4087f33ef1500be09b2c64edd7e
SHA1f3bc3a8bc794198f45c88e4e7f209301a7319247
SHA256a49071caacb938f2602eab78925d1cb38ce8fe180d3db37a91a58b49c912f265
SHA512f0692f8a1c5c835c600ea33bfaa38246970db8ec2c82b49bdcdbf57423c7e220aa48e8f03c107fbc69b4826e4a7f8723e614f7cfa0642f9231677c9a20065184
-
Filesize
277KB
MD5fb82c4087f33ef1500be09b2c64edd7e
SHA1f3bc3a8bc794198f45c88e4e7f209301a7319247
SHA256a49071caacb938f2602eab78925d1cb38ce8fe180d3db37a91a58b49c912f265
SHA512f0692f8a1c5c835c600ea33bfaa38246970db8ec2c82b49bdcdbf57423c7e220aa48e8f03c107fbc69b4826e4a7f8723e614f7cfa0642f9231677c9a20065184
-
Filesize
285KB
MD5d1ff25fb4cf1633dd4889d0f84d2d4c5
SHA1b6df0fe704b5cf3569bd82d6c2dbf6e5cb53569c
SHA256ac7daadef10c3a8de431112576465fd268f381591cee1190285b846f4b4128b2
SHA512110e5be459e9ef789cab7b4e4cf05f01aba42f995ffc00d126534824e9640cb642f483b0aaac6aa213c6a3b8341012d0796af240d6f59964a87c7304bb926898
-
Filesize
285KB
MD5d1ff25fb4cf1633dd4889d0f84d2d4c5
SHA1b6df0fe704b5cf3569bd82d6c2dbf6e5cb53569c
SHA256ac7daadef10c3a8de431112576465fd268f381591cee1190285b846f4b4128b2
SHA512110e5be459e9ef789cab7b4e4cf05f01aba42f995ffc00d126534824e9640cb642f483b0aaac6aa213c6a3b8341012d0796af240d6f59964a87c7304bb926898
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
236KB
MD552fca4d08faccbd7d3f9a487158ed24a
SHA1999297fae9adaaca1f2163e45aa4100ebe2a27f6
SHA2566ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
SHA5127669fca02637a8d02b53837b0bc62025625d7615c275414412ecd0d4f0d6377c588a401e11d637abd1b10269ba813555a6600cebe8657ec78f104f350d4a0368
-
Filesize
236KB
MD552fca4d08faccbd7d3f9a487158ed24a
SHA1999297fae9adaaca1f2163e45aa4100ebe2a27f6
SHA2566ef9b879049e0e8490811b7a90ccd47de82b17ba7e9850485e035780e474ff14
SHA5127669fca02637a8d02b53837b0bc62025625d7615c275414412ecd0d4f0d6377c588a401e11d637abd1b10269ba813555a6600cebe8657ec78f104f350d4a0368
-
Filesize
89KB
MD58c5b3a2beac24f9a4878c50ce26c4623
SHA1e223a25b65a685c5be974ab1865e03497f64bda0
SHA256c33434b1f889a5351cbe18ec31b424d224772303ebdb7331e1fd9f973d8661c4
SHA512b2028e8cbdb105e79e4c86665ae26f47a2c479740e136b250c0587064de974563c380f1efb272dfef593ad8d2daaf32b484ddc17dbf5c5501287be76610cb0f6
-
Filesize
89KB
MD58c5b3a2beac24f9a4878c50ce26c4623
SHA1e223a25b65a685c5be974ab1865e03497f64bda0
SHA256c33434b1f889a5351cbe18ec31b424d224772303ebdb7331e1fd9f973d8661c4
SHA512b2028e8cbdb105e79e4c86665ae26f47a2c479740e136b250c0587064de974563c380f1efb272dfef593ad8d2daaf32b484ddc17dbf5c5501287be76610cb0f6