Analysis
- max time kernel: 100s
- max time network: 141s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15/02/2023, 10:03
Static task
static1
General
- Target: 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe
- Size: 724KB
- MD5: cec39b14d774e8d5580c6c6dcb8a033a
- SHA1: 79da3c673d29c2b8e984b8376abbcf61bd17e892
- SHA256: 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2
- SHA512: 6848f844c08aa0a0e1712a5a83f4973103d2609cce0e93c9b71a1a9fc5d71da9c2485b3d0bf3f3e942f406149a6868fe97a9adfbc70e50d7d32ed888ba9c442d
- SSDEEP: 12288:NMrNy90kpEsp40UI8nt+oiDghJDIVCx3rzN6dThUYxZlBxo:oybEUHkLzIS36h9xJG
Malware Config
Extracted
- Family: redline
- Botnet: fukia
- C2: 193.233.20.13:4136
- auth_value: e5783636fbd9e4f0cf9a017bce02e67e

Extracted
- Family: redline
- Botnet: ruma
- C2: 193.233.20.13:4136
- auth_value: 647d00dfaba082a4a30f383bca5d1a2a

Extracted
- Family: amadey
- Version: 3.66
- C2: 193.233.20.4/t6r48nSa/index.php
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iti32VU.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iti32VU.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iti32VU.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iti32VU.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iti32VU.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/764-418-0x0000000002530000-0x0000000002576000-memory.dmp | family_redline |
| behavioral1/memory/764-423-0x0000000004B10000-0x0000000004B54000-memory.dmp | family_redline |

Executes dropped EXE 8 IoCs

| pid | Process |
| --- | --- |
| 4584 | sAE67zy.exe |
| 1508 | svg22kO.exe |
| 4788 | iti32VU.exe |
| 3764 | kDs85Jx.exe |
| 764 | lbJ66FG.exe |
| 3172 | ndx33aT.exe |
| 3692 | mnolyk.exe |
| 192 | mnolyk.exe |

Loads dropped DLL 1 IoCs

| pid | Process |
| --- | --- |
| 1440 | rundll32.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iti32VU.exe |

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sAE67zy.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sAE67zy.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svg22kO.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | svg22kO.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe |

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 3664 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses 6 IoCs

| pid | Process |
| --- | --- |
| 4788 | iti32VU.exe |
| 4788 | iti32VU.exe |
| 3764 | kDs85Jx.exe |
| 3764 | kDs85Jx.exe |
| 764 | lbJ66FG.exe |
| 764 | lbJ66FG.exe |

Suspicious use of AdjustPrivilegeToken 3 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4788 | iti32VU.exe |
| Token: SeDebugPrivilege | 3764 | kDs85Jx.exe |
| Token: SeDebugPrivilege | 764 | lbJ66FG.exe |

Suspicious use of WriteProcessMemory 47 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1524 wrote to memory of 4584 | 1524 | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe | 66 |
| PID 1524 wrote to memory of 4584 | 1524 | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe | 66 |
| PID 1524 wrote to memory of 4584 | 1524 | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe | 66 |
| PID 4584 wrote to memory of 1508 | 4584 | sAE67zy.exe | 67 |
| PID 4584 wrote to memory of 1508 | 4584 | sAE67zy.exe | 67 |
| PID 4584 wrote to memory of 1508 | 4584 | sAE67zy.exe | 67 |
| PID 1508 wrote to memory of 4788 | 1508 | svg22kO.exe | 68 |
| PID 1508 wrote to memory of 4788 | 1508 | svg22kO.exe | 68 |
| PID 1508 wrote to memory of 3764 | 1508 | svg22kO.exe | 69 |
| PID 1508 wrote to memory of 3764 | 1508 | svg22kO.exe | 69 |
| PID 1508 wrote to memory of 3764 | 1508 | svg22kO.exe | 69 |
| PID 4584 wrote to memory of 764 | 4584 | sAE67zy.exe | 71 |
| PID 4584 wrote to memory of 764 | 4584 | sAE67zy.exe | 71 |
| PID 4584 wrote to memory of 764 | 4584 | sAE67zy.exe | 71 |
| PID 1524 wrote to memory of 3172 | 1524 | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe | 72 |
| PID 1524 wrote to memory of 3172 | 1524 | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe | 72 |
| PID 1524 wrote to memory of 3172 | 1524 | 66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe | 72 |
| PID 3172 wrote to memory of 3692 | 3172 | ndx33aT.exe | 73 |
| PID 3172 wrote to memory of 3692 | 3172 | ndx33aT.exe | 73 |
| PID 3172 wrote to memory of 3692 | 3172 | ndx33aT.exe | 73 |
| PID 3692 wrote to memory of 3664 | 3692 | mnolyk.exe | 74 |
| PID 3692 wrote to memory of 3664 | 3692 | mnolyk.exe | 74 |
| PID 3692 wrote to memory of 3664 | 3692 | mnolyk.exe | 74 |
| PID 3692 wrote to memory of 3700 | 3692 | mnolyk.exe | 75 |
| PID 3692 wrote to memory of 3700 | 3692 | mnolyk.exe | 75 |
| PID 3692 wrote to memory of 3700 | 3692 | mnolyk.exe | 75 |
| PID 3700 wrote to memory of 3832 | 3700 | cmd.exe | 78 |
| PID 3700 wrote to memory of 3832 | 3700 | cmd.exe | 78 |
| PID 3700 wrote to memory of 3832 | 3700 | cmd.exe | 78 |
| PID 3700 wrote to memory of 4124 | 3700 | cmd.exe | 79 |
| PID 3700 wrote to memory of 4124 | 3700 | cmd.exe | 79 |
| PID 3700 wrote to memory of 4124 | 3700 | cmd.exe | 79 |
| PID 3700 wrote to memory of 920 | 3700 | cmd.exe | 80 |
| PID 3700 wrote to memory of 920 | 3700 | cmd.exe | 80 |
| PID 3700 wrote to memory of 920 | 3700 | cmd.exe | 80 |
| PID 3700 wrote to memory of 528 | 3700 | cmd.exe | 81 |
| PID 3700 wrote to memory of 528 | 3700 | cmd.exe | 81 |
| PID 3700 wrote to memory of 528 | 3700 | cmd.exe | 81 |
| PID 3700 wrote to memory of 3876 | 3700 | cmd.exe | 82 |
| PID 3700 wrote to memory of 3876 | 3700 | cmd.exe | 82 |
| PID 3700 wrote to memory of 3876 | 3700 | cmd.exe | 82 |
| PID 3700 wrote to memory of 1540 | 3700 | cmd.exe | 83 |
| PID 3700 wrote to memory of 1540 | 3700 | cmd.exe | 83 |
| PID 3700 wrote to memory of 1540 | 3700 | cmd.exe | 83 |
| PID 3692 wrote to memory of 1440 | 3692 | mnolyk.exe | 85 |
| PID 3692 wrote to memory of 1440 | 3692 | mnolyk.exe | 85 |
| PID 3692 wrote to memory of 1440 | 3692 | mnolyk.exe | 85 |
Processes
- C:\Users\Admin\AppData\Local\Temp\66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe (PID 1524)
  command line: "C:\Users\Admin\AppData\Local\Temp\66d4e5a4a47b4c7fbdf3e6b6cbb86f481a833a08c8a5dd20f28b1492ce354bf2.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sAE67zy.exe (PID 4584)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sAE67zy.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\svg22kO.exe (PID 1508)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\svg22kO.exe
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iti32VU.exe (PID 4788)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iti32VU.exe
        signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kDs85Jx.exe (PID 3764)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kDs85Jx.exe
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lbJ66FG.exe (PID 764)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lbJ66FG.exe
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ndx33aT.exe (PID 3172)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ndx33aT.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe (PID 3692)
      command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3664)
        command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
        signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe (PID 3700)
        command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 3832)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - C:\Windows\SysWOW64\cacls.exe (PID 4124)
          command line: CACLS "mnolyk.exe" /P "Admin:N"
        - C:\Windows\SysWOW64\cacls.exe (PID 920)
          command line: CACLS "mnolyk.exe" /P "Admin:R" /E
        - C:\Windows\SysWOW64\cmd.exe (PID 528)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - C:\Windows\SysWOW64\cacls.exe (PID 3876)
          command line: CACLS "..\5eb6b96734" /P "Admin:N"
        - C:\Windows\SysWOW64\cacls.exe (PID 1540)
          command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
      - C:\Windows\SysWOW64\rundll32.exe (PID 1440)
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        signatures: Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe (PID 192)
  command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  signatures: Executes dropped EXE
Downloads