Analysis
max time kernel: 136s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64 arch:x86 image:win10-20220901-en locale:en-us os:windows10-1703-x64 system
submitted: 16/02/2023, 13:20
Static task
static1
General
Target: 220c771de272ad4e8ef1880beb948dd1569c8fd5a7865844d792f7bc0857984b.exe
Size: 743KB
MD5: 177324162d1243281aa900f85cb9972c
SHA1: b3a46236010157b880ac2540f0090dfe6a12aa85
SHA256: 220c771de272ad4e8ef1880beb948dd1569c8fd5a7865844d792f7bc0857984b
SHA512: 0ac219d4ea74f141d8aa5337742fafe35cc520651a6f7e0733756b0ee3f41d3c41cf92f987bc780df1b11f21426c8d769268eee1d66e7bf8a526da4dcf68b856
SSDEEP: 12288:RMrgy90RfkA0sXibkDsSujmn6dp036UBcOi5gQprr8CKm6URITOy18Hge:py0fkaiIwSujmnDpBMgAUCh6Uu8v
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
auth_value: e5783636fbd9e4f0cf9a017bce02e67e
Extracted
redline
ruma
193.233.20.13:4136
auth_value: 647d00dfaba082a4a30f383bca5d1a2a
Extracted
amadey
3.66
193.233.20.4/t6r48nSa/index.php
Signatures
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iVw92Gg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iVw92Gg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iVw92Gg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iVw92Gg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iVw92Gg.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/memory/1016-425-0x0000000002460000-0x00000000024A6000-memory.dmp | family_redline
behavioral1/memory/1016-430-0x00000000024E0000-0x0000000002524000-memory.dmp | family_redline
-
Executes dropped EXE 9 IoCs
pid | Process
3776 | sVX47sI.exe
4612 | soW30Bo.exe
2420 | iVw92Gg.exe
4752 | kpM33sG.exe
1016 | lPg04Tx.exe
3988 | nHE05Si.exe
4820 | mnolyk.exe
2008 | mnolyk.exe
1356 | mnolyk.exe
-
Loads dropped DLL 1 IoCs
pid | Process
96 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iVw92Gg.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 220c771de272ad4e8ef1880beb948dd1569c8fd5a7865844d792f7bc0857984b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 220c771de272ad4e8ef1880beb948dd1569c8fd5a7865844d792f7bc0857984b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sVX47sI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sVX47sI.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | soW30Bo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | soW30Bo.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1300 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2420 | iVw92Gg.exe
2420 | iVw92Gg.exe
4752 | kpM33sG.exe
4752 | kpM33sG.exe
1016 | lPg04Tx.exe
1016 | lPg04Tx.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2420 | iVw92Gg.exe
Token: SeDebugPrivilege | 4752 | kpM33sG.exe
Token: SeDebugPrivilege | 1016 | lPg04Tx.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
PID:1980 C:\Users\Admin\AppData\Local\Temp\220c771de272ad4e8ef1880beb948dd1569c8fd5a7865844d792f7bc0857984b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\220c771de272ad4e8ef1880beb948dd1569c8fd5a7865844d792f7bc0857984b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  PID:3776 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVX47sI.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVX47sI.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    PID:4612 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\soW30Bo.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\soW30Bo.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      PID:2420 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iVw92Gg.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iVw92Gg.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      PID:4752 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kpM33sG.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kpM33sG.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    PID:1016 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lPg04Tx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lPg04Tx.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  PID:3988 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nHE05Si.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nHE05Si.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    PID:4820 C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      PID:1300 C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
        - Creates scheduled task(s)

      PID:3424 C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory

        PID:4792 C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        PID:4224 C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "mnolyk.exe" /P "Admin:N"

        PID:4776 C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "mnolyk.exe" /P "Admin:R" /E

        PID:4892 C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        PID:4904 C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\5eb6b96734" /P "Admin:N"

        PID:872 C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E

      PID:96 C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        - Loads dropped DLL

PID:2008 C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  - Executes dropped EXE

PID:1356 C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads