Analysis
max time kernel: 61s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 16/02/2023, 13:31

Static task: static1
Behavioral task: behavioral1
Sample: 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe
Resource: win10v2004-20220812-en
General
Target: 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe
Size: 1000KB
MD5: aa3b7d5d30e9d83ff9805720c85477a8
SHA1: b4801ae2959676c8d1be2241add63bf430774dde
SHA256: 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57
SHA512: 1914ca05877158fe6c241a45065ecd1425e8f1c16396d764726f72a7d2606178e0d15e4e99df9d6ea975ea54573c0651f7c26d5248b4ab88a4284f74586f0b37
SSDEEP: 24576:tyDoV47qXQ660Nk13mhs4d6IshIL9QI8so97CTQ:IDpev60Nm2htduyxU
Malware Config

Extracted
Family: redline
Botnet: dubka
C2: 193.233.20.13:4136
auth_value: e5a9421183a033f283b2f23139b471f0

Extracted
Family: redline
Botnet: nock
C2: 176.113.115.17:4132
auth_value: f32d3c6ff0a9a7632c60a2b045a9cde6
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mOu51OV.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mOu51OV.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mOu51OV.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | koj16wk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | koj16wk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | koj16wk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | koj16wk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | mOu51OV.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mOu51OV.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | koj16wk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | koj16wk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mOu51OV.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 8 IoCs
pid | Process
4860 | dYB9935.exe
4356 | dPS3777.exe
4284 | dav3638.exe
5064 | koj16wk.exe
4292 | mOu51OV.exe
2028 | nhr98kE.exe
3460 | ojx34Tn.exe
2932 | pQW92Pn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | koj16wk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | mOu51OV.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | mOu51OV.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | dav3638.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | dYB9935.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dYB9935.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | dPS3777.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | dPS3777.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | dav3638.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
4788 | 4292 | WerFault.exe | 84
3356 | 3460 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
5064 | koj16wk.exe
5064 | koj16wk.exe
4292 | mOu51OV.exe
4292 | mOu51OV.exe
2028 | nhr98kE.exe
2028 | nhr98kE.exe
3460 | ojx34Tn.exe
3460 | ojx34Tn.exe
2932 | pQW92Pn.exe
2932 | pQW92Pn.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5064 | koj16wk.exe
Token: SeDebugPrivilege | 4292 | mOu51OV.exe
Token: SeDebugPrivilege | 2028 | nhr98kE.exe
Token: SeDebugPrivilege | 3460 | ojx34Tn.exe
Token: SeDebugPrivilege | 2932 | pQW92Pn.exe

Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 2424 wrote to memory of 4860 | 2424 | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe | 80
PID 2424 wrote to memory of 4860 | 2424 | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe | 80
PID 2424 wrote to memory of 4860 | 2424 | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe | 80
PID 4860 wrote to memory of 4356 | 4860 | dYB9935.exe | 81
PID 4860 wrote to memory of 4356 | 4860 | dYB9935.exe | 81
PID 4860 wrote to memory of 4356 | 4860 | dYB9935.exe | 81
PID 4356 wrote to memory of 4284 | 4356 | dPS3777.exe | 82
PID 4356 wrote to memory of 4284 | 4356 | dPS3777.exe | 82
PID 4356 wrote to memory of 4284 | 4356 | dPS3777.exe | 82
PID 4284 wrote to memory of 5064 | 4284 | dav3638.exe | 83
PID 4284 wrote to memory of 5064 | 4284 | dav3638.exe | 83
PID 4284 wrote to memory of 4292 | 4284 | dav3638.exe | 84
PID 4284 wrote to memory of 4292 | 4284 | dav3638.exe | 84
PID 4284 wrote to memory of 4292 | 4284 | dav3638.exe | 84
PID 4356 wrote to memory of 2028 | 4356 | dPS3777.exe | 88
PID 4356 wrote to memory of 2028 | 4356 | dPS3777.exe | 88
PID 4356 wrote to memory of 2028 | 4356 | dPS3777.exe | 88
PID 4860 wrote to memory of 3460 | 4860 | dYB9935.exe | 91
PID 4860 wrote to memory of 3460 | 4860 | dYB9935.exe | 91
PID 4860 wrote to memory of 3460 | 4860 | dYB9935.exe | 91
PID 2424 wrote to memory of 2932 | 2424 | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe | 94
PID 2424 wrote to memory of 2932 | 2424 | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe | 94
PID 2424 wrote to memory of 2932 | 2424 | 5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5182f47a62c2d19e7ec69af9c805ecf714ea07453d7b14a6d7341c6d15a58e57.exe"
  PID: 2424
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYB9935.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYB9935.exe
    PID: 4860
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dPS3777.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dPS3777.exe
      PID: 4356
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dav3638.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dav3638.exe
        PID: 4284
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koj16wk.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koj16wk.exe
          PID: 5064
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mOu51OV.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mOu51OV.exe
          PID: 4292
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1080
            PID: 4788
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nhr98kE.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nhr98kE.exe
        PID: 2028
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ojx34Tn.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ojx34Tn.exe
      PID: 3460
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1364
        PID: 3356
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pQW92Pn.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pQW92Pn.exe
    PID: 2932
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4292 -ip 4292
  PID: 4888

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3460 -ip 3460
  PID: 1920
Network
MITRE ATT&CK Enterprise v6
Downloads