Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 43s
max time network: 45s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2023, 03:37
Static task: static1
Behavioral task: behavioral1
    Sample: 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
    Resource: win7-20230220-en
Behavioral task: behavioral2
    Sample: 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
    Resource: win10-20230220-en
General
Target: 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
Size: 546KB
MD5: 0652658f0d87fba539d4e65083c815e2
SHA1: fb302cbc7cf27f498aacc246db04f38098eea199
SHA256: 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e
SHA512: b6b919be69d2af4414459ee48a66960b32215dfc2fe979d39963aae25a6737c7940f0dbeb57c28bf8ee0cb6171d40d9685b54c17d871a93f522eda477026465f
SSDEEP: 12288:IMrmy90dJG/rHg62J30NsYeyJidazIUaqAE2BADPWtWtYGSe:+yCJGjHsJEuhezIUaqAj1tWAe
Malware Config
Extracted
    Family: redline
    Botnet: mango
    C2: 193.233.20.28:4125
    auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
    Family: redline
    Botnet: gonna
    C2: 193.56.146.220:4174
    auth_value: 10ce5127fa09a5422f1a407fb6a7c077
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | s2866yQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | s2866yQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | s2866yQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | s2866yQ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | s2866yQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | s2866yQ.exe
These are the Group Policy values Defender honours for real-time protection; writing them switches the corresponding component off without further interaction, provided the process can write under HKLM\SOFTWARE\Policies (administrative rights) and Tamper Protection (Windows 10 1903 and later) is not enabled. The Windows 7 image this run used has neither Tamper Protection nor the full Defender antivirus engine, so the writes are recorded here as intent rather than as a measured effect.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
All 35 matches are memory dumps of PID 1088 (t38xk55.exe) taken in behavioral1:
resource | yara_rule
behavioral1/memory/1088-83-0x00000000008E0000-0x0000000000926000-memory.dmp | family_redline
behavioral1/memory/1088-84-0x0000000001FD0000-0x0000000002014000-memory.dmp | family_redline
behavioral1/memory/1088-85-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-86-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-88-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-90-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-92-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-94-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-96-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-98-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-102-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-105-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-107-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-109-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-111-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-113-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-115-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-117-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-119-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-121-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-123-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-125-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-127-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-131-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-129-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-133-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-135-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-137-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-139-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-141-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-145-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-143-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-147-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-149-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
behavioral1/memory/1088-151-0x0000000001FD0000-0x000000000200E000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1532 | vkWQ6077hP.exe
1036 | s2866yQ.exe
1088 | t38xk55.exe
276 | uzast82.exe

Loads dropped DLL 8 IoCs
pid | Process
1676 | 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe (2 entries)
1532 | vkWQ6077hP.exe (4 entries)
1088 | t38xk55.exe
276 | uzast82.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | s2866yQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | s2866yQ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vkWQ6077hP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | vkWQ6077hP.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
Both RunOnce values are the standard cleanup entries written by wextract, the self-extracting cabinet stub used by IExpress packages: at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories. They remove traces of the dropper rather than relaunching the payload, so the signature name overstates their persistence value. The nested directories also show the layout of the sample: the outer package extracts vkWQ6077hP.exe and uzast82.exe into IXP000.TMP, and vkWQ6077hP.exe is itself a package that extracts s2866yQ.exe and t38xk55.exe into IXP001.TMP.
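The three registry signatures above (the Real-Time Protection policy values, the TamperProtection value, and the RunOnce entries) look alike in a raw event stream, but they mean different things: the first two are Defender tampering, the RunOnce entries are transient SFX cleanup. The classifier below is an added example, not tria.ge code. Its event rows are constructed from the tables in this report; the final Run\Updater event, the SID S-1-5-21-1000 and the process name hypothetical.exe are invented solely to show what a genuine autostart entry looks like next to the wextract cleanup. The meaning attached to each Disable* value is the Defender policy semantics; the TamperProtection caveat noted above applies to the write, not to this parser.

```python
"""Classify registry writes from a sandbox run (added example, not tria.ge code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Policy key the sample creates; each value below, when set to "1", disables one component.
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
    "DisableBehaviorMonitoring": "behavior monitoring",
}
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
# Run / RunOnce value under the native or the Wow6432Node view of the hive.
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Data wextract (IExpress SFX stub) writes so its IXPnnn.TMP directory is deleted at next logon.
WEXTRACT_CLEANUP = re.compile(r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"$', re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str       # "create" (key) or "set" (value)
    path: str     # key path; for "set" the value name is the last component
    data: str     # value data for "set", "" for "create"
    process: str  # image name of the writing process


@dataclass(frozen=True)
class Finding:
    category: str  # defender_tamper | sfx_cleanup | persistence | other
    process: str
    detail: str


def classify(ev: RegEvent) -> Finding:
    key, _, name = ev.path.rpartition("\\")
    if ev.op == "create" and ev.path.lower() == RTP_POLICY.lower():
        return Finding("defender_tamper", ev.process, "created Real-Time Protection policy key")
    if ev.op == "set" and key.lower() == RTP_POLICY.lower() and name in RTP_DISABLE and ev.data == "1":
        return Finding("defender_tamper", ev.process, f"{name}=1 turns off {RTP_DISABLE[name]}")
    if ev.op == "set" and key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and ev.data == "0":
        return Finding("defender_tamper", ev.process, "TamperProtection=0 (attempt to disable tamper protection)")
    m = RUN_VALUE.search(ev.path) if ev.op == "set" else None
    if m:
        sfx = WEXTRACT_CLEANUP.match(ev.data)
        if sfx and m["name"].lower().startswith("wextract_cleanup"):
            # Transient: deletes the extraction directory, does not relaunch anything.
            return Finding("sfx_cleanup", ev.process, f"RunOnce cleanup of {sfx['dir']}")
        return Finding("persistence", ev.process, f"{m['key']}\\{m['name']} = {ev.data}")
    return Finding("other", ev.process, ev.path)


def summarize(events: list[RegEvent]) -> dict[str, list[Finding]]:
    """Group findings by category, preserving event order."""
    out: dict[str, list[Finding]] = {}
    for ev in events:
        f = classify(ev)
        out.setdefault(f.category, []).append(f)
    return out


def defender_tampering_processes(events: list[RegEvent]) -> set[str]:
    return {f.process for f in summarize(events).get("defender_tamper", [])}


# Constructed from the signature tables in this report, plus one hypothetical Run entry.
SAMPLE_EVENTS = [
    RegEvent("create", RTP_POLICY, "", "s2866yQ.exe"),
    RegEvent("set", RTP_POLICY + r"\DisableIOAVProtection", "1", "s2866yQ.exe"),
    RegEvent("set", RTP_POLICY + r"\DisableOnAccessProtection", "1", "s2866yQ.exe"),
    RegEvent("set", RTP_POLICY + r"\DisableRealtimeMonitoring", "1", "s2866yQ.exe"),
    RegEvent("set", RTP_POLICY + r"\DisableScanOnRealtimeEnable", "1", "s2866yQ.exe"),
    RegEvent("set", RTP_POLICY + r"\DisableBehaviorMonitoring", "1", "s2866yQ.exe"),
    RegEvent("set", FEATURES_KEY + r"\TamperProtection", "0", "s2866yQ.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
             "vkWQ6077hP.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
             "072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe"),
    # Hypothetical autostart entry (not from the report), included for contrast.
    RegEvent("set", r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\Admin\AppData\Roaming\Updater\svc.exe", "hypothetical.exe"),
]

if __name__ == "__main__":
    for cat, findings in summarize(SAMPLE_EVENTS).items():
        print(cat)
        for f in findings:
            print(f"  {f.process}: {f.detail}")
```

Run against the constructed rows it attributes all seven Defender writes to s2866yQ.exe, files both wextract entries as cleanup, and only the invented Updater value as persistence. The same split works on Sysmon event ID 12/13 records once the TargetObject and Details fields are mapped onto RegEvent.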
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1036 | s2866yQ.exe (2 entries)
1088 | t38xk55.exe (2 entries)
276 | uzast82.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1036 | s2866yQ.exe
Token: SeDebugPrivilege | 1088 | t38xk55.exe
Token: SeDebugPrivilege | 276 | uzast82.exe
Suspicious use of WriteProcessMemory 28 IoCs
Four distinct writer/target pairs, each logged 7 times:
description | pid | Process | procid_target | entries
PID 1676 wrote to memory of 1532 | 1676 | 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe | 28 | 7
PID 1532 wrote to memory of 1036 | 1532 | vkWQ6077hP.exe | 29 | 7
PID 1532 wrote to memory of 1088 | 1532 | vkWQ6077hP.exe | 30 | 7
PID 1676 wrote to memory of 276 | 1676 | 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe | 32 | 7
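Every writer/target pair in that table is also a parent/child pair in the process list further down, and each pair is logged the same number of times, which is the pattern a sandbox records for ordinary process creation (the parent populates the new child's address space) rather than for injection into an unrelated process. Reading the table as a spawn tree therefore recovers the dropper chain. The script below is an added example, not tria.ge code. Its rows are constructed from the four distinct entries above, each repeated 7 times; the names of the leaf processes (which never appear in the Process column because they write to nobody) are taken from the Executes dropped EXE table.

```python
"""Rebuild the spawn tree from WriteProcessMemory rows (added example, not tria.ge code)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Flattened row layout: "<description> <pid> <Process> <procid_target>"
ROW = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)")

# Constructed from the table: the four distinct rows, each of which the report logs 7 times.
_DISTINCT = [
    "PID 1676 wrote to memory of 1532 1676 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe 28",
    "PID 1532 wrote to memory of 1036 1532 vkWQ6077hP.exe 29",
    "PID 1532 wrote to memory of 1088 1532 vkWQ6077hP.exe 30",
    "PID 1676 wrote to memory of 276 1676 072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe 32",
]
SAMPLE_ROWS = "\n".join(row for row in _DISTINCT for _ in range(7))  # 28 rows
# Leaf names from the "Executes dropped EXE" table (leaves never appear as writers).
CHILD_NAMES = {1532: "vkWQ6077hP.exe", 1036: "s2866yQ.exe", 1088: "t38xk55.exe", 276: "uzast82.exe"}


def parse_rows(text: str) -> tuple[Counter, dict[int, str]]:
    """Count each (writer, target) pair and record the writer's image name."""
    edges: Counter = Counter()
    names: dict[int, str] = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        if m["src"] != m["pid"]:
            raise ValueError(f"description/pid mismatch: {line!r}")
        edges[(int(m["src"]), int(m["dst"]))] += 1
        names[int(m["src"])] = m["proc"]
    return edges, names


def build_tree(edges: Counter) -> tuple[dict[int, list[int]], dict[int, int], list[int]]:
    """children map, parent map and root PIDs, in the order the report lists them."""
    children: dict[int, list[int]] = defaultdict(list)
    parents: dict[int, int] = {}
    for src, dst in edges:
        children[src].append(dst)
        parents[dst] = src
    roots = [p for p in children if p not in parents]
    return children, parents, roots


def ancestry(parents: dict[int, int], pid: int) -> list[int]:
    """Root-to-pid chain, e.g. [1676, 1532, 1088] for t38xk55.exe."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(text: str, extra_names: dict[int, str]) -> list[str]:
    edges, names = parse_rows(text)
    names = {**extra_names, **names}
    children, parents, roots = build_tree(edges)

    def walk(pid: int, depth: int) -> list[str]:
        n = edges.get((parents[pid], pid)) if pid in parents else None
        tag = f"  ({n} WriteProcessMemory rows from parent)" if n else ""
        lines = [f"{'    ' * depth}{pid} {names.get(pid, '?')}{tag}"]
        for child in children.get(pid, []):
            lines.extend(walk(child, depth + 1))
        return lines

    out: list[str] = []
    for root in roots:
        out.extend(walk(root, 0))
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS, CHILD_NAMES)))
```

The uniform count per edge is the check worth keeping: a child that receives many more writes than its siblings, or a target PID that is not also a child in the process list, is the case where this signature is pointing at injection rather than at a dropper chain.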
Processes

C:\Users\Admin\AppData\Local\Temp\072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe"
    PID: 1676
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWQ6077hP.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWQ6077hP.exe
        PID: 1532
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2866yQ.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2866yQ.exe
            PID: 1036
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t38xk55.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t38xk55.exe
            PID: 1088
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzast82.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzast82.exe
        PID: 276
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Distinct dropped files (by hash):

Filesize: 175KB
MD5: ddaf6a7e4c6bd55f4001a68b41020710
SHA1: cc50a5dd9e0b1be80c43b0850c002e0484b5d2ad
SHA256: 5669aa2a6e00d71f9ca012fecdea7ec1134e22f4ac349106af7f7e5372a5b6a8
SHA512: 02ececce795610f012f81feb1ec338dabedfbbfe0461df7352b1600cc04b6f5b8e14ebd715ba3ff32a3d5a75345eddd26cae6059bad48e3fda93e61cffac4d51

Filesize: 402KB
MD5: ae92995063c599f57c80a5d35a98b340
SHA1: 72bbb27d0ea04722ba1cb373667db2bb2a2f2810
SHA256: ec81fa71088214f6f50b0f4e35f2ee96f405a97b165b24ddf3851fc81e816f13
SHA512: 76b0d5b5420d4de748bd0115a72dc506471893bfbc07bc9bfa9dbc4623a13a0b610de653bb666675ec6998b59f5d85a044bb6b5cf0b0266afc6e76fc1636ea08

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 367KB
MD5: b027ebb3e70d7bc51c75bbdfd85ea392
SHA1: 89bea40a9f34e998af07884e9a3da1df21037b2a
SHA256: 0c7a52e23934ed22905ccf78982f546ab0a36f92cdc64bf1cfddc7b4cb02d0e3
SHA512: 4d51137bd5c210f57198dd9f08858415ec2b5f4cd4324651bbc4b0127fbcfb1486b4f5f2add49602afeb340675ba3f37344ccf3d728039dabf3411bd547f0a4c