Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
56s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
11/06/2023, 00:03
General
-
Target
a4aab901f5f4662d75a66bdb08971148.exe
-
Size
1.7MB
-
MD5
a4aab901f5f4662d75a66bdb08971148
-
SHA1
9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
-
SHA256
8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
-
SHA512
a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
-
SSDEEP
24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq
Malware Config
Extracted
redline
090623_11_red
goodlogs.neverever.ug:11615
-
auth_value
ca62706abf6895102883ab0c8a86ddff
Extracted
laplas
http://45.159.189.105
-
api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Themida packer 22 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\a4aab901f5f4662d75a66bdb08971148.exe"C:\Users\Admin\AppData\Local\Temp\a4aab901f5f4662d75a66bdb08971148.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.4MB
MD550859caa45e9d02823ae55b69fd7b645
SHA1aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA2568dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA51278df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
-
Filesize
3.4MB
MD550859caa45e9d02823ae55b69fd7b645
SHA1aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA2568dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA51278df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
-
Filesize
3.4MB
MD550859caa45e9d02823ae55b69fd7b645
SHA1aec25ed88cd00fd12a18ca2714d68e33c7fd57c3
SHA2568dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
SHA51278df0c4c350b92743f4739855a8f605cf245463dde934edb2b8a26a5d6025231c17b8f0bbe2b9bffa4938343bf84ab88f5539282b6f9fbb78ec836d5a735d767
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA1cb1e56e022de8660579a5812b97303529bdca5d5
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
SHA512219edd14a795a375220370858f4bfefa2e83fe0a57d90a56097486883b925383567c6c3159c8c312305ae06641d632c8cbef7e823d228efdf3abb912bbdd21cf
-
Filesize
578.9MB
MD529e969c36d54e216a83339f59c264ea8
SHA195481cec4dd1c5f37503cc7a18c51a67243389bb
SHA2566d0c31a6a1d6550278574cad6951ca94c6b3986449a89731c3800cd5fd8e5cbe
SHA512fff18f7a4d28336b872d086a305a7506ca8bd11ca0804017413bae833dcd87034c5a6c4fa7c3788ced2f37fc419651f1c0917d4de847555d1f45f1f820fc1c36
-
Filesize
571.6MB
MD5744bbab5c4f8863a191335e674801251
SHA10842403409bbd7176abd69e32a2898417ebb89fd
SHA256cfa0998663b93bc5e240aa92baad21540de2ad59fc1252864b511c9e1df1daa9
SHA5125461d00a2aa2fe9e1217eca81603a7b533cce46f9e46bb95ae3447c7934c30436cc6111430993728b848429bb952d52b1c8493a8a9597fbf3a94a88e60cfbb75
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
192KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
5.6MB
-
Filesize
5.2MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.7MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB