Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
28/06/2023, 14:23
Static task
static1
Behavioral task
behavioral1
Sample
d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe
Resource
win10v2004-20230621-en
General
-
Target
d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe
-
Size
508KB
-
MD5
707c58d1dbfd454ec4fc46c717deeae3
-
SHA1
e403877bc39370411de7d96ef6e92a6876d9faa5
-
SHA256
d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e
-
SHA512
e42b7afc9d0845b8e8657eeaba93ae5095f2bd05f750ccf6385a79f650c0333f972215ffe00bad461dd29ca018a91caf512bc8543bd59f45e23847db78638217
-
SSDEEP
12288:ntOy03z+7mXpO8kFqKoAZlpPH17BoS4jBHQ:sy0g4O8pKowTv17VoBHQ
Malware Config
Extracted
redline
drake
83.97.73.131:19071
-
auth_value
74ce6ffe4025a2e4027fb727915e7d7c
Extracted
amadey
3.84
77.91.68.63/doma/net/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k4978518.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k4978518.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k4978518.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k4978518.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k4978518.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k4978518.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation n4470054.exe Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation rugen.exe -
Executes dropped EXE 7 IoCs
pid Process 1328 y0696622.exe 1984 k4978518.exe 3792 l9962490.exe 2588 n4470054.exe 5004 rugen.exe 3428 rugen.exe 532 rugen.exe -
Loads dropped DLL 1 IoCs
pid Process 3584 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k4978518.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k4978518.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce y0696622.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y0696622.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3404 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1984 k4978518.exe 1984 k4978518.exe 3792 l9962490.exe 3792 l9962490.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1984 k4978518.exe Token: SeDebugPrivilege 3792 l9962490.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2588 n4470054.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 5068 wrote to memory of 1328 5068 d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe 85 PID 5068 wrote to memory of 1328 5068 d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe 85 PID 5068 wrote to memory of 1328 5068 d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe 85 PID 1328 wrote to memory of 1984 1328 y0696622.exe 86 PID 1328 wrote to memory of 1984 1328 y0696622.exe 86 PID 1328 wrote to memory of 1984 1328 y0696622.exe 86 PID 1328 wrote to memory of 3792 1328 y0696622.exe 88 PID 1328 wrote to memory of 3792 1328 y0696622.exe 88 PID 1328 wrote to memory of 3792 1328 y0696622.exe 88 PID 5068 wrote to memory of 2588 5068 d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe 90 PID 5068 wrote to memory of 2588 5068 d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe 90 PID 5068 wrote to memory of 2588 5068 d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe 90 PID 2588 wrote to memory of 5004 2588 n4470054.exe 91 PID 2588 wrote to memory of 5004 2588 n4470054.exe 91 PID 2588 wrote to memory of 5004 2588 n4470054.exe 91 PID 5004 wrote to memory of 3404 5004 rugen.exe 92 PID 5004 wrote to memory of 3404 5004 rugen.exe 92 PID 5004 wrote to memory of 3404 5004 rugen.exe 92 PID 5004 wrote to memory of 1292 5004 rugen.exe 94 PID 5004 wrote to memory of 1292 5004 rugen.exe 94 PID 5004 wrote to memory of 1292 5004 rugen.exe 94 PID 1292 wrote to memory of 2368 1292 cmd.exe 96 PID 1292 wrote to memory of 2368 1292 cmd.exe 96 PID 1292 wrote to memory of 2368 1292 cmd.exe 96 PID 1292 wrote to memory of 3456 1292 cmd.exe 97 PID 1292 wrote to memory of 3456 1292 cmd.exe 97 PID 1292 wrote to memory of 3456 1292 cmd.exe 97 PID 1292 wrote to memory of 3852 1292 cmd.exe 98 PID 1292 wrote to memory of 3852 1292 cmd.exe 98 PID 1292 wrote to memory of 3852 1292 cmd.exe 98 PID 1292 wrote to memory of 1484 1292 cmd.exe 99 PID 1292 wrote to memory of 1484 1292 cmd.exe 99 PID 1292 wrote to memory of 1484 1292 cmd.exe 99 PID 1292 wrote to memory of 4692 1292 cmd.exe 100 PID 1292 wrote to memory of 4692 1292 cmd.exe 100 PID 1292 wrote to memory of 4692 1292 cmd.exe 100 PID 1292 wrote to memory of 2080 1292 cmd.exe 101 PID 1292 wrote to memory of 2080 1292 cmd.exe 101 PID 1292 wrote to memory of 2080 1292 cmd.exe 101 PID 5004 wrote to memory of 3584 5004 rugen.exe 111 PID 5004 wrote to memory of 3584 5004 rugen.exe 111 PID 5004 wrote to memory of 3584 5004 rugen.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe"C:\Users\Admin\AppData\Local\Temp\d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0696622.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0696622.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4978518.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4978518.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9962490.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9962490.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4470054.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4470054.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F4⤵
- Creates scheduled task(s)
PID:3404
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2368
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rugen.exe" /P "Admin:N"5⤵PID:3456
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rugen.exe" /P "Admin:R" /E5⤵PID:3852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1484
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\200f691d32" /P "Admin:N"5⤵PID:4692
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\200f691d32" /P "Admin:R" /E5⤵PID:2080
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:3584
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
PID:3428
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
PID:532
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
257KB
MD5c6ec9d48c87be7bec69fab1eedad9307
SHA1ca8b1f85e1297d7ac5b444977d5c0fbf1a59d77a
SHA25673d90d47a51ffae10701a41fc02ea3fb56cbb8285d69a41f4989b3f3357ecc7c
SHA512719ba297dee8cecb7a343e79ec2aa2f9e48fd7ce60cb7b5b637c67e7da538f9ad1014286c15b4a7358db14195767e3bff1f2e429c39b7375635b11b4f8e66c11
-
Filesize
257KB
MD5c6ec9d48c87be7bec69fab1eedad9307
SHA1ca8b1f85e1297d7ac5b444977d5c0fbf1a59d77a
SHA25673d90d47a51ffae10701a41fc02ea3fb56cbb8285d69a41f4989b3f3357ecc7c
SHA512719ba297dee8cecb7a343e79ec2aa2f9e48fd7ce60cb7b5b637c67e7da538f9ad1014286c15b4a7358db14195767e3bff1f2e429c39b7375635b11b4f8e66c11
-
Filesize
89KB
MD50fd8c62f5734499715768109b5072e0b
SHA13da33626499609fdb6eac275521fd1b1857585d8
SHA2561f025683e0f81104532b806cf48c7db05ce76e312f0f276ef0a6c72cb9a29147
SHA5121ddd7277650b29c73e1135b65d26199229d8e730c3cf2ebc4cf83e3a380f0a93ee31f87c00ac53f430e4d8586d4a66ad7367c4d809779969f174ba710cebd9e8
-
Filesize
89KB
MD50fd8c62f5734499715768109b5072e0b
SHA13da33626499609fdb6eac275521fd1b1857585d8
SHA2561f025683e0f81104532b806cf48c7db05ce76e312f0f276ef0a6c72cb9a29147
SHA5121ddd7277650b29c73e1135b65d26199229d8e730c3cf2ebc4cf83e3a380f0a93ee31f87c00ac53f430e4d8586d4a66ad7367c4d809779969f174ba710cebd9e8
-
Filesize
251KB
MD5831576201a82f2ea16d87149c6f8b61b
SHA171081fb5f32b4ba8ae05beb1fec3c056dfa502f3
SHA256d0baef1c331616bc356670b616b5e5cc23126b6fb4f1e796b00e277cfd60de32
SHA51261fe02e2936e83476a58fba282038ce74eaf6c6db50ae270705d0174adc7d34914111121667aef2a5becefd4f7719f2c917adf67ae85425db73fcd00e56353f9
-
Filesize
251KB
MD5831576201a82f2ea16d87149c6f8b61b
SHA171081fb5f32b4ba8ae05beb1fec3c056dfa502f3
SHA256d0baef1c331616bc356670b616b5e5cc23126b6fb4f1e796b00e277cfd60de32
SHA51261fe02e2936e83476a58fba282038ce74eaf6c6db50ae270705d0174adc7d34914111121667aef2a5becefd4f7719f2c917adf67ae85425db73fcd00e56353f9
-
Filesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
Filesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
Filesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
Filesize
273B
MD504a943771990ab49147e63e8c2fbbed0
SHA1a2bde564bef4f63749716621693a3cfb7bd4d55e
SHA256587c2fb0cf025a255a077b24fe6433fd67bdfac451d74d321d86db96c369841e
SHA51240e325e6e50e2d7b6c9dd0c555e23c85c4a45bd1829a76efa0383dcc05ac5fd19a14804079a5d2523ded92b03b6e3051c3e8780053795be3359bf32dd3094a6d