Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
07/07/2023, 08:54
Static task
static1
Behavioral task
behavioral1
Sample
7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe
Resource
win7-20230705-en
General
-
Target
7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe
-
Size
514KB
-
MD5
80e443f244436e60100ba0166bcc65c8
-
SHA1
bc806dfb2a3a325af161d2624418da6c4d96ad2e
-
SHA256
7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e96a2fe77cf47c30af4a
-
SHA512
871441d1d56e842faa060ebbf76d53c41094b4b516d0cdf76224fd5ebaa66b57e6837ce423e3c6dc28719cc9ccf5b7c18e925105959fbee480c321f0b37c34a2
-
SSDEEP
12288:3Ew1/ZfvnaRdnQg/0Z8a5uSiy7Hu5wqNNb0sUML+eC:3Eu/Vvn82g/xE6gZQb0sUMTC
Malware Config
Extracted
redline
furod
77.91.68.70:19073
-
auth_value
d2386245fe11799b28b4521492a5879d
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral2/files/0x0007000000023113-186.dat healer behavioral2/files/0x0007000000023113-187.dat healer behavioral2/memory/3452-188-0x0000000000060000-0x000000000006A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection i8121179.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" i8121179.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" i8121179.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" i8121179.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" i8121179.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" i8121179.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation g8222071.exe Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation danke.exe -
Executes dropped EXE 7 IoCs
pid Process 1460 x1967525.exe 1692 f8656098.exe 4676 g8222071.exe 572 danke.exe 3452 i8121179.exe 5104 danke.exe 4552 danke.exe -
Loads dropped DLL 1 IoCs
pid Process 564 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" i8121179.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x1967525.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1967525.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 684 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1692 f8656098.exe 1692 f8656098.exe 3452 i8121179.exe 3452 i8121179.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1692 f8656098.exe Token: SeDebugPrivilege 3452 i8121179.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4676 g8222071.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 4556 wrote to memory of 1460 4556 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe 86 PID 4556 wrote to memory of 1460 4556 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe 86 PID 4556 wrote to memory of 1460 4556 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe 86 PID 1460 wrote to memory of 1692 1460 x1967525.exe 87 PID 1460 wrote to memory of 1692 1460 x1967525.exe 87 PID 1460 wrote to memory of 1692 1460 x1967525.exe 87 PID 1460 wrote to memory of 4676 1460 x1967525.exe 92 PID 1460 wrote to memory of 4676 1460 x1967525.exe 92 PID 1460 wrote to memory of 4676 1460 x1967525.exe 92 PID 4676 wrote to memory of 572 4676 g8222071.exe 93 PID 4676 wrote to memory of 572 4676 g8222071.exe 93 PID 4676 wrote to memory of 572 4676 g8222071.exe 93 PID 4556 wrote to memory of 3452 4556 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe 94 PID 4556 wrote to memory of 3452 4556 7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe 94 PID 572 wrote to memory of 684 572 danke.exe 95 PID 572 wrote to memory of 684 572 danke.exe 95 PID 572 wrote to memory of 684 572 danke.exe 95 PID 572 wrote to memory of 224 572 danke.exe 97 PID 572 wrote to memory of 224 572 danke.exe 97 PID 572 wrote to memory of 224 572 danke.exe 97 PID 224 wrote to memory of 1264 224 cmd.exe 99 PID 224 wrote to memory of 1264 224 cmd.exe 99 PID 224 wrote to memory of 1264 224 cmd.exe 99 PID 224 wrote to memory of 232 224 cmd.exe 100 PID 224 wrote to memory of 232 224 cmd.exe 100 PID 224 wrote to memory of 232 224 cmd.exe 100 PID 224 wrote to memory of 1728 224 cmd.exe 101 PID 224 wrote to memory of 1728 224 cmd.exe 101 PID 224 wrote to memory of 1728 224 cmd.exe 101 PID 224 wrote to memory of 1900 224 cmd.exe 102 PID 224 wrote to memory of 1900 224 cmd.exe 102 PID 224 wrote to memory of 1900 224 cmd.exe 102 PID 224 wrote to memory of 416 224 cmd.exe 103 PID 224 wrote to memory of 416 224 cmd.exe 103 PID 224 wrote to memory of 416 224 cmd.exe 103 PID 224 wrote to memory of 3816 224 cmd.exe 104 PID 224 wrote to memory of 3816 224 cmd.exe 104 PID 224 wrote to memory of 3816 224 cmd.exe 104 PID 572 wrote to memory of 564 572 danke.exe 108 PID 572 wrote to memory of 564 572 danke.exe 108 PID 572 wrote to memory of 564 572 danke.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe"C:\Users\Admin\AppData\Local\Temp\7acdfc580d8b75e8d34b1762eb1d938d7e8f8827c0f7e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1967525.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1967525.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8656098.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8656098.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8222071.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8222071.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F5⤵
- Creates scheduled task(s)
PID:684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:1264
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"6⤵PID:232
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E6⤵PID:1728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:1900
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"6⤵PID:416
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E6⤵PID:3816
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main5⤵
- Loads dropped DLL
PID:564
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8121179.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8121179.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:5104
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:4552
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
329KB
MD5f135c42ff3a920d520899b502a76c626
SHA13a9998ece8a82daf9b4f0ee9883f7f8a0570dfa0
SHA256f5d106b6780201d22d633482840812b1c072b42786e89adfec64f1bd547d858f
SHA51247a9327abe19ba4331980d4cb071d8079feeaede0e3efc920a8bbbc39f9816ce3dfff34b9c5c8ed02fddf51fa9410c1243f66228b92eb9886fbfe14de11cd193
-
Filesize
329KB
MD5f135c42ff3a920d520899b502a76c626
SHA13a9998ece8a82daf9b4f0ee9883f7f8a0570dfa0
SHA256f5d106b6780201d22d633482840812b1c072b42786e89adfec64f1bd547d858f
SHA51247a9327abe19ba4331980d4cb071d8079feeaede0e3efc920a8bbbc39f9816ce3dfff34b9c5c8ed02fddf51fa9410c1243f66228b92eb9886fbfe14de11cd193
-
Filesize
254KB
MD55dfed732a9809de12f756630b5b3dce4
SHA1f964a32083f23d9d475df0d34ef003898d7dcc3c
SHA256b20fd504e17828f54d3c5cb5c502be06541fa210171897432fa71d32255dfc44
SHA512359e4d1e624d2af0d965271dc2ca1757b7e8aab017db8c4da461be0b754372e30c543f61ecec2c9a0f5f11e69aff3e4fa4c203d15a16397e15421e058baef346
-
Filesize
254KB
MD55dfed732a9809de12f756630b5b3dce4
SHA1f964a32083f23d9d475df0d34ef003898d7dcc3c
SHA256b20fd504e17828f54d3c5cb5c502be06541fa210171897432fa71d32255dfc44
SHA512359e4d1e624d2af0d965271dc2ca1757b7e8aab017db8c4da461be0b754372e30c543f61ecec2c9a0f5f11e69aff3e4fa4c203d15a16397e15421e058baef346
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
272B
MD5d867eabb1be5b45bc77bb06814e23640
SHA13139a51ce7e8462c31070363b9532c13cc52c82d
SHA25638c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59