Analysis
- max time kernel: 135s
- max time network: 150s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28/08/2023, 19:25

Static task: static1
Behavioral task: behavioral1
Sample: eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c.exe
Resource: win10-20230703-en
General
- Target: eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c.exe
- Size: 1.4MB
- MD5: b123c79d36be9ea9056081549aceca80
- SHA1: 0b3917f0d9219ee35df516accd37509d6887578c
- SHA256: eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c
- SHA512: 7de8c1fa16761f80ad99c31368164121db6efca6a5ba4f57ebe61084b02c119a35393dcb7a6ebfc145673d94344ecb5fdd1e6829dbc3950772ffc652e953c34d
- SSDEEP: 24576:Sy3+W8KyhjyUjV62OKM3GGJ26f/uMIkDGlMYOw1xjTUnz9hAqmX9LLtgtDxFgBTL:53+gyAUZYKM3GGXfWxMYOw1FgzzA7Lt3
Malware Config
Extracted: amadey
- Version: 3.87
- C2: 77.91.68.18/nice/index.php
Extracted: redline
- Botnet: stas
- C2: 77.91.124.82:19071
- auth_value: db6d96c4eade05afc28c31d9ad73a73c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (9 IoCs)
  PID   Process
  4956  y4327228.exe
  3732  y5074580.exe
  1180  y1157476.exe
  2088  l4861210.exe
  2080  saves.exe
  1148  m6686537.exe
  4632  n1177302.exe
  4440  saves.exe
  2744  saves.exe
- Loads dropped DLL (1 IoC)
  PID   Process
  2164  rundll32.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Each entry is a "Set value (str)" on a RunOnce key; the value is the rundll32 advpack cleanup command for that extraction directory.
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
  Value: "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c.exe
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
  Value: "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: y4327228.exe
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2
  Value: "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: y5074580.exe
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3
  Value: "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Process: y1157476.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2028  schtasks.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  Each source/target pair below was recorded three times, giving 48 events in total.
  Source PID  Process                                                                  Target PID  procid_target  Events
  3116        eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c.exe    4956        70             3
  4956        y4327228.exe                                                             3732        71             3
  3732        y5074580.exe                                                             1180        72             3
  1180        y1157476.exe                                                             2088        73             3
  2088        l4861210.exe                                                             2080        74             3
  1180        y1157476.exe                                                             1148        75             3
  2080        saves.exe                                                                2028        76             3
  2080        saves.exe                                                                3380        77             3
  3380        cmd.exe                                                                  4976        80             3
  3380        cmd.exe                                                                  1060        81             3
  3380        cmd.exe                                                                  2596        82             3
  3732        y5074580.exe                                                             4632        83             3
  3380        cmd.exe                                                                  3368        84             3
  3380        cmd.exe                                                                  2616        85             3
  3380        cmd.exe                                                                  3736        86             3
  2080        saves.exe                                                                2164        88             3
Processes
Indentation shows the parent/child relationship; each entry gives the image path, the command line, the PID and the signatures that fired for it.

- C:\Users\Admin\AppData\Local\Temp\eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eef8c20f1e7b59d35e829b1255b0e1a1c4c64baa863287af8ff293aca88b997c.exe"
  PID: 3116
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4327228.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4327228.exe
    PID: 4956
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5074580.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5074580.exe
      PID: 3732
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1157476.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1157476.exe
        PID: 1180
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l4861210.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l4861210.exe
          PID: 2088
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
            PID: 2080
            Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
              PID: 2028
              Signatures: Creates scheduled task(s)
            - C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
              PID: 3380
              Signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 4976
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "saves.exe" /P "Admin:N"
                PID: 1060
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "saves.exe" /P "Admin:R" /E
                PID: 2596
              - C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 3368
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\b40d11255d" /P "Admin:N"
                PID: 2616
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\b40d11255d" /P "Admin:R" /E
                PID: 3736
            - C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              PID: 2164
              Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m6686537.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m6686537.exe
          PID: 1148
          Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1177302.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1177302.exe
        PID: 4632
        Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  PID: 4440
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  PID: 2744
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads