Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-1703_x64
- resource: win10-20231025-en
- resource tags: arch:x64, arch:x86, image:win10-20231025-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22/11/2023, 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe
- Resource: win10-20231025-en
General
- Target: f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe
- Size: 2.7MB
- MD5: 0e9cf505555628b007eb877954c73442
- SHA1: a4212455a57c3963a155d1cddf98f7e0655a9c25
- SHA256: f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c
- SHA512: 47c79ed56d0fdc88160c6f32f5a08e4b70f1e6acffcb3f80227178e7649975acb6e6382f85adc26dc1576e63f859452d8b496f6c93029cb932b97739a9af60a4
- SSDEEP: 49152:MHviI/Wdy6mrV+zgLsxmj5Mz/ZZ0L48fBeExueK+6Zgi1lhS60iwF3CbgF/v/+qL:+qWWFzgwmj5g/ZZE4GBeEnKDZfGH3CbM
Malware Config
- Extracted: redline
  horda
  194.49.94.152:19053
- Extracted: risepro
  194.49.94.152
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral1/memory/2920-28-0x0000000000400000-0x000000000043C000-memory.dmp
  yara_rule: family_redline
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
  Process: 3OK22hC.exe
- Executes dropped EXE (5 IoCs)
  pid   Process
  1088  ij7ck89.exe
  2956  mQ6HA40.exe
  3620  hF5Pe27.exe
  4880  2Ua2943.exe
  3756  3OK22hC.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: ij7ck89.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: mQ6HA40.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Process: hF5Pe27.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"
  Process: 3OK22hC.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 4880 set thread context of 2920
  pid: 4880
  Process: 2Ua2943.exe
  procid_target: 75
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  5036  schtasks.exe
  2292  schtasks.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2776 wrote to memory of 1088     2776  f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe  70
  PID 2776 wrote to memory of 1088     2776  f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe  70
  PID 2776 wrote to memory of 1088     2776  f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe  70
  PID 1088 wrote to memory of 2956     1088  ij7ck89.exe                                                               71
  PID 1088 wrote to memory of 2956     1088  ij7ck89.exe                                                               71
  PID 1088 wrote to memory of 2956     1088  ij7ck89.exe                                                               71
  PID 2956 wrote to memory of 3620     2956  mQ6HA40.exe                                                               72
  PID 2956 wrote to memory of 3620     2956  mQ6HA40.exe                                                               72
  PID 2956 wrote to memory of 3620     2956  mQ6HA40.exe                                                               72
  PID 3620 wrote to memory of 4880     3620  hF5Pe27.exe                                                               73
  PID 3620 wrote to memory of 4880     3620  hF5Pe27.exe                                                               73
  PID 3620 wrote to memory of 4880     3620  hF5Pe27.exe                                                               73
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 4880 wrote to memory of 2920     4880  2Ua2943.exe                                                               75
  PID 3620 wrote to memory of 3756     3620  hF5Pe27.exe                                                               76
  PID 3620 wrote to memory of 3756     3620  hF5Pe27.exe                                                               76
  PID 3620 wrote to memory of 3756     3620  hF5Pe27.exe                                                               76
  PID 3756 wrote to memory of 2292     3756  3OK22hC.exe                                                               77
  PID 3756 wrote to memory of 2292     3756  3OK22hC.exe                                                               77
  PID 3756 wrote to memory of 2292     3756  3OK22hC.exe                                                               77
  PID 3756 wrote to memory of 5036     3756  3OK22hC.exe                                                               79
  PID 3756 wrote to memory of 5036     3756  3OK22hC.exe                                                               79
  PID 3756 wrote to memory of 5036     3756  3OK22hC.exe                                                               79
Processes
- C:\Users\Admin\AppData\Local\Temp\f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe (PID 2776, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f58ca952e61a91f7e3a727069aa54eed5cb81eeedd260de394990d5d9e1ebc0c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7ck89.exe (PID 1088, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7ck89.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mQ6HA40.exe (PID 2956, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mQ6HA40.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hF5Pe27.exe (PID 3620, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hF5Pe27.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ua2943.exe (PID 4880, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ua2943.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2920, depth 6)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK22hC.exe (PID 3756, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK22hC.exe
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\schtasks.exe (PID 2292, depth 6)
            command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
            - Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe (PID 5036, depth 6)
            command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
            - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads