Analysis
- max time kernel: 138s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2024, 05:40
Static task
- static1
Behavioral task
- behavioral1: sample y5573007.exe, resource win7-20231215-en
Behavioral task
- behavioral2: sample y5573007.exe, resource win10v2004-20231215-en
General
- Target: y5573007.exe
- Size: 1.3MB
- MD5: 1dab5b16c54630ab6301e4862f8df0e0
- SHA1: 56cbaa192dcdf768cf27651a6772f6aee68091e6
- SHA256: 1877311823db6ba59449f0d4198c863b355270a0b939c3e2e3187007cfd1a78d
- SHA512: 42f85dc712579577ff04c7bc54cf5c384058610e71bc89e6c282302c11be6d8ef8c004bf47c715f7e2999bd953e554f44abe74f2142fd97dccb9e4f2b458feea
- SSDEEP: 24576:hyrM8ZC5Uq8G7ZaKyEpCAnszT82vCYF2oG1y2xeEVeTsWfLwzCY:UeUq8GFaKyEpPszT842FRxeEo
Malware Config
Extracted
- Family: amadey
- Version: 3.87
- C2: http://77.91.68.18
- install_dir: b40d11255d
- install_file: saves.exe
- strings_key: fa622dfc42544927a6471829ee1fa9fe
- url_paths: /nice/index.php
Extracted
- Family: redline
- Botnet: jang
- C2: 77.91.124.82:19071
- auth_value: 662102010afcbe9e22b13116b1c1a088
Signatures
- Detect Mystic stealer payload (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0006000000015687-44.dat | mystic_family
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000014719-50.dat | family_redline
  behavioral1/memory/1696-51-0x00000000009F0000-0x0000000000A20000-memory.dmp | family_redline
  behavioral1/files/0x0007000000014719-49.dat | family_redline
- Executes dropped EXE (8 IoCs)
  pid | Process
  1700 | y0320571.exe
  2100 | y3397747.exe
  1164 | l9706125.exe
  2816 | saves.exe
  2864 | m4012392.exe
  1696 | n0933183.exe
  632 | saves.exe
  1080 | saves.exe
- Loads dropped DLL (12 IoCs)
  pid | Process
  2212 | y5573007.exe
  1700 | y0320571.exe
  1700 | y0320571.exe
  2100 | y3397747.exe
  2100 | y3397747.exe
  1164 | l9706125.exe
  1164 | l9706125.exe
  2816 | saves.exe
  2100 | y3397747.exe
  2864 | m4012392.exe
  1700 | y0320571.exe
  1696 | n0933183.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | y5573007.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y0320571.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y3397747.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2704 | schtasks.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in the last column)
  description | pid | Process | procid_target | rows
  PID 2212 wrote to memory of 1700 | 2212 | y5573007.exe | 28 | 7
  PID 1700 wrote to memory of 2100 | 1700 | y0320571.exe | 43 | 7
  PID 2100 wrote to memory of 1164 | 2100 | y3397747.exe | 42 | 7
  PID 1164 wrote to memory of 2816 | 1164 | l9706125.exe | 29 | 7
  PID 2100 wrote to memory of 2864 | 2100 | y3397747.exe | 41 | 7
  PID 1700 wrote to memory of 1696 | 1700 | y0320571.exe | 40 | 7
  PID 2816 wrote to memory of 2704 | 2816 | saves.exe | 39 | 7
  PID 2816 wrote to memory of 2684 | 2816 | saves.exe | 38 | 7
  PID 2684 wrote to memory of 2808 | 2684 | cmd.exe | 31 | 7
  PID 2684 wrote to memory of 2584 | 2684 | cmd.exe | 36 | 1
Processes
(depth as reported by the sandbox; "command line" is the launch string recorded for the process)
- [1] C:\Users\Admin\AppData\Local\Temp\y5573007.exe (PID 2212)
  command line: "C:\Users\Admin\AppData\Local\Temp\y5573007.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0320571.exe (PID 1700)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0320571.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0933183.exe (PID 1696)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n0933183.exe
      - Executes dropped EXE
      - Loads dropped DLL
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3397747.exe (PID 2100)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3397747.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
- [1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 2816)
  command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2684)
    command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe (PID 2704)
    command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
    - Creates scheduled task(s)
- [1] C:\Windows\SysWOW64\cmd.exe (PID 2808)
  command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
- [1] C:\Windows\SysWOW64\cacls.exe (PID 3020)
  command line: CACLS "..\b40d11255d" /P "Admin:R" /E
- [1] C:\Windows\SysWOW64\cacls.exe (PID 2708)
  command line: CACLS "..\b40d11255d" /P "Admin:N"
- [1] C:\Windows\SysWOW64\cmd.exe (PID 2660)
  command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
- [1] C:\Windows\SysWOW64\cacls.exe (PID 2616)
  command line: CACLS "saves.exe" /P "Admin:R" /E
- [1] C:\Windows\SysWOW64\cacls.exe (PID 2584)
  command line: CACLS "saves.exe" /P "Admin:N"
- [1] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4012392.exe (PID 2864)
  command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4012392.exe
  - Executes dropped EXE
  - Loads dropped DLL
- [1] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9706125.exe (PID 1164)
  command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9706125.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\taskeng.exe (PID 2216)
  command line: taskeng.exe {F668EA5E-B599-42E1-8270-5B285737C21E} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
  - [2] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 632)
    command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 1080)
    command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads