Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
300b85ef681...3c.exe
windows7-x64
300b85ef681...3c.exe
windows10-2004-x64
1002fa9e870a...3b.exe
windows10-2004-x64
1021feb39957...32.exe
windows10-2004-x64
1022f65486ce...8c.exe
windows10-2004-x64
10230ec3f2c3...5e.exe
windows10-2004-x64
102ea5e26c15...e7.exe
windows10-2004-x64
103352e66593...91.exe
windows10-2004-x64
93a8a7d42c4...54.exe
windows10-2004-x64
1055872fee0d...a2.exe
windows7-x64
355872fee0d...a2.exe
windows10-2004-x64
105c4e8c59ce...96.exe
windows10-2004-x64
109eded57acf...94.exe
windows10-2004-x64
10ab1944db7d...fc.exe
windows10-2004-x64
10ac6f6a7901...6b.exe
windows10-2004-x64
10afa70bcf38...3a.exe
windows10-2004-x64
10c4490bf883...30.exe
windows10-2004-x64
10c648954590...a2.exe
windows10-2004-x64
10d5755dadc9...b2.exe
windows10-2004-x64
10f066a86310...dd.exe
windows7-x64
10f066a86310...dd.exe
windows10-2004-x64
10fa130ffbae...7e.exe
windows10-2004-x64
10ffca01eab5...09.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 11:12
Static task
static1
Behavioral task
behavioral1
Sample
00b85ef681a2709f477253e1b189f4cbad5160e677d7c1640519def540c2fb3c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
00b85ef681a2709f477253e1b189f4cbad5160e677d7c1640519def540c2fb3c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
02fa9e870a9e9a0cc531855a78099113495ff912e04f39b601de63c2b4853d3b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
230ec3f2c3ef81a9a14c2fc686c0aa21d93d3cca8dca04a8ecb90dd3c54c0f5e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3352e66593f9d652c7f760070d266d43ca2ba74eca75114c78a92c09c1a1c391.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
3a8a7d42c4509a4814d5eb963c05afb11363688b72aa7535816ae86e20bcf654.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
55872fee0d31d2f9381e3b62d592835be2ee776ce2c69397061fc06d6efa5ea2.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
55872fee0d31d2f9381e3b62d592835be2ee776ce2c69397061fc06d6efa5ea2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
5c4e8c59ce4b4f21acc7d26ba988d8f069d256569e9565b33d865a9859a5ba96.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
9eded57acff39eca8ffe9167fa52ac5a352e13a9ce3d0f0696a5a69bf589b794.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
ac6f6a79014cf8f7e7574684eefac7be8456184590031637c4329470e2c2d66b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
c4490bf8834c5c3594355b47c30aba72c7684a25e0614f1a74add9993af97f30.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
d5755dadc9af9cde67934873a4cde67dc43f1cec089cfbeef71140b67d9912b2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f066a86310e9df931f9ad80a096c41561564e2e05f5b6865c8531b7abf16e0dd.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
f066a86310e9df931f9ad80a096c41561564e2e05f5b6865c8531b7abf16e0dd.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral22
Sample
fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
ffca01eab57ad303c53af864d96d53e1fe5339d089ece9c9288d685395588b09.exe
Resource
win10v2004-20240508-en
General
-
Target
2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe
-
Size
514KB
-
MD5
90f4e7656cd4f2ff21d306e9a2127aa8
-
SHA1
d7c5ac2b853e2ffb6281a91e1d48a652fdb4ab4b
-
SHA256
2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7
-
SHA512
cc4a87aab9ee3c6290dd6eefd14e2297f24f9738cad755bb462d402ab408fdbd27d196e5a44475e3a4296c0f959305d645187297fa12f76464f652d040651e15
-
SSDEEP
12288:kMrvy90pmeitVqabcxZthOFvD2ZT58iro7:7yAitsKcxZtsvCLE
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral7/files/0x0008000000023430-20.dat healer behavioral7/memory/1776-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a4426601.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4426601.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4426601.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4426601.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4426601.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4426601.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral7/memory/1512-45-0x0000000000190000-0x00000000001C0000-memory.dmp family_redline behavioral7/files/0x000700000002342b-44.dat family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation pdates.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation b8095379.exe -
Executes dropped EXE 9 IoCs
pid Process 3796 v7811642.exe 2128 v1955735.exe 1776 a4426601.exe 4980 b8095379.exe 4476 pdates.exe 2600 c5089515.exe 1512 d2061509.exe 3260 pdates.exe 3704 pdates.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4426601.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v7811642.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v1955735.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5089515.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5089515.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5089515.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4760 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1776 a4426601.exe 1776 a4426601.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1776 a4426601.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 4460 wrote to memory of 3796 4460 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe 84 PID 4460 wrote to memory of 3796 4460 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe 84 PID 4460 wrote to memory of 3796 4460 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe 84 PID 3796 wrote to memory of 2128 3796 v7811642.exe 85 PID 3796 wrote to memory of 2128 3796 v7811642.exe 85 PID 3796 wrote to memory of 2128 3796 v7811642.exe 85 PID 2128 wrote to memory of 1776 2128 v1955735.exe 86 PID 2128 wrote to memory of 1776 2128 v1955735.exe 86 PID 2128 wrote to memory of 4980 2128 v1955735.exe 95 PID 2128 wrote to memory of 4980 2128 v1955735.exe 95 PID 2128 wrote to memory of 4980 2128 v1955735.exe 95 PID 4980 wrote to memory of 4476 4980 b8095379.exe 97 PID 4980 wrote to memory of 4476 4980 b8095379.exe 97 PID 4980 wrote to memory of 4476 4980 b8095379.exe 97 PID 3796 wrote to memory of 2600 3796 v7811642.exe 98 PID 3796 wrote to memory of 2600 3796 v7811642.exe 98 PID 3796 wrote to memory of 2600 3796 v7811642.exe 98 PID 4460 wrote to memory of 1512 4460 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe 99 PID 4460 wrote to memory of 1512 4460 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe 99 PID 4460 wrote to memory of 1512 4460 2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe 99 PID 4476 wrote to memory of 4760 4476 pdates.exe 100 PID 4476 wrote to memory of 4760 4476 pdates.exe 100 PID 4476 wrote to memory of 4760 4476 pdates.exe 100 PID 4476 wrote to memory of 4076 4476 pdates.exe 102 PID 4476 wrote to memory of 4076 4476 pdates.exe 102 PID 4476 wrote to memory of 4076 4476 pdates.exe 102 PID 4076 wrote to memory of 3708 4076 cmd.exe 104 PID 4076 wrote to memory of 3708 4076 cmd.exe 104 PID 4076 wrote to memory of 3708 4076 cmd.exe 104 PID 4076 wrote to memory of 3328 4076 cmd.exe 105 PID 4076 wrote to memory of 3328 4076 cmd.exe 105 PID 4076 wrote to memory of 3328 4076 cmd.exe 105 PID 4076 wrote to memory of 2296 4076 cmd.exe 106 PID 4076 wrote to memory of 2296 4076 cmd.exe 106 PID 4076 wrote to memory of 2296 4076 cmd.exe 106 PID 4076 wrote to memory of 640 4076 cmd.exe 107 PID 4076 wrote to memory of 640 4076 cmd.exe 107 PID 4076 wrote to memory of 640 4076 cmd.exe 107 PID 4076 wrote to memory of 728 4076 cmd.exe 108 PID 4076 wrote to memory of 728 4076 cmd.exe 108 PID 4076 wrote to memory of 728 4076 cmd.exe 108 PID 4076 wrote to memory of 2352 4076 cmd.exe 109 PID 4076 wrote to memory of 2352 4076 cmd.exe 109 PID 4076 wrote to memory of 2352 4076 cmd.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe"C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
PID:4760
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3708
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵PID:3328
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵PID:2296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:640
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵PID:728
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵PID:2352
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2600
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe2⤵
- Executes dropped EXE
PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:3260
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:3704
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD5f3d4c9732520988f37640af8592b4d4f
SHA1439c8330fafbb18ca5bfb910ba6072b0d6c344ea
SHA2565308702f0f353193c42c209eb946a64d65aafb3b8543cfed37ef8b79a9477c11
SHA51267d76224af187bbe39a9c7a3b6cea6becc77d887cc3ac89513d006f8331ce60506d783b2034a8a2083bda1767ea1fa9dbcc9a52a7f1fc554065ca2f1927bd2d9
-
Filesize
359KB
MD51b5c60006cf65f19efde04faf393ff26
SHA179b21b5c269f61e83bded7046cac7a74c8d03a26
SHA2565d444bb020b097b1a1601470bff8ed4f721ca9833ed2645d13e7bb941f933c92
SHA512761a77a6ff1f8eda021d9827eb1a7af15d51ff792f1d34af0d965701e1eb756e148ace1f294cc753d1cc8469c0350b942cae76fccde6c206f5e574b22dd6662d
-
Filesize
35KB
MD54d10444994d8bcb46db1b0169d70408c
SHA1cb75bd6e3f9a211e3f6f0edd621c4d19f3cbb932
SHA256f3f96017154ef1ac7b8a8e402b1f4ec838b4cbf90b17d91fbd41c9d80fe93b73
SHA512ff14d0549a3f9aae43c2535970fcb73c7287603eaed8f6ef02865d1137e6d0a83349eb19d088c162ed140e01689b62beba29a3b0081a15d6d538f5bc4836692f
-
Filesize
234KB
MD5fc78db6faef23ec53cf6d28a8d2413e5
SHA1909012f46132d8e495fbb87aa929a34896e0abff
SHA256f64c365cf9ebf6b3d3c2c5fa5d606e6108cb7cbdca2d3c5a584265cdfe86af19
SHA51294da1949fb511f63aecb67cd890c6da681df8d7e8cf363547ae789c092209cb1c6f93b3f2880beca3d76b8b9ce4da397c0fd8edf1476ea4b163cfd3915e7b560
-
Filesize
11KB
MD54a52f5ac63c258eb43a31d19c1ef0f10
SHA1e234ac66b801fe1be51c144206a811809b2b53ef
SHA25645c201511196955b077ff6d298ab9d6f10cc394dfa6f91a746d10246db41ab00
SHA51215c2c18b9b19fdbd6744b81687f92263114a363b1cc32af2483676ab465c4a9f4eac35553212f331808744c7abb159b25b521556ec5a5b766b468f93d6fbcbc7
-
Filesize
223KB
MD56ea3f44322a07b398f06762b5a7e09a1
SHA1af77a595623910bf513a34e8308ea69efb9a2a91
SHA2562ad18f623171a8873c4d292125e8b1d2421172d6ba472d49f1d2988872b87266
SHA512a4edbb71f501caa94c48c7a1c0e0766eb693e138e47aad8b59a695f313cb5322dda91d95225a1034db386c186103dbfe28f3a27e9c3d40c86a2721f33a04121a