Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
30fcedda988...81.exe
windows10-2004-x64
102432f37cfb...1d.exe
windows10-2004-x64
102b87c7a59a...5a.exe
windows10-2004-x64
102d0e9487b9...7c.exe
windows10-2004-x64
10305a49521a...a8.exe
windows10-2004-x64
1034eac23d05...83.exe
windows10-2004-x64
104288cf23e3...b7.exe
windows10-2004-x64
10566c1670c8...b3.exe
windows7-x64
3566c1670c8...b3.exe
windows10-2004-x64
105b49e20d68...4b.exe
windows10-2004-x64
106c3c673ed8...b1.exe
windows10-2004-x64
107ba1ecff94...00.exe
windows10-2004-x64
107fc78a2450...25.exe
windows10-2004-x64
1080c33721dd...df.exe
windows10-2004-x64
109c63b1ba60...a6.exe
windows10-2004-x64
10ad95249c96...29.exe
windows10-2004-x64
10b3b9cd87ed...59.exe
windows10-2004-x64
10c567fbb4ec...1d.exe
windows7-x64
3c567fbb4ec...1d.exe
windows10-2004-x64
10c69d581e2c...e2.exe
windows10-2004-x64
10e3c9a1721d...3b.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 17:47
Static task
static1
Behavioral task
behavioral1
Sample
0fcedda9880a4fde053b44d2ef2a6b90a87db74ea8ef6e1605822364dcd8a881.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
2432f37cfbe720ce2f627a725367676d71bb944d2306c1eab9bab6b0cab5e01d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
2b87c7a59a469adca1693ceecd7fb1ea4eb1bb095a55e316a96eafda54e2285a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
305a49521aa7fa93bdb6f6a01420fcd3800a565c32194a366c1d6a22f8f00da8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
34eac23d05376694cf25e5de3b6455451ef743f0f766b72fa3e5b94726010c83.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3.exe
Resource
win7-20240508-en
Behavioral task
behavioral9
Sample
566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral10
Sample
5b49e20d688471002a1cc866e323e32a0e0a2f1e92fd2f057979cd27a850f44b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
7ba1ecff945330ba39b0d1bc0a81272da1abf8acbbe727db52a09c23c16c0c00.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7fc78a2450a642c8ab25d22c58c9792408d566a5b9043d95b64f6b407d9d8225.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
80c33721dd8916cf61ad4cfe3a1f57bd083b1adf9fdad50707739a67ee1c9bdf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
9c63b1ba6018935ad5e5fbb92f79d2bbd6eeb9ee0520ed5cbe7b9e1213eb33a6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
ad95249c96bb70f2fde592c74bf9bfaa2f25de9282a90943574ce4e547731029.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
b3b9cd87ed117eff25ebae286512425b6d778c82802a6b097ac45b68e438e159.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
c567fbb4ecb66496889cc136a63ac18310c18ecd83880c4c83fb29e71c63d51d.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
c567fbb4ecb66496889cc136a63ac18310c18ecd83880c4c83fb29e71c63d51d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
e3c9a1721d8f0eecf6a7e81b32b9823a4952d636d4930a9cdfae0876cf293d3b.exe
Resource
win10v2004-20240508-en
General
-
Target
6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe
-
Size
389KB
-
MD5
54c918a054a58d3fe6838ce4c31344ae
-
SHA1
84132b9e7a9dfb09181d37588e2d69c9dfa7d8c7
-
SHA256
6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1
-
SHA512
2847ba4171fd4a050fce828595c3b066de2b69afff4f5d72877d36c24f14db541610d6260cd44c7530fc026792c1b5fae9f93b8b7dd18eaa870f9d86b14bf091
-
SSDEEP
6144:K0y+bnr+Xp0yN90QEcHiyKnpVK7KFibk30yxOF+2SlqcK+usm64j1pSSQAJM2Y:cMrPy90GSpk7KwbbyxwMqcRusmDZG
Malware Config
Extracted
amadey
3.86
http://5.42.92.67
-
install_dir
ebb444342c
-
install_file
legola.exe
-
strings_key
5680b049188ecacbfa57b1b29c2f35a7
-
url_paths
/norm/index.php
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral11/files/0x0008000000023447-12.dat healer behavioral11/memory/4056-14-0x0000000000190000-0x000000000019A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection p9459476.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" p9459476.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" p9459476.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" p9459476.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" p9459476.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" p9459476.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral11/files/0x0007000000023444-32.dat family_redline behavioral11/memory/2404-33-0x0000000000F80000-0x0000000000FB0000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation r3698261.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation legola.exe -
Executes dropped EXE 7 IoCs
pid Process 1168 z2215498.exe 4056 p9459476.exe 3400 r3698261.exe 3364 legola.exe 2404 t6863908.exe 1000 legola.exe 2740 legola.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p9459476.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z2215498.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1596 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3580 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4056 p9459476.exe 4056 p9459476.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4056 p9459476.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3400 r3698261.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 828 wrote to memory of 1168 828 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe 85 PID 828 wrote to memory of 1168 828 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe 85 PID 828 wrote to memory of 1168 828 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe 85 PID 1168 wrote to memory of 4056 1168 z2215498.exe 86 PID 1168 wrote to memory of 4056 1168 z2215498.exe 86 PID 1168 wrote to memory of 3400 1168 z2215498.exe 97 PID 1168 wrote to memory of 3400 1168 z2215498.exe 97 PID 1168 wrote to memory of 3400 1168 z2215498.exe 97 PID 3400 wrote to memory of 3364 3400 r3698261.exe 98 PID 3400 wrote to memory of 3364 3400 r3698261.exe 98 PID 3400 wrote to memory of 3364 3400 r3698261.exe 98 PID 828 wrote to memory of 2404 828 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe 99 PID 828 wrote to memory of 2404 828 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe 99 PID 828 wrote to memory of 2404 828 6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe 99 PID 3364 wrote to memory of 3580 3364 legola.exe 100 PID 3364 wrote to memory of 3580 3364 legola.exe 100 PID 3364 wrote to memory of 3580 3364 legola.exe 100 PID 3364 wrote to memory of 5012 3364 legola.exe 102 PID 3364 wrote to memory of 5012 3364 legola.exe 102 PID 3364 wrote to memory of 5012 3364 legola.exe 102 PID 5012 wrote to memory of 1428 5012 cmd.exe 104 PID 5012 wrote to memory of 1428 5012 cmd.exe 104 PID 5012 wrote to memory of 1428 5012 cmd.exe 104 PID 5012 wrote to memory of 4492 5012 cmd.exe 105 PID 5012 wrote to memory of 4492 5012 cmd.exe 105 PID 5012 wrote to memory of 4492 5012 cmd.exe 105 PID 5012 wrote to memory of 1420 5012 cmd.exe 106 PID 5012 wrote to memory of 1420 5012 cmd.exe 106 PID 5012 wrote to memory of 1420 5012 cmd.exe 106 PID 5012 wrote to memory of 2124 5012 cmd.exe 107 PID 5012 wrote to memory of 2124 5012 cmd.exe 107 PID 5012 wrote to memory of 2124 5012 cmd.exe 107 PID 5012 wrote to memory of 3384 5012 cmd.exe 108 PID 5012 wrote to memory of 3384 5012 cmd.exe 108 PID 5012 wrote to memory of 3384 5012 cmd.exe 108 PID 5012 wrote to memory of 3336 5012 cmd.exe 109 PID 5012 wrote to memory of 3336 5012 cmd.exe 109 PID 5012 wrote to memory of 3336 5012 cmd.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe"C:\Users\Admin\AppData\Local\Temp\6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F5⤵
- Creates scheduled task(s)
PID:3580
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:1428
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legola.exe" /P "Admin:N"6⤵PID:4492
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legola.exe" /P "Admin:R" /E6⤵PID:1420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:2124
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\ebb444342c" /P "Admin:N"6⤵PID:3384
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\ebb444342c" /P "Admin:R" /E6⤵PID:3336
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe2⤵
- Executes dropped EXE
PID:2404
-
-
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exeC:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe1⤵
- Executes dropped EXE
PID:1000
-
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exeC:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe1⤵
- Executes dropped EXE
PID:2740
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:1596
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD59c4c016fc3d3e33c3c40210d5662e5de
SHA1eac9ecdf3df4d559837dc771a27d13897cf43f5a
SHA256fa89aaf9d9d40f1eadb1b7be875c2404e2cb353b75d5cd2a773aff3174dbba60
SHA512c4b490fb0b482c5f3ce5d2ac25c18d1b489ea9b21b2418c580d641f7fdd1bacd8ff6a06594835199fae16dd9ec9e352920a3b6b0fcdfa8475dbeda573e195f3e
-
Filesize
234KB
MD5586d8efec84ddbcd7d95fb2e3003020b
SHA1a4703fec900fdb713ab3e10da5d06ca552bf41ec
SHA25675a0d266a2929f38d13b530c9127aa5429d9a26651a346e695d84f7ae97f5109
SHA512b52dfb27a176c061285be5709fe0127e498a7b1360d91bc02f36cd0784499e39c2f42766fd5f943d635e3d5a08aed81e6ee43770185fc969263fc0c38d0a03f3
-
Filesize
11KB
MD59047f06f90f6bcfc55824596c7d9f6ed
SHA1f1f3342a87a4435e82123523d1f82c65347ed2b4
SHA256357f195c3f5dd7b9c25b37254b8163d60a84266b4db5fa0316043316cdf9eefe
SHA5122dba7866b439eb6084979be042b0c7ab6ce93b783dceb9891a464dbdbff5ed34e69e6d10bb13c74af7919c6e73fad2b393e9c8564ffcbf8ab8ea2dd76c77cdd2
-
Filesize
223KB
MD54fe9e60866f4c6480ece922aff5fd498
SHA1c637eb736db34dce7786ddf20acd35a8954a635a
SHA256fdf2d3f0e61d8c9e7566f585f50f465bdc8318220247c55460a117d576c35275
SHA512efbb56a37935e87dea20813fadd6cf91ea0e1aea797d6f5e76fc83f64803cee5ba7b82a61858c40dfdc4ef0dae3844fd443c2e856f3a557b7d1e056bd262c08e