Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 17:34
Static task
static1
Behavioral task
behavioral1
Sample
2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe
Resource
win10v2004-20240802-en
General
-
Target
2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe
-
Size
1.8MB
-
MD5
91a0d71b8aa56eddc7557dee31b7792f
-
SHA1
7a9f89e76fe95d5d489ba74311521dbae2ccc610
-
SHA256
2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03
-
SHA512
8d809f16f1de54f573ae6e747c2a7b80a40a6dd39135f66511b2869ada2c8ec2fbede0732242b5ab7912ffb9a07a0c55b824e565c0b5673d9d33e740eb07d2b7
-
SSDEEP
24576:5N1TUHB62u86R25Fm/DxBnGlL/Rr0GiivVfTCQhzLt5f1M4iRFu63Jrlliq:1UHBx6Rom/a/1/JTCGjfHCHJrl
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/3012-55-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/3012-54-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/3012-53-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/3012-50-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/3012-48-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Executes dropped EXE 2 IoCs
pid Process 2940 axplong.exe 1140 gold.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe -
Loads dropped DLL 2 IoCs
pid Process 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 2940 axplong.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 2940 axplong.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1140 set thread context of 3012 1140 gold.exe 33 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 2940 axplong.exe 3012 RegAsm.exe 3012 RegAsm.exe 3012 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3012 RegAsm.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2840 wrote to memory of 2940 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 29 PID 2840 wrote to memory of 2940 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 29 PID 2840 wrote to memory of 2940 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 29 PID 2840 wrote to memory of 2940 2840 2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe 29 PID 2940 wrote to memory of 1140 2940 axplong.exe 31 PID 2940 wrote to memory of 1140 2940 axplong.exe 31 PID 2940 wrote to memory of 1140 2940 axplong.exe 31 PID 2940 wrote to memory of 1140 2940 axplong.exe 31 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33 PID 1140 wrote to memory of 3012 1140 gold.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe"C:\Users\Admin\AppData\Local\Temp\2c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
313KB
MD52d647cf43622ed10b6d733bb5f048fc3
SHA16b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA25641426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA51262400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
1.8MB
MD591a0d71b8aa56eddc7557dee31b7792f
SHA17a9f89e76fe95d5d489ba74311521dbae2ccc610
SHA2562c6e6b28c48ca943e69e288acad2743d0b4bd66db328cfce63380598829d6e03
SHA5128d809f16f1de54f573ae6e747c2a7b80a40a6dd39135f66511b2869ada2c8ec2fbede0732242b5ab7912ffb9a07a0c55b824e565c0b5673d9d33e740eb07d2b7