Analysis
max time kernel: 69s
max time network: 71s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/02/2023, 23:30
Static task: static1
Behavioral task: behavioral1
Sample: adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe
Resource: win10-20220812-en
General
Target: adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe
Size: 820KB
MD5: 18a7315c002bdf9991776f504ae7f5ce
SHA1: 7384fc125b9045b2503002ce7fad75972f927fb1
SHA256: adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318
SHA512: 37d3f0927483653f17c4f2aa1b7cd04e69643d148cee02fa3d4d01c0bc6d70f98569348ebee1f58113631f76c0f129d15819b8de0b4061c5f86c19d54096b98a
SSDEEP: 12288:uMrFy901P+jjqdBGaccfFC7jP0Y3sOUYSwbxNH+DWX/MHIi9CzCtw6vuOUkx4:PymGjIBoks7b3sOtSaBNXi9SN6WOlx4
Malware Config
Extracted
Family: redline
Botnet: dubka
C2: 193.233.20.13:4136
auth_value: e5a9421183a033f283b2f23139b471f0

Extracted
Family: redline
Botnet: ruma
C2: 193.233.20.13:4136
auth_value: 647d00dfaba082a4a30f383bca5d1a2a
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | rNZ2994.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | rNZ2994.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | rNZ2994.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | srX6005.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | srX6005.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | srX6005.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | rNZ2994.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | rNZ2994.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | srX6005.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | srX6005.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource | yara_rule
behavioral1/memory/600-488-0x0000000002250000-0x0000000002296000-memory.dmp | family_redline
behavioral1/memory/600-496-0x0000000004B50000-0x0000000004B94000-memory.dmp | family_redline

Executes dropped EXE 6 IoCs
pid | Process
4892 | vdn8225.exe
2036 | vyN3022.exe
4256 | rNZ2994.exe
4532 | srX6005.exe
3096 | tHd87Ll.exe
600 | uVq15AL.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | rNZ2994.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | srX6005.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | srX6005.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vdn8225.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vyN3022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vyN3022.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vdn8225.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4256 | rNZ2994.exe
4256 | rNZ2994.exe
4532 | srX6005.exe
4532 | srX6005.exe
3096 | tHd87Ll.exe
3096 | tHd87Ll.exe
600 | uVq15AL.exe
600 | uVq15AL.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4256 | rNZ2994.exe
Token: SeDebugPrivilege | 4532 | srX6005.exe
Token: SeDebugPrivilege | 3096 | tHd87Ll.exe
Token: SeDebugPrivilege | 600 | uVq15AL.exe

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2500 wrote to memory of 4892 | 2500 | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe | 67
PID 2500 wrote to memory of 4892 | 2500 | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe | 67
PID 2500 wrote to memory of 4892 | 2500 | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe | 67
PID 4892 wrote to memory of 2036 | 4892 | vdn8225.exe | 66
PID 4892 wrote to memory of 2036 | 4892 | vdn8225.exe | 66
PID 4892 wrote to memory of 2036 | 4892 | vdn8225.exe | 66
PID 2036 wrote to memory of 4256 | 2036 | vyN3022.exe | 68
PID 2036 wrote to memory of 4256 | 2036 | vyN3022.exe | 68
PID 2036 wrote to memory of 4532 | 2036 | vyN3022.exe | 69
PID 2036 wrote to memory of 4532 | 2036 | vyN3022.exe | 69
PID 2036 wrote to memory of 4532 | 2036 | vyN3022.exe | 69
PID 4892 wrote to memory of 3096 | 4892 | vdn8225.exe | 70
PID 4892 wrote to memory of 3096 | 4892 | vdn8225.exe | 70
PID 4892 wrote to memory of 3096 | 4892 | vdn8225.exe | 70
PID 2500 wrote to memory of 600 | 2500 | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe | 72
PID 2500 wrote to memory of 600 | 2500 | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe | 72
PID 2500 wrote to memory of 600 | 2500 | adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe | 72
Processes

C:\Users\Admin\AppData\Local\Temp\adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\adbb3af0d2fe8f2e90e06178428ea701a81cce37586d09706fca276c408b0318.exe"
  PID: 2500
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vdn8225.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vdn8225.exe
    PID: 4892
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tHd87Ll.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tHd87Ll.exe
      PID: 3096
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uVq15AL.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uVq15AL.exe
    PID: 600
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vyN3022.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vyN3022.exe
  PID: 2036
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rNZ2994.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rNZ2994.exe
    PID: 4256
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\srX6005.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\srX6005.exe
    PID: 4532
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 315KB
MD5: f294797a611f6dee63a6fcad56fa3e5a
SHA1: b526f47e46b96c55059660891d1260ee0b51d5e7
SHA256: ee8c1327dd23846c9c6fdd9eb6930e7bc91b18c31a9291c01fa0e2a6dc462ff2
SHA512: 15ca26c8bb2affac72d413973d5639ac045c73b1b49c5728a611b5d7624e8d19b0c2b42f24fddd23168da2c60b1b6452dc3454e9799c8c8c284a2ec05343e828

Filesize: 483KB
MD5: 820a348eb95a899fb0f7e69e5c1891c4
SHA1: 022b94013e968212446e2bc7b79c33c90d22fdd1
SHA256: 05abfdb3c39a7beaf519d8f395fc073d393e17ea18f4246ad1d6cace43c23e98
SHA512: 8059c6d31f405cc0e443740aa8449a48fdbcba544322267a410ecc904f6f0177cc286ad90c23f0823792285a4eb6ce2713f74225e630d6d549a82ab77bb91b7b

Filesize: 175KB
MD5: dd0c9e110c68ce1fa5308979ef718f7b
SHA1: 473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256: dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA512: 29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Filesize: 338KB
MD5: 1af1b57ce76b66546e2f074a659fea14
SHA1: 17a519ba427187d5411ba2e0bf2d70956c9ac620
SHA256: 4bdac0a1f3dffb5d0d10c95ed3c70c6bf451ea02038e0202019c58d07fb6d3ba
SHA512: cc9ad3185adef50b8cd121821ce51f366f1f77d8a5ce66581adc033464660ccf9cf4be027e30303b5f2b783caa899ef5cbf6c7c3d3dcfe532edb38aa75342631

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 258KB
MD5: 0d12b6dc52613d919d47608afa94853d
SHA1: 3aaba8ca69c4a3fb23d10af9db66173a47e7947f
SHA256: de98d4ae2215630ea271a86b9302ec4615d0a0b83c4a3c09322246159f3b70ab
SHA512: 35c5046816eba7c18fa1e7db03678c815cfa090ebe5a3f74171dc1ac21a3af247497ace59db4cfc07ea0b7e224ad4a516632b94ab59e19c4ec037c1d53880ee3