Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
72s -
max time network
74s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
16/02/2023, 03:51
Static task
static1
Behavioral task
behavioral1
Sample
fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe
Resource
win10-20220812-en
General
-
Target
fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe
-
Size
819KB
-
MD5
8b879e3bd60681d5c63356bb05c7afe3
-
SHA1
acc8ca556bc1577db4fd3ad1d0e98b085a4d79e3
-
SHA256
fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06
-
SHA512
74b9270baec1db5ee67b4f2fba0e7f78dc1cd7f96ca372ccda7f3ecf3dac2408a5d6c32e8979324c0c943d71184281c4bd45f5a3ccc9bedee7c3a360087c201d
-
SSDEEP
24576:+ygniA8tq+VzCTV5cfhuj5U+EuKbfbFzpjB:Ngn3Y1ChGfha5URDpp
Malware Config
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Extracted
redline
ruma
193.233.20.13:4136
-
auth_value
647d00dfaba082a4a30f383bca5d1a2a
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ruJ2588.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sdB1020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sdB1020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sdB1020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ruJ2588.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ruJ2588.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ruJ2588.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ruJ2588.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sdB1020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sdB1020.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/1184-492-0x0000000002550000-0x0000000002596000-memory.dmp family_redline behavioral1/memory/1184-497-0x0000000005090000-0x00000000050D4000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 4816 vOZ1773.exe 1228 vHm2261.exe 2760 ruJ2588.exe 4720 sdB1020.exe 4164 tgG54xM.exe 1184 ueK08sK.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" ruJ2588.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features sdB1020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" sdB1020.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vOZ1773.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vHm2261.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vHm2261.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vOZ1773.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2760 ruJ2588.exe 2760 ruJ2588.exe 4720 sdB1020.exe 4720 sdB1020.exe 4164 tgG54xM.exe 4164 tgG54xM.exe 1184 ueK08sK.exe 1184 ueK08sK.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2760 ruJ2588.exe Token: SeDebugPrivilege 4720 sdB1020.exe Token: SeDebugPrivilege 4164 tgG54xM.exe Token: SeDebugPrivilege 1184 ueK08sK.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2208 wrote to memory of 4816 2208 fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe 66 PID 2208 wrote to memory of 4816 2208 fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe 66 PID 2208 wrote to memory of 4816 2208 fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe 66 PID 4816 wrote to memory of 1228 4816 vOZ1773.exe 67 PID 4816 wrote to memory of 1228 4816 vOZ1773.exe 67 PID 4816 wrote to memory of 1228 4816 vOZ1773.exe 67 PID 1228 wrote to memory of 2760 1228 vHm2261.exe 68 PID 1228 wrote to memory of 2760 1228 vHm2261.exe 68 PID 1228 wrote to memory of 4720 1228 vHm2261.exe 69 PID 1228 wrote to memory of 4720 1228 vHm2261.exe 69 PID 1228 wrote to memory of 4720 1228 vHm2261.exe 69 PID 4816 wrote to memory of 4164 4816 vOZ1773.exe 70 PID 4816 wrote to memory of 4164 4816 vOZ1773.exe 70 PID 4816 wrote to memory of 4164 4816 vOZ1773.exe 70 PID 2208 wrote to memory of 1184 2208 fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe 72 PID 2208 wrote to memory of 1184 2208 fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe 72 PID 2208 wrote to memory of 1184 2208 fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe"C:\Users\Admin\AppData\Local\Temp\fb08319c14a5f5d71c3a080b982e5ddc015affc0c2a785a08e932a6eb75f5c06.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ1773.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ1773.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vHm2261.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vHm2261.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ruJ2588.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ruJ2588.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sdB1020.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sdB1020.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tgG54xM.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tgG54xM.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ueK08sK.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ueK08sK.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
313KB
MD5a5b4394cfdffd55f458ea030a1f959e4
SHA1421a4abb61209bfd6719f402a543c4631a37d16d
SHA256bacbb87f276d71b2b16893b27e9bfca628c425daece9ca998fc811ed8b20ca89
SHA512fc8cd56a0da80945ad291b52799e59dbb15dd3b63c6a0a4daddba1ae81212d5f9fb409b6c0268de416d2e832e7e53bd2f92fe4020e2596c46e530721f5522199
-
Filesize
313KB
MD5a5b4394cfdffd55f458ea030a1f959e4
SHA1421a4abb61209bfd6719f402a543c4631a37d16d
SHA256bacbb87f276d71b2b16893b27e9bfca628c425daece9ca998fc811ed8b20ca89
SHA512fc8cd56a0da80945ad291b52799e59dbb15dd3b63c6a0a4daddba1ae81212d5f9fb409b6c0268de416d2e832e7e53bd2f92fe4020e2596c46e530721f5522199
-
Filesize
483KB
MD51f8ce31e31d69c386fee7fd7c8333a07
SHA1f7169b8aa80c8e2fdc1125ca95172041c8053c11
SHA256732202860697fc698400f09dab775289d618c73f15e0b96bda869bde1a76d4b0
SHA512fe53620fabe4ef19ead78ff2018522966e2e71a1f2665af4de3a2b43c3706dc71d7ac3e9e8d2d480c6160cfc9746cafd09a28129365684648b099fee23a09c59
-
Filesize
483KB
MD51f8ce31e31d69c386fee7fd7c8333a07
SHA1f7169b8aa80c8e2fdc1125ca95172041c8053c11
SHA256732202860697fc698400f09dab775289d618c73f15e0b96bda869bde1a76d4b0
SHA512fe53620fabe4ef19ead78ff2018522966e2e71a1f2665af4de3a2b43c3706dc71d7ac3e9e8d2d480c6160cfc9746cafd09a28129365684648b099fee23a09c59
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
338KB
MD5c27a045ca7097607b52e5af9822a1748
SHA1b34ba220b352075a4fc077b016be5da08bcf658a
SHA2563aba1388665a333664898789a65fa71fdd540e82036f73b1ccf648926adc7855
SHA51273cf6fbb02dc22758e250b7009e44930efcfe5beaa6efdbffec36f52f04d7453ef8f7a826a4abd9afc41b780bb969276cb3b6d3dde5249039c5fff6ef4977a10
-
Filesize
338KB
MD5c27a045ca7097607b52e5af9822a1748
SHA1b34ba220b352075a4fc077b016be5da08bcf658a
SHA2563aba1388665a333664898789a65fa71fdd540e82036f73b1ccf648926adc7855
SHA51273cf6fbb02dc22758e250b7009e44930efcfe5beaa6efdbffec36f52f04d7453ef8f7a826a4abd9afc41b780bb969276cb3b6d3dde5249039c5fff6ef4977a10
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
257KB
MD5813b1f4920c48d60a9252589ffaaf254
SHA1912df3fbb9b0c3c9fe7e29e98ccf06e293204380
SHA25665c7a6312fab0125e333198089d7ea106ef6a369181f1e7e8f8ae95c04c8e8f0
SHA512853845a43d06cd10802c41329b3e8d81d5c9104bd51f47fc56f5634eb2ff079616c5561d5789ba50033a679efdf825a311447abc31e4976f2cf9999efef516c9
-
Filesize
257KB
MD5813b1f4920c48d60a9252589ffaaf254
SHA1912df3fbb9b0c3c9fe7e29e98ccf06e293204380
SHA25665c7a6312fab0125e333198089d7ea106ef6a369181f1e7e8f8ae95c04c8e8f0
SHA512853845a43d06cd10802c41329b3e8d81d5c9104bd51f47fc56f5634eb2ff079616c5561d5789ba50033a679efdf825a311447abc31e4976f2cf9999efef516c9