Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
56s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
01/03/2023, 18:32
Static task
static1
Behavioral task
behavioral1
Sample
47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe
Resource
win10-20230220-en
General
-
Target
47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe
-
Size
536KB
-
MD5
7ec08dd5bb61dad9fa771621819723dd
-
SHA1
5293756b76118ae01766b7698ee5286994aba4a9
-
SHA256
47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201
-
SHA512
4c27de974a32fef4b802c33c9e1ac2dd59284f0a5423a28753435bdc7c83688c0fc4a96035b68d6e5888dfb59d1fd6d39a32f85ea079bd2432e8fdc300a57576
-
SSDEEP
6144:Kky+bnr+Vp0yN90QE7T3u3s63H6Fpc2xL6JMpHfvM6/+TFLqbZ490t4CbTbsexiW:YMrty90x3Es63aFnxL6JSnpUv9ArDiW
Malware Config
Extracted
redline
rouch
193.56.146.11:4162
-
auth_value
1b1735bcfc122c708eae27ca352568de
Extracted
redline
fuba
193.56.146.11:4162
-
auth_value
43015841fc23c63b15ca6ffe1d278d5e
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sw69AM03rq97.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sw69AM03rq97.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sw69AM03rq97.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sw69AM03rq97.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sw69AM03rq97.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/2904-139-0x0000000002600000-0x0000000002646000-memory.dmp family_redline behavioral1/memory/2904-141-0x0000000004AF0000-0x0000000004B34000-memory.dmp family_redline behavioral1/memory/2904-145-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-146-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-148-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-150-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-152-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-154-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-156-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-158-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-160-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-162-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-164-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-166-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-168-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-172-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-174-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-170-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-176-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-178-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-180-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-182-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-184-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-186-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-188-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-190-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-192-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-194-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-196-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-198-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-200-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-202-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-204-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-206-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline behavioral1/memory/2904-208-0x0000000004AF0000-0x0000000004B2E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2304 vha1875fe.exe 2800 sw69AM03rq97.exe 2904 tED63ln55.exe 2680 uoC84EX52.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sw69AM03rq97.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vha1875fe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vha1875fe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2800 sw69AM03rq97.exe 2800 sw69AM03rq97.exe 2904 tED63ln55.exe 2904 tED63ln55.exe 2680 uoC84EX52.exe 2680 uoC84EX52.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2800 sw69AM03rq97.exe Token: SeDebugPrivilege 2904 tED63ln55.exe Token: SeDebugPrivilege 2680 uoC84EX52.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2304 2076 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe 66 PID 2076 wrote to memory of 2304 2076 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe 66 PID 2076 wrote to memory of 2304 2076 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe 66 PID 2304 wrote to memory of 2800 2304 vha1875fe.exe 67 PID 2304 wrote to memory of 2800 2304 vha1875fe.exe 67 PID 2304 wrote to memory of 2904 2304 vha1875fe.exe 68 PID 2304 wrote to memory of 2904 2304 vha1875fe.exe 68 PID 2304 wrote to memory of 2904 2304 vha1875fe.exe 68 PID 2076 wrote to memory of 2680 2076 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe 70 PID 2076 wrote to memory of 2680 2076 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe 70 PID 2076 wrote to memory of 2680 2076 47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe"C:\Users\Admin\AppData\Local\Temp\47cf19e1f751ee38c29817ce3cfa9fd82b55655523c6f8d52f4dcd0ad49e8201.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vha1875fe.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vha1875fe.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw69AM03rq97.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw69AM03rq97.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tED63ln55.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tED63ln55.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uoC84EX52.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uoC84EX52.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5c4760b827ba0ad313377c689aa1ef228
SHA13625b89419c654b3b0b9ca6788939608f8aabcbb
SHA2562949f4862ddff0bbfd430406c31d722a01e6e3e5d11101b7fd442a8577b5396b
SHA512a9963fa8d95a7db95d774f7b82e1df040a19f14eb1d8b6813aef0a7feec46db22e2171a421b5c8c749eb13cfb7c9d9ad3bfea9df07f15b352de88bdca8e9506f
-
Filesize
175KB
MD5c4760b827ba0ad313377c689aa1ef228
SHA13625b89419c654b3b0b9ca6788939608f8aabcbb
SHA2562949f4862ddff0bbfd430406c31d722a01e6e3e5d11101b7fd442a8577b5396b
SHA512a9963fa8d95a7db95d774f7b82e1df040a19f14eb1d8b6813aef0a7feec46db22e2171a421b5c8c749eb13cfb7c9d9ad3bfea9df07f15b352de88bdca8e9506f
-
Filesize
391KB
MD543d8f46d18629e9527de811d06779641
SHA11a3f860f0e63e3a431ef44c7a3a35a57ca1b4727
SHA25676fb56ada32e1484209b63d2ebac680bfc0a58e50ff30383a76f32f8b330147b
SHA51249a4af92f64de719be26ff5f550890231af35371623f4c5013452f32b42b1482bf03ec50b70ee1e3a222f156d51b37ad1a16a9f4b8eaef1bdfd9dec9ce6238f5
-
Filesize
391KB
MD543d8f46d18629e9527de811d06779641
SHA11a3f860f0e63e3a431ef44c7a3a35a57ca1b4727
SHA25676fb56ada32e1484209b63d2ebac680bfc0a58e50ff30383a76f32f8b330147b
SHA51249a4af92f64de719be26ff5f550890231af35371623f4c5013452f32b42b1482bf03ec50b70ee1e3a222f156d51b37ad1a16a9f4b8eaef1bdfd9dec9ce6238f5
-
Filesize
11KB
MD517cbd7ac1c4ffac1332523a9d582eda5
SHA119fcd0434ea9ae8ca20df2e2ab861a1918b7cebb
SHA25618bd5bfb4b8ffe42ab14862e89062b723b163d8d4b46511875251a8cbe5bee6b
SHA512369bf2393fc0ab7944da3d300706462b9aa008664e33fd7500d153d28d386e0ee9c8fcdaef986a8ef921c317dae362c7cb9ab2822e35f0ae222fa34daab51fb5
-
Filesize
11KB
MD517cbd7ac1c4ffac1332523a9d582eda5
SHA119fcd0434ea9ae8ca20df2e2ab861a1918b7cebb
SHA25618bd5bfb4b8ffe42ab14862e89062b723b163d8d4b46511875251a8cbe5bee6b
SHA512369bf2393fc0ab7944da3d300706462b9aa008664e33fd7500d153d28d386e0ee9c8fcdaef986a8ef921c317dae362c7cb9ab2822e35f0ae222fa34daab51fb5
-
Filesize
304KB
MD59c3e7c5879f2758bb2add2fbf488ed16
SHA1c5a2662767f97a4860f33a9fe6cace435a3c1b02
SHA2567ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf
SHA5120808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a
-
Filesize
304KB
MD59c3e7c5879f2758bb2add2fbf488ed16
SHA1c5a2662767f97a4860f33a9fe6cace435a3c1b02
SHA2567ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf
SHA5120808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a