Analysis
-
max time kernel: 54s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 02/03/2023, 12:00
Static task
static1
Behavioral task
behavioral1
Sample
55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe
Resource
win10-20230220-en
General
-
Target: 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe
Size: 550KB
MD5: 1226ad47573b8620e3f7cb8fac95aa47
SHA1: eab7d0d269cd1e322eefc4f95ad7550b767fff9c
SHA256: 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4
SHA512: c5884b2f30a239db9dd36af133cacece12ac402c4cca65384a09301c412cd3632c52a090213eb5259999d465e0474410666b382bd6fc6f073cb960526e81db73
SSDEEP: 6144:KNy+bnr+Cp0yN90QE0G8DSDA3UYgf+LOIavir4Fo7EZkzC7pGvsrs6ipt8pm2to:XMrqy90KbMAkpZzo7GlwkYB2m25plE4
Malware Config
Extracted
redline
stek
melevv.eu:4162
auth_value: 4205381daf6946b2df5fe3bc7eacc918
Extracted
redline
fomich
melevv.eu:4162
auth_value: b018e52ac946001794d8b8c23e901859
Signatures
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw42QO29GP88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw42QO29GP88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw42QO29GP88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw42QO29GP88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw42QO29GP88.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Executes dropped EXE 4 IoCs
pid | Process
3728 | vJS7841hL.exe
4128 | sw42QO29GP88.exe
4504 | tPW45Te40.exe
1316 | uJh25Ee72.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive stored data.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw42QO29GP88.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vJS7841hL.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vJS7841hL.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4128 | sw42QO29GP88.exe
4128 | sw42QO29GP88.exe
4504 | tPW45Te40.exe
4504 | tPW45Te40.exe
1316 | uJh25Ee72.exe
1316 | uJh25Ee72.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4128 | sw42QO29GP88.exe
Token: SeDebugPrivilege | 4504 | tPW45Te40.exe
Token: SeDebugPrivilege | 1316 | uJh25Ee72.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1644 wrote to memory of 3728 | 1644 | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe | 66
PID 1644 wrote to memory of 3728 | 1644 | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe | 66
PID 1644 wrote to memory of 3728 | 1644 | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe | 66
PID 3728 wrote to memory of 4128 | 3728 | vJS7841hL.exe | 67
PID 3728 wrote to memory of 4128 | 3728 | vJS7841hL.exe | 67
PID 3728 wrote to memory of 4504 | 3728 | vJS7841hL.exe | 68
PID 3728 wrote to memory of 4504 | 3728 | vJS7841hL.exe | 68
PID 3728 wrote to memory of 4504 | 3728 | vJS7841hL.exe | 68
PID 1644 wrote to memory of 1316 | 1644 | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe | 70
PID 1644 wrote to memory of 1316 | 1644 | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe | 70
PID 1644 wrote to memory of 1316 | 1644 | 55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe | 70
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\55f9e5284f17d47a56fa4725909e157cc0c679a1db9d4cd2f5cb5ddfad615da4.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644
  Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJS7841hL.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJS7841hL.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3728
    Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw42QO29GP88.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw42QO29GP88.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
    Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPW45Te40.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPW45Te40.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
  Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJh25Ee72.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJh25Ee72.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
Network
MITRE ATT&CK Enterprise v6
Downloads