Analysis
max time kernel: 49s
max time network: 126s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/03/2023, 11:41
Static task: static1
Behavioral task: behavioral1
Sample: adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe
Resource: win10-20230220-en
General
Target: adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe
Size: 550KB
MD5: 9f67db2dead062c26f84bd9bcf060ce8
SHA1: 55b3e441b7f398d10920c71f3f976b60f85d466e
SHA256: adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931
SHA512: 72e23ccc03b11d4d9a5f0121b9661d6574a272a4bafd03c575f57e234cad4596f69f14e568cd555a8c3ff5a8ac4c98de4d7527bd33349cb1bf7b9c24554863ee
SSDEEP: 12288:vMrOy90R7ZncbdZMq7FkLdiJ71kzC8D4bLrCHcB:ByUZncBx7aLdiJJkzebLrCHcB
Malware Config
Extracted
Family: redline
Botnet: stek
C2: melevv.eu:4162
auth_value: 4205381daf6946b2df5fe3bc7eacc918
Extracted
Family: redline
Botnet: fomich
C2: melevv.eu:4162
auth_value: b018e52ac946001794d8b8c23e901859
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw86Qw00Gi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw86Qw00Gi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw86Qw00Gi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw86Qw00Gi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw86Qw00Gi96.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Executes dropped EXE 4 IoCs
pid | Process
3340 | vFX5538hU.exe
4192 | sw86Qw00Gi96.exe
1012 | tEG14mS16.exe
2632 | uhF17eq93.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw86Qw00Gi96.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vFX5538hU.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vFX5538hU.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4192 | sw86Qw00Gi96.exe
4192 | sw86Qw00Gi96.exe
1012 | tEG14mS16.exe
1012 | tEG14mS16.exe
2632 | uhF17eq93.exe
2632 | uhF17eq93.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4192 | sw86Qw00Gi96.exe
Token: SeDebugPrivilege | 1012 | tEG14mS16.exe
Token: SeDebugPrivilege | 2632 | uhF17eq93.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4064 wrote to memory of 3340 | 4064 | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe | 66
PID 4064 wrote to memory of 3340 | 4064 | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe | 66
PID 4064 wrote to memory of 3340 | 4064 | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe | 66
PID 3340 wrote to memory of 4192 | 3340 | vFX5538hU.exe | 67
PID 3340 wrote to memory of 4192 | 3340 | vFX5538hU.exe | 67
PID 3340 wrote to memory of 1012 | 3340 | vFX5538hU.exe | 68
PID 3340 wrote to memory of 1012 | 3340 | vFX5538hU.exe | 68
PID 3340 wrote to memory of 1012 | 3340 | vFX5538hU.exe | 68
PID 4064 wrote to memory of 2632 | 4064 | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe | 70
PID 4064 wrote to memory of 2632 | 4064 | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe | 70
PID 4064 wrote to memory of 2632 | 4064 | adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe | 70
Processes
C:\Users\Admin\AppData\Local\Temp\adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4064
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFX5538hU.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFX5538hU.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3340
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw86Qw00Gi96.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw86Qw00Gi96.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4192
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tEG14mS16.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tEG14mS16.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1012
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhF17eq93.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhF17eq93.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2632
Network
MITRE ATT&CK Enterprise v6
Downloads