Analysis
max time kernel: 79s
max time network: 81s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/03/2023, 20:19
Static task: static1
Behavioral task: behavioral1
Sample: 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe
Resource: win10-20230220-en
General
Target: 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe
Size: 686KB
MD5: 108e6ae0e620ef33aad48a6597f727d7
SHA1: 397e20b0d01a5b88c46856c0635cc61f7b47b1c8
SHA256: 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37
SHA512: b307a575547d8b1aab0787c71df3bf0c569aebe4d6c5c3e81d82d779d010c31c00b45e24b57634280c738604966a0f215fbc0c65d2229a7ce6b57c503d3db622
SSDEEP: 12288:UMrly90jcNVyhhtv5kfED+AEE6d8BnsFrA+Z/EBAxX+lGl+FJTIW:RyyMVynp5k8D7EE6knQ7WWxOlGl/W
Malware Config
Extracted: redline
  stek
  melevv.eu:4162
  auth_value: 4205381daf6946b2df5fe3bc7eacc918
Extracted: redline
  fomich
  melevv.eu:4162
  auth_value: b018e52ac946001794d8b8c23e901859
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | urpd85nO72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | urpd85nO72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | urpd85nO72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | urpd85nO72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | urpd85nO72.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4980-176-0x0000000002FC0000-0x0000000003006000-memory.dmp | family_redline
behavioral1/memory/4980-177-0x0000000004B10000-0x0000000004B54000-memory.dmp | family_redline
behavioral1/memory/4980-178-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-179-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-183-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-187-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-191-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-189-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-193-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-195-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-197-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-199-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-201-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-203-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-205-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-207-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-209-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-211-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-213-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4980-215-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
Executes dropped EXE (4 IoCs)
pid | Process
5052 | ycMD20br58.exe
824 | urpd85nO72.exe
4980 | wrbm57wk97.exe
3464 | xunQ73rn87.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | urpd85nO72.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | urpd85nO72.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ycMD20br58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ycMD20br58.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
824 | urpd85nO72.exe
824 | urpd85nO72.exe
4980 | wrbm57wk97.exe
4980 | wrbm57wk97.exe
3464 | xunQ73rn87.exe
3464 | xunQ73rn87.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 824 | urpd85nO72.exe
Token: SeDebugPrivilege | 4980 | wrbm57wk97.exe
Token: SeDebugPrivilege | 3464 | xunQ73rn87.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4092 wrote to memory of 5052 | 4092 | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe | 66
PID 4092 wrote to memory of 5052 | 4092 | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe | 66
PID 4092 wrote to memory of 5052 | 4092 | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe | 66
PID 5052 wrote to memory of 824 | 5052 | ycMD20br58.exe | 67
PID 5052 wrote to memory of 824 | 5052 | ycMD20br58.exe | 67
PID 5052 wrote to memory of 824 | 5052 | ycMD20br58.exe | 67
PID 5052 wrote to memory of 4980 | 5052 | ycMD20br58.exe | 68
PID 5052 wrote to memory of 4980 | 5052 | ycMD20br58.exe | 68
PID 5052 wrote to memory of 4980 | 5052 | ycMD20br58.exe | 68
PID 4092 wrote to memory of 3464 | 4092 | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe | 70
PID 4092 wrote to memory of 3464 | 4092 | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe | 70
PID 4092 wrote to memory of 3464 | 4092 | 2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe | 70
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b085ed167b51549a426eb9c8f5b940fe2f95881c119bbdeffea7cee97decb37.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4092
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycMD20br58.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycMD20br58.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 5052
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urpd85nO72.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urpd85nO72.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 824
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrbm57wk97.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrbm57wk97.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4980
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xunQ73rn87.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xunQ73rn87.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3464
Network
MITRE ATT&CK Enterprise v6
Downloads