Analysis
max time kernel: 87s
max time network: 90s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/03/2023, 16:27
Static task: static1
Behavioral task: behavioral1
Sample: 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe
Resource: win10-20230220-en
General
Target: 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe
Size: 561KB
MD5: 6a9ce8dc677be066e26d06302266c3f1
SHA1: 82f73bdb0000ad4f9b487fbd8c2b7e116e47690e
SHA256: 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83
SHA512: ec8710f4abf147238ebdc5c34bddb75b7a31f182320bfb97049af04b1090b32d6189ab8d67b1224ddad210287fee55b5d4ed9264f1a787aba76227f35a801ca5
SSDEEP: 12288:wMruy90LGMLnIcY4BCmVYlINWi/9SN3TKsu++48:OyYI8WlINWqaTKsT2
Malware Config

Extracted
Family: redline
Botnet: fud
C2: 193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40

Extracted
Family: redline
Botnet: fabio
C2: 193.233.20.27:4123
auth_value: 56b82736c3f56b13be8e64c87d2cf9e5
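Both extracted configs point at the same C2 endpoint under two botnet ids, so the network IOC should be deduplicated by endpoint rather than emitted once per config. The script below is an added example (not part of the tria.ge report or of RedLine itself): it takes the two configs as extracted, groups them by host and port, emits one Suricata rule per endpoint (standard rule syntax; the sid range is a placeholder), and checks a handful of constructed flow records against the endpoints. The tab-separated flow layout (ts, orig_h, orig_p, resp_h, resp_p, mirroring Zeek conn.log columns) is an assumption of this example.

```python
"""Network IOCs from the two extracted RedLine configs.

Added example, not part of the tria.ge report or of RedLine itself. The
config values are the ones the report extracted; the flow records are
constructed, and their tab-separated layout (ts, orig_h, orig_p, resp_h,
resp_p, mirroring Zeek conn.log columns) is an assumption of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RedLineConfig:
    botnet: str       # build/campaign id shown by the extractor
    c2: str           # "host:port" exactly as extracted
    auth_value: str   # per-build token reported by the extractor; used only as a clustering key


EXTRACTED = [
    RedLineConfig("fud", "193.233.20.27:4123", "cddc991efd6918ad5321d80dac884b40"),
    RedLineConfig("fabio", "193.233.20.27:4123", "56b82736c3f56b13be8e64c87d2cf9e5"),
]


def c2_endpoints(configs):
    """Group botnet ids by (host, port) so one endpoint yields one IOC/rule."""
    groups = {}
    for cfg in configs:
        host, _, port = cfg.c2.rpartition(":")
        groups.setdefault((host, int(port)), []).append(cfg.botnet)
    return groups


def suricata_rules(configs, base_sid=1000001):
    """One Suricata rule per distinct C2 endpoint (sid range is a placeholder)."""
    rules = []
    endpoints = sorted(c2_endpoints(configs).items())
    for sid, ((host, port), botnets) in enumerate(endpoints, start=base_sid):
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"RedLine Stealer C2 ({",".join(botnets)})"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
    return rules


# Constructed flow records: two of them reach the extracted C2 endpoint.
FLOWS = [
    "1678120050.12\t10.0.0.15\t49812\t193.233.20.27\t4123",
    "1678120051.40\t10.0.0.15\t49813\t93.184.216.34\t443",
    "1678120077.03\t10.0.0.22\t51020\t193.233.20.27\t4123",
    "1678120090.88\t10.0.0.22\t51021\t193.233.20.27\t80",
]


def match_flows(flow_lines, configs):
    """Return flows whose responder matches a C2 endpoint, tagged with botnet ids."""
    endpoints = c2_endpoints(configs)
    hits = []
    for line in flow_lines:
        ts, orig_h, orig_p, resp_h, resp_p = line.split("\t")
        key = (resp_h, int(resp_p))
        if key in endpoints:
            hits.append({"ts": ts, "src": f"{orig_h}:{orig_p}",
                         "c2": f"{resp_h}:{resp_p}", "botnets": endpoints[key]})
    return hits


if __name__ == "__main__":
    print("\n".join(suricata_rules(EXTRACTED)))
    for hit in match_flows(FLOWS, EXTRACTED):
        print(hit)
```

Matching is deliberately on host and port together: the constructed flow to 193.233.20.27:80 is not reported, because nothing in the extracted config says the operator uses that port. If you want to treat the whole host as hostile, drop the port from the key in c2_endpoints, but then the rule and the match no longer trace to the config value.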
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sf23Ts42lB61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sf23Ts42lB61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sf23Ts42lB61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sf23Ts42lB61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sf23Ts42lB61.exe
All five are Defender Group Policy values (HKLM\SOFTWARE\Policies\...); set to 1 they switch off real-time and on-access scanning, scanning of downloaded files and attachments (IOAV), behavior monitoring, and the catch-up scan that runs when real-time protection is re-enabled. Whether the writes take effect depends on Tamper Protection, which the same process also tries to turn off (TamperProtection = 0); the sandbox only records that each value was set.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/3908-141-0x0000000004A70000-0x0000000004AB6000-memory.dmp | family_redline
behavioral1/memory/3908-145-0x0000000004AF0000-0x0000000004B34000-memory.dmp | family_redline
behavioral1/memory/3908-148-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-149-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-151-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-153-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-155-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-157-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-159-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-161-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-163-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-165-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-167-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-169-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-173-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-171-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-175-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-177-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-179-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-181-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-183-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-185-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-187-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-189-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-191-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-193-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-195-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-197-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-199-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-201-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-203-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-205-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-207-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-209-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
behavioral1/memory/3908-211-0x0000000004AF0000-0x0000000004B2E000-memory.dmp | family_redline
All 35 hits are in the memory of PID 3908 (tf07Zy43jF80.exe). From dump 148 onward the rule matches the same 0x0000000004AF0000-0x0000000004B2E000 region on every snapshot, so that region is a stable target for a single dump of the unpacked payload.
Executes dropped EXE 4 IoCs
pid | Process
2504 | vhsz0006Rk.exe
2984 | sf23Ts42lB61.exe
3908 | tf07Zy43jF80.exe
4652 | uhSC85lG38YI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sf23Ts42lB61.exe
TamperProtection under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is the switch for Defender's Tamper Protection. When Tamper Protection is on, Defender rejects direct registry edits of its own settings, so a write succeeding in the sandbox does not mean it would succeed on a managed host; the attempt is still a strong detection signal.
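The Defender policy writes above and the TamperProtection write in this signature are the kind of registry events a detection should key on (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). The script below is an added example, not part of the tria.ge report: it parses sandbox-style "Set value" records in the exact shape the report prints, flags the ones that turn a Defender protection off, and groups them by writing process. The six offending lines are the report's own IoCs; the seventh line (a re-enable by gpupdate.exe) is a constructed control that must not fire. The record layout and the parsing are this example's assumptions; the same fields (key path, value name, data, writing process) are what Sysmon Event ID 13 gives you on a host.

```python
"""Flag registry writes that disable Windows Defender, from sandbox-style
"Set value" records like the ones in this report.

Added example, not part of the tria.ge report. The input lines are the
report's own IoCs plus one constructed benign control; the parse/flag logic
and the record layout are this example's assumptions.
"""
import re
from collections import defaultdict

RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Policy values that turn protection off when set to 1 ...
DISABLE_WHEN_1 = {
    "DisableIOAVProtection",        # scanning of downloaded files and attachments
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",  # the catch-up scan when real-time protection comes back
    "DisableBehaviorMonitoring",
}
# ... and the one that turns protection off when set to 0.
DISABLE_WHEN_0 = {"TamperProtection"}

SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sf23Ts42lB61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sf23Ts42lB61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sf23Ts42lB61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sf23Ts42lB61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sf23Ts42lB61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sf23Ts42lB61.exe',
    # Constructed control: re-enabling real-time monitoring must not fire.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]

LINE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<process>\S+)$')


def parse_event(line):
    """Split one record into key path, value name, data and writing process."""
    m = LINE_RE.match(line)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"key": key, "name": name, "type": m.group("type"),
            "data": m.group("data"), "process": m.group("process")}


def disables_defender(ev):
    """True when the write turns a Defender protection off."""
    key = ev["key"].lower()
    if key == RTP_KEY.lower():
        return ev["name"] in DISABLE_WHEN_1 and ev["data"] == "1"
    if key == FEATURES_KEY.lower():
        return ev["name"] in DISABLE_WHEN_0 and ev["data"] == "0"
    return False


def scan(lines):
    """Map each offending process to the protections it switched off (T1562.001)."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and disables_defender(ev):
            hits[ev["process"]].append(ev["name"])
    return dict(hits)


if __name__ == "__main__":
    for proc, names in scan(SAMPLE_EVENTS).items():
        print(f"{proc}: disabled {', '.join(names)}")
```

The check is on the value written, not merely on the key being touched: management tooling writes these same values when it re-enables protection, so a rule that alerts on any write under the Real-Time Protection policy key will page you on every gpupdate.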
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vhsz0006Rk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vhsz0006Rk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe
The wextract_cleanupN RunOnce values pointing at advpack.dll,DelNodeRunDLL32 are written by the IExpress (wextract) self-extractor to delete its IXP00N.TMP extraction directory at the next logon. They show that the sample and vhsz0006Rk.exe are nested IExpress packages; they are not a persistence mechanism for the payloads, and no other Run/RunOnce entry appears in this report.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2984 | sf23Ts42lB61.exe
2984 | sf23Ts42lB61.exe
3908 | tf07Zy43jF80.exe
3908 | tf07Zy43jF80.exe
4652 | uhSC85lG38YI.exe
4652 | uhSC85lG38YI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2984 | sf23Ts42lB61.exe
Token: SeDebugPrivilege | 3908 | tf07Zy43jF80.exe
Token: SeDebugPrivilege | 4652 | uhSC85lG38YI.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2468 wrote to memory of 2504 | 2468 | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe | 66
PID 2468 wrote to memory of 2504 | 2468 | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe | 66
PID 2468 wrote to memory of 2504 | 2468 | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe | 66
PID 2504 wrote to memory of 2984 | 2504 | vhsz0006Rk.exe | 67
PID 2504 wrote to memory of 2984 | 2504 | vhsz0006Rk.exe | 67
PID 2504 wrote to memory of 3908 | 2504 | vhsz0006Rk.exe | 68
PID 2504 wrote to memory of 3908 | 2504 | vhsz0006Rk.exe | 68
PID 2504 wrote to memory of 3908 | 2504 | vhsz0006Rk.exe | 68
PID 2468 wrote to memory of 4652 | 2468 | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe | 70
PID 2468 wrote to memory of 4652 | 2468 | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe | 70
PID 2468 wrote to memory of 4652 | 2468 | 67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe | 70
Processes

[1] C:\Users\Admin\AppData\Local\Temp\67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe"
    PID: 2468
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsz0006Rk.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsz0006Rk.exe
        PID: 2504
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf23Ts42lB61.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf23Ts42lB61.exe
            PID: 2984
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf07Zy43jF80.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf07Zy43jF80.exe
            PID: 3908
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhSC85lG38YI.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhSC85lG38YI.exe
        PID: 4652
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
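The process tree above is what the sandbox derives from the WriteProcessMemory records: a parent writing into a process it has just created is how the parent/child edges are inferred, and the eleven records collapse to four edges because each CreateProcess produces several writes. The script below is an added example, not part of the tria.ge report: it takes the report's "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" lists as copied from the page, de-duplicates the records into edges, names the PIDs, and renders the tree (sample in IXP000.TMP, vhsz0006Rk.exe as a second IExpress stage extracting into IXP001.TMP, and uhSC85lG38YI.exe alongside it at the first level). The parsing, the tree layout and the helper names are this example's own.

```python
"""Rebuild the process tree from the report's "Executes dropped EXE" and
"Suspicious use of WriteProcessMemory" records.

Added example, not part of the tria.ge report. The two strings below are
the report's IoC lists copied verbatim; the parsing, de-duplication and
tree layout are this example's own.
"""
import re
from collections import defaultdict

SAMPLE = "67a98ee3e356b6495ccd00cfe6c92697bf9e49c9fc201617534dcf69976eba83.exe"

DROPPED = "pid Process 2504 vhsz0006Rk.exe 2984 sf23Ts42lB61.exe 3908 tf07Zy43jF80.exe 4652 uhSC85lG38YI.exe"

# 11 records for 4 parent/child pairs: the sandbox logs every WriteProcessMemory
# call, and a parent writes into a freshly created child several times.
WPM = f"""PID 2468 wrote to memory of 2504 2468 {SAMPLE} 66
PID 2468 wrote to memory of 2504 2468 {SAMPLE} 66
PID 2468 wrote to memory of 2504 2468 {SAMPLE} 66
PID 2504 wrote to memory of 2984 2504 vhsz0006Rk.exe 67
PID 2504 wrote to memory of 2984 2504 vhsz0006Rk.exe 67
PID 2504 wrote to memory of 3908 2504 vhsz0006Rk.exe 68
PID 2504 wrote to memory of 3908 2504 vhsz0006Rk.exe 68
PID 2504 wrote to memory of 3908 2504 vhsz0006Rk.exe 68
PID 2468 wrote to memory of 4652 2468 {SAMPLE} 70
PID 2468 wrote to memory of 4652 2468 {SAMPLE} 70
PID 2468 wrote to memory of 4652 2468 {SAMPLE} 70"""

# description, pid (repeats the writer), Process, procid_target; the backreference
# rejects any line where the pid column does not match the description.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
PROC_RE = re.compile(r"(\d+) (\S+\.exe)")


def parse_edges(wpm_text):
    """Distinct (writer_pid, target_pid) pairs plus the writer's image name."""
    edges, names = set(), {}
    for writer, target, image, _procid in WPM_RE.findall(wpm_text):
        edges.add((int(writer), int(target)))
        names[int(writer)] = image
    return edges, names


def build_tree(edges):
    """Children per parent, and the roots (writers that nobody wrote into)."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = sorted(p for p in children if p not in targets)
    return roots, dict(children)


def render(pid, children, names, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'    ' * depth}{pid}  {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, names, depth + 1))
    return lines


def reconstruct(wpm_text=WPM, dropped=DROPPED):
    edges, names = parse_edges(wpm_text)
    names.update({int(pid): image for pid, image in PROC_RE.findall(dropped)})
    roots, children = build_tree(edges)
    return roots, children, names


if __name__ == "__main__":
    roots, children, names = reconstruct()
    for root in roots:
        print("\n".join(render(root, children, names)))
```

On a real host the same reconstruction comes from Sysmon Event ID 1 (ParentProcessId) or ETW process-start events rather than from cross-process writes; the WriteProcessMemory view is useful in a sandbox precisely because it also catches a parent that writes a payload into a child it did not launch.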
Network
MITRE ATT&CK Enterprise v6
Downloads (4 distinct files; the report lists each one twice)

Filesize: 176KB
MD5: 02bced30207dde9c0bf18ecebdd39aa3
SHA1: b5a763844ac7ca19d642540dbe6ccc0f7e22405d
SHA256: ec894a1592bf07fe7b995737fc5121f9bdaa39165d068a7e8e7ff6e8a55844cb
SHA512: e415e6a54c94d47c1cc84eca24663c141ac906baf4c50b2ae671f308fc64055f1b1b99bc9df2499eda2f682d307bc42f33fcd5a585811567548c5981b2834fd2

Filesize: 417KB
MD5: 164d2f235e8d4bcca5db3657734bc0d2
SHA1: dcc6f678e80436b0c707473c34c9d4fc3bf1d043
SHA256: 27914ab152be17aa9ae67bddbee704f5657b5b0e2a0f7025e8cf261bd3820816
SHA512: 4c8f4e789376af4748159bcf59274e1b0662c6348ccd8b931a40931cd78a8a365f0b11e16194ba0804f82a874a8a4d1d4700baaadd549cd78fae49e0ef24c7c6

Filesize: 12KB
MD5: 4e0ec18c1140e1960dd5d56954929480
SHA1: ee51b6fab015f08be46bcebaf27fc9a50fc99501
SHA256: 01259d1593a3ead465f6f297ae27ac1a40ae649dfb6e84185e279af19b9e135f
SHA512: 17a37eaa7c6e0ba61cdb996f2fbe6fd4be23de7417911f72eb530d29d2d7b9375161f4dea4d7dd292a28eff3cf5fb9fe194e8492d18fa435df0df8881bc2d249

Filesize: 419KB
MD5: 6b48a9a5ca542b20633aff65ae0e882a
SHA1: c5e08fe68b82b937492e9686347567a37d606a48
SHA256: 763b078fafe64dce994f8843a962741a00784eb2adcd8de0a1865f459e454355
SHA512: 05e452f2b6540bc566b8d3b956c1e1ca8b645be991583374a559bd84fcd13c1ec79526a5b7dfb01369b0120793d1ac6aa4b5b956a5311ac504ed79cd0ea9e2e5