Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
53s -
max time network
74s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
07/03/2023, 17:37
Static task
static1
Behavioral task
behavioral1
Sample
433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe
Resource
win10-20230220-en
General
-
Target
433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe
-
Size
551KB
-
MD5
9ac7963c23863db0f54d9949b9c66808
-
SHA1
7cc280cac100ffe60ef9137b942b4647ad4ac922
-
SHA256
433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948
-
SHA512
8a34b3553b91057f531291b59bb6f75d674fea3f385bc38f9afa693d1aa46c8b682151931361a7b3252b01abc69585378b4ca56524cca810abfe259cafb84233
-
SSDEEP
12288:xMroy90xYpheCw6r+QxxBXkLJzuonD5QqK/I:RyD6JE+wTcVHaI
Malware Config
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Extracted
redline
misha
193.56.146.11:4173
-
auth_value
e17e441c954db214b94a603a7b0b1aea
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" s8220gO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" s8220gO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" s8220gO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" s8220gO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" s8220gO.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 36 IoCs
resource yara_rule behavioral1/memory/4236-138-0x0000000002130000-0x0000000002176000-memory.dmp family_redline behavioral1/memory/4236-140-0x0000000002660000-0x00000000026A4000-memory.dmp family_redline behavioral1/memory/4236-141-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-142-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-144-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-148-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-150-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-146-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-152-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-154-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-158-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-161-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-163-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-165-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-167-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-169-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-171-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-173-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-175-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-177-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-179-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-181-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-183-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-185-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-187-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-189-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-191-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-193-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-195-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-197-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-199-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-201-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-203-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-205-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-207-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4236-1061-0x0000000004C60000-0x0000000004C70000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 4048 vkmN6653hO.exe 4116 s8220gO.exe 4236 t13WP48.exe 4364 uZNat18.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" s8220gO.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vkmN6653hO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vkmN6653hO.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4116 s8220gO.exe 4116 s8220gO.exe 4236 t13WP48.exe 4236 t13WP48.exe 4364 uZNat18.exe 4364 uZNat18.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4116 s8220gO.exe Token: SeDebugPrivilege 4236 t13WP48.exe Token: SeDebugPrivilege 4364 uZNat18.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3848 wrote to memory of 4048 3848 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe 66 PID 3848 wrote to memory of 4048 3848 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe 66 PID 3848 wrote to memory of 4048 3848 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe 66 PID 4048 wrote to memory of 4116 4048 vkmN6653hO.exe 67 PID 4048 wrote to memory of 4116 4048 vkmN6653hO.exe 67 PID 4048 wrote to memory of 4236 4048 vkmN6653hO.exe 68 PID 4048 wrote to memory of 4236 4048 vkmN6653hO.exe 68 PID 4048 wrote to memory of 4236 4048 vkmN6653hO.exe 68 PID 3848 wrote to memory of 4364 3848 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe 70 PID 3848 wrote to memory of 4364 3848 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe 70 PID 3848 wrote to memory of 4364 3848 433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe"C:\Users\Admin\AppData\Local\Temp\433d49e0aa1c64bd2dc0c49dad92e369b3f40d1bd457bf2c34a486e685888948.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkmN6653hO.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkmN6653hO.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s8220gO.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s8220gO.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t13WP48.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t13WP48.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZNat18.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZNat18.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5fb6b1dfc1d31819df66b4eba004f4f1e
SHA18fb4085acc6bdac0c653130d20ccf87dc0a4bc16
SHA2564a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549
SHA512270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a
-
Filesize
175KB
MD5fb6b1dfc1d31819df66b4eba004f4f1e
SHA18fb4085acc6bdac0c653130d20ccf87dc0a4bc16
SHA2564a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549
SHA512270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a
-
Filesize
406KB
MD5832c1cf105ab556626a3045b78238165
SHA1aa713443f69fbacfda2d8d63de57889e73b1e7ff
SHA2564814f27752e7a83e1e237b4c506cbc471cf4babe68ee0134b373fab9a0ede45b
SHA5127a8a58aa52f07a939f53c62145b5acd516742673c66bae88891484bb123c0a47473fd812652fc6d30ed9dd446bb206068634b4873e65848956f207fa80e8f0b3
-
Filesize
406KB
MD5832c1cf105ab556626a3045b78238165
SHA1aa713443f69fbacfda2d8d63de57889e73b1e7ff
SHA2564814f27752e7a83e1e237b4c506cbc471cf4babe68ee0134b373fab9a0ede45b
SHA5127a8a58aa52f07a939f53c62145b5acd516742673c66bae88891484bb123c0a47473fd812652fc6d30ed9dd446bb206068634b4873e65848956f207fa80e8f0b3
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
365KB
MD5845708fe8e574bb4ae832556c0598a40
SHA19c85ea1653e0a6cd465356bba04ea0b5b106a7e3
SHA25603d64d5b343e6d39c98916b02fcaf9a90bf0eef42e35e3b9d6dcb1ad735ec639
SHA512edf2fd1ec51e3d3cb9d3e00b20a644ee2f375b52156c445fea3e1b565d387bf8f217824bfeddf043119343947a91a2e5470fb3ac572f0160cbf0f1894ba20a89
-
Filesize
365KB
MD5845708fe8e574bb4ae832556c0598a40
SHA19c85ea1653e0a6cd465356bba04ea0b5b106a7e3
SHA25603d64d5b343e6d39c98916b02fcaf9a90bf0eef42e35e3b9d6dcb1ad735ec639
SHA512edf2fd1ec51e3d3cb9d3e00b20a644ee2f375b52156c445fea3e1b565d387bf8f217824bfeddf043119343947a91a2e5470fb3ac572f0160cbf0f1894ba20a89