Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
58s -
max time network
145s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
08/03/2023, 00:06
Static task
static1
Behavioral task
behavioral1
Sample
a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe
Resource
win10-20230220-en
General
-
Target
a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe
-
Size
558KB
-
MD5
a2ef892f7b24f11eea60bd1f3fe4a63f
-
SHA1
79e66c350b4918d865a0dfc02b981cf99362d34c
-
SHA256
a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e
-
SHA512
8aaf452d9b49a5eeab63da95e550048b31bdfc31142c59aa4a99f0034ff6a3adcf33d249811efde96d66951131f47e7117f3e203e9477511a8b8503624a5f8e7
-
SSDEEP
12288:yMrFy90eAhBU7Ab++WaHuuBBZnxgKZiX4TVKinRxN:HyPA/Usb++WaO6Z2aiKlvN
Malware Config
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Extracted
redline
misha
193.56.146.11:4173
-
auth_value
e17e441c954db214b94a603a7b0b1aea
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" s3789pq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" s3789pq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" s3789pq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" s3789pq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" s3789pq.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/1996-139-0x0000000002580000-0x00000000025C6000-memory.dmp family_redline behavioral1/memory/1996-144-0x0000000002600000-0x0000000002644000-memory.dmp family_redline behavioral1/memory/1996-146-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-147-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-149-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-151-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-153-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-155-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-157-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-159-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-161-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-163-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-165-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-167-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-169-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-171-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-173-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-175-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-177-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-179-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-181-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-183-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-185-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-187-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-189-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-191-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-193-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-195-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-197-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-199-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-201-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-203-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-205-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-207-0x0000000002600000-0x000000000263E000-memory.dmp family_redline behavioral1/memory/1996-209-0x0000000002600000-0x000000000263E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 4436 vkSz8174zc.exe 4916 s3789pq.exe 1996 t92Lr87.exe 3984 uMLHZ09.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" s3789pq.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vkSz8174zc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vkSz8174zc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4916 s3789pq.exe 4916 s3789pq.exe 1996 t92Lr87.exe 1996 t92Lr87.exe 3984 uMLHZ09.exe 3984 uMLHZ09.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4916 s3789pq.exe Token: SeDebugPrivilege 1996 t92Lr87.exe Token: SeDebugPrivilege 3984 uMLHZ09.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4052 wrote to memory of 4436 4052 a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe 67 PID 4052 wrote to memory of 4436 4052 a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe 67 PID 4052 wrote to memory of 4436 4052 a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe 67 PID 4436 wrote to memory of 4916 4436 vkSz8174zc.exe 68 PID 4436 wrote to memory of 4916 4436 vkSz8174zc.exe 68 PID 4436 wrote to memory of 1996 4436 vkSz8174zc.exe 69 PID 4436 wrote to memory of 1996 4436 vkSz8174zc.exe 69 PID 4436 wrote to memory of 1996 4436 vkSz8174zc.exe 69 PID 4052 wrote to memory of 3984 4052 a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe 71 PID 4052 wrote to memory of 3984 4052 a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe 71 PID 4052 wrote to memory of 3984 4052 a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe 71
Processes
-
C:\Users\Admin\AppData\Local\Temp\a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe"C:\Users\Admin\AppData\Local\Temp\a762730248ba4c84deb2e2ba104d0191a1ca4031b8ef5b4640a19e570f9a518e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkSz8174zc.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkSz8174zc.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s3789pq.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s3789pq.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t92Lr87.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t92Lr87.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uMLHZ09.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uMLHZ09.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5fb6b1dfc1d31819df66b4eba004f4f1e
SHA18fb4085acc6bdac0c653130d20ccf87dc0a4bc16
SHA2564a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549
SHA512270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a
-
Filesize
175KB
MD5fb6b1dfc1d31819df66b4eba004f4f1e
SHA18fb4085acc6bdac0c653130d20ccf87dc0a4bc16
SHA2564a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549
SHA512270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a
-
Filesize
414KB
MD598c497c0504b4d960d85e1e13c5e5487
SHA1ed54a9a85d375c2fbd4a7064cc3366b52521d8f8
SHA256c6a48a72afcee257721408575c2ac62156b1b1f919da7897a6da0774ceb05c3d
SHA5128cb20c5f3f02c53e101d75cb65445d1de41fd9d7c4f4aaccd1235167e96782578839455a18da85287e8671c58d7915baf67ccbbee6afef6e01f0fed095b1bbdb
-
Filesize
414KB
MD598c497c0504b4d960d85e1e13c5e5487
SHA1ed54a9a85d375c2fbd4a7064cc3366b52521d8f8
SHA256c6a48a72afcee257721408575c2ac62156b1b1f919da7897a6da0774ceb05c3d
SHA5128cb20c5f3f02c53e101d75cb65445d1de41fd9d7c4f4aaccd1235167e96782578839455a18da85287e8671c58d7915baf67ccbbee6afef6e01f0fed095b1bbdb
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
391KB
MD5945b263a725208c255afd2b55d136e6a
SHA140c3b96eeee53351d23bb1eea75f42150f2c17ab
SHA256dd66c64dfae20a40f719ead09ecf868f5ee504ada893de1b4a2e2f379e57cd6a
SHA512f93a7c38f6216013ceceec7594aa72114b9c8a2cd304fc4fb3bd2a2515e81b3c507b6b78ba184e6ccf05049b831bca31f55d97614a8b02feaebdb1e0b3cbf293
-
Filesize
391KB
MD5945b263a725208c255afd2b55d136e6a
SHA140c3b96eeee53351d23bb1eea75f42150f2c17ab
SHA256dd66c64dfae20a40f719ead09ecf868f5ee504ada893de1b4a2e2f379e57cd6a
SHA512f93a7c38f6216013ceceec7594aa72114b9c8a2cd304fc4fb3bd2a2515e81b3c507b6b78ba184e6ccf05049b831bca31f55d97614a8b02feaebdb1e0b3cbf293