Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
53s -
max time network
57s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
25/03/2023, 09:54
Static task
static1
Behavioral task
behavioral1
Sample
692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe
Resource
win10-20230220-en
General
-
Target
692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe
-
Size
689KB
-
MD5
16f9dc98ad99825b48e69e86be6da4d8
-
SHA1
34aca6728d518072293ad4aecf39cdce68cea899
-
SHA256
692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205
-
SHA512
37172ace4a013693188085ae143631c0d65766357daecb853b4fcdc4a4649b42237f19fa91a758ef6c8403bdda295c170075d147531db1ec7cfbc1d75c7ecb6c
-
SSDEEP
12288:9MrDy90nvJLMnPrTNJFSEtQLhW2cngq/6zd768wB:qyfrTxUcnz/6z9rwB
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
lenka
193.233.20.32:4125
-
auth_value
8a60e8b2ec79d6a7e92f9feac39b8830
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6290.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/2828-179-0x0000000004B70000-0x0000000004BB6000-memory.dmp family_redline behavioral1/memory/2828-180-0x0000000007140000-0x0000000007184000-memory.dmp family_redline behavioral1/memory/2828-185-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-186-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-188-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-190-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-192-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-194-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-196-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-198-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-202-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-200-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-204-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-206-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-208-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-210-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-212-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-214-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-216-0x0000000007140000-0x000000000717F000-memory.dmp family_redline behavioral1/memory/2828-218-0x0000000007140000-0x000000000717F000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 3364 unio7245.exe 4236 pro6290.exe 2828 qu6085.exe 4904 si551129.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6290.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce unio7245.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" unio7245.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4236 pro6290.exe 4236 pro6290.exe 2828 qu6085.exe 2828 qu6085.exe 4904 si551129.exe 4904 si551129.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4236 pro6290.exe Token: SeDebugPrivilege 2828 qu6085.exe Token: SeDebugPrivilege 4904 si551129.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4044 wrote to memory of 3364 4044 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe 66 PID 4044 wrote to memory of 3364 4044 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe 66 PID 4044 wrote to memory of 3364 4044 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe 66 PID 3364 wrote to memory of 4236 3364 unio7245.exe 67 PID 3364 wrote to memory of 4236 3364 unio7245.exe 67 PID 3364 wrote to memory of 4236 3364 unio7245.exe 67 PID 3364 wrote to memory of 2828 3364 unio7245.exe 68 PID 3364 wrote to memory of 2828 3364 unio7245.exe 68 PID 3364 wrote to memory of 2828 3364 unio7245.exe 68 PID 4044 wrote to memory of 4904 4044 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe 70 PID 4044 wrote to memory of 4904 4044 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe 70 PID 4044 wrote to memory of 4904 4044 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe"C:\Users\Admin\AppData\Local\Temp\692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7245.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7245.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6290.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6290.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6085.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6085.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si551129.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si551129.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5e80464c643732f28518c0d87cc91aebb
SHA191142c1729cdc9b9593238381ddbe574cd8ee6a4
SHA256138aa922c4c89a0fa9290dcc0a6814a00fccfb6ad9966127e268a946d7bbcf6a
SHA512b10bea2f341a022f534052d651e6c509d41270e3dc1ef8be8f3761d675a64136bd57f39bdda8d494cb79d9b466b9109ff06df6793d44c6f24d499554cae441ff
-
Filesize
175KB
MD5e80464c643732f28518c0d87cc91aebb
SHA191142c1729cdc9b9593238381ddbe574cd8ee6a4
SHA256138aa922c4c89a0fa9290dcc0a6814a00fccfb6ad9966127e268a946d7bbcf6a
SHA512b10bea2f341a022f534052d651e6c509d41270e3dc1ef8be8f3761d675a64136bd57f39bdda8d494cb79d9b466b9109ff06df6793d44c6f24d499554cae441ff
-
Filesize
548KB
MD52d238a988b1e79fdca02f7baaca0258a
SHA126634bc5e549fb5cf11dd6748968c39e884f8e7b
SHA256206ce4e882bf7bc5a6fd5254d179955d4d138dc1c24bcfc4f4bd084de60ab831
SHA51221f61381a017374fc39da0d2218e2259c7069f7c907c81caef98226494430eed83fbf3ea23d13c16bc42bd1e09f5b858cc2762690777c134581a24f31d69c102
-
Filesize
548KB
MD52d238a988b1e79fdca02f7baaca0258a
SHA126634bc5e549fb5cf11dd6748968c39e884f8e7b
SHA256206ce4e882bf7bc5a6fd5254d179955d4d138dc1c24bcfc4f4bd084de60ab831
SHA51221f61381a017374fc39da0d2218e2259c7069f7c907c81caef98226494430eed83fbf3ea23d13c16bc42bd1e09f5b858cc2762690777c134581a24f31d69c102
-
Filesize
328KB
MD50ec2fd8c74c49b4b2dbdb59f9c80d6d0
SHA1cd135f1efb0bb8c774e0f4a7a4ec9858f67f5356
SHA256b6065f070981dfc90df2780620549c77e135dcff66f1f24d0be39c4c11c60aa3
SHA512cb49f109e3ba8a41cd277e2b8b1d74f8d6bd8676fe2b2e0bf29bcc0bbd41937f1fbfda035b4cd8ebe2b604e197f18b85fdd77b9699b8a0d993fab17a5c080fdc
-
Filesize
328KB
MD50ec2fd8c74c49b4b2dbdb59f9c80d6d0
SHA1cd135f1efb0bb8c774e0f4a7a4ec9858f67f5356
SHA256b6065f070981dfc90df2780620549c77e135dcff66f1f24d0be39c4c11c60aa3
SHA512cb49f109e3ba8a41cd277e2b8b1d74f8d6bd8676fe2b2e0bf29bcc0bbd41937f1fbfda035b4cd8ebe2b604e197f18b85fdd77b9699b8a0d993fab17a5c080fdc
-
Filesize
385KB
MD51e477f3c8253eeb1be53c9b8f24aa77c
SHA1e8c5359d90cf10bc1f913622a4bfb1accd45cf81
SHA2569d4cc4853f9dc2e1c42f99473109c6a05476b4a54df3bdbe61ab0825edcfeaad
SHA51282298865847f638c7ab2fcf3ea81341895c95076df66e9cbc955ecdf6f8f2bc0ef74ac885f18c2dff44ee3eaa0526a85a44c2408bc099659f41541c573db3fb3
-
Filesize
385KB
MD51e477f3c8253eeb1be53c9b8f24aa77c
SHA1e8c5359d90cf10bc1f913622a4bfb1accd45cf81
SHA2569d4cc4853f9dc2e1c42f99473109c6a05476b4a54df3bdbe61ab0825edcfeaad
SHA51282298865847f638c7ab2fcf3ea81341895c95076df66e9cbc955ecdf6f8f2bc0ef74ac885f18c2dff44ee3eaa0526a85a44c2408bc099659f41541c573db3fb3