Analysis
max time kernel: 52s
max time network: 72s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25/03/2023, 14:26
Static task: static1
Behavioral task: behavioral1
  Sample: 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe
  Resource: win10-20230220-en
General
Target: 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe
Size: 687KB
MD5: f7087c0a042e4fb42e7a6d3192f31a2a
SHA1: 5661cb48aa55e07ca7d1e260f4b8e398c19db45a
SHA256: 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a
SHA512: 345ff6275064daea7425cbaeb6f3af449df1145b91aa035907dc6628aad9ad25fccc103faa70a929ec140bb2b177860966a445d60a014f30e368f8cff687c79f
SSDEEP: 12288:mMr0y903lzpxDKApG5ER7yErabo0av0bqKsHTJwkask:Oyk9DFpGsgbDBbSwk/k
Malware Config
Extracted: redline / boris
  193.233.20.32:4125
  auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Extracted: redline / firmu
  193.233.20.32:4125
  auth_value: 9f3e5e35e4a3a38fc36c5a851728aa33
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0837.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0837.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0837.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0837.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0837.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4332-178-0x00000000047F0000-0x0000000004836000-memory.dmp | family_redline
behavioral1/memory/4332-179-0x0000000007640000-0x0000000007684000-memory.dmp | family_redline
behavioral1/memory/4332-180-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-183-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-181-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-185-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-187-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-189-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-192-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-195-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-201-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-199-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-205-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-203-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-207-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-209-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-211-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-213-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-215-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
behavioral1/memory/4332-217-0x0000000007640000-0x000000000767F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
4156 | un977679.exe
996 | pro0837.exe
4332 | qu9785.exe
4952 | si368618.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0837.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0837.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un977679.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un977679.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
996 | pro0837.exe
996 | pro0837.exe
4332 | qu9785.exe
4332 | qu9785.exe
4952 | si368618.exe
4952 | si368618.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 996 | pro0837.exe
Token: SeDebugPrivilege | 4332 | qu9785.exe
Token: SeDebugPrivilege | 4952 | si368618.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4212 wrote to memory of 4156 | 4212 | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe | 66
PID 4212 wrote to memory of 4156 | 4212 | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe | 66
PID 4212 wrote to memory of 4156 | 4212 | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe | 66
PID 4156 wrote to memory of 996 | 4156 | un977679.exe | 67
PID 4156 wrote to memory of 996 | 4156 | un977679.exe | 67
PID 4156 wrote to memory of 996 | 4156 | un977679.exe | 67
PID 4156 wrote to memory of 4332 | 4156 | un977679.exe | 68
PID 4156 wrote to memory of 4332 | 4156 | un977679.exe | 68
PID 4156 wrote to memory of 4332 | 4156 | un977679.exe | 68
PID 4212 wrote to memory of 4952 | 4212 | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe | 70
PID 4212 wrote to memory of 4952 | 4212 | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe | 70
PID 4212 wrote to memory of 4952 | 4212 | 274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe | 70
Processes
C:\Users\Admin\AppData\Local\Temp\274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\274dbd160c52099b971d7de3d1ffb6ade75774e385d50e817bfb704c05ac8e2a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4212

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un977679.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un977679.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4156

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0837.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0837.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 996

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9785.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9785.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4332

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si368618.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si368618.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4952
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 6b780eb9c71d7b15142e05f33765678b
SHA1: 1b853b28e715a7c7a8e4a39567e7b22697265741
SHA256: 2067ab13d0198979bf52e0b0e37bc9187cb178517620826424fc3c9f41c06d76
SHA512: a149005b933b4a7739cf723ee1fec219e8eb2019fbe5300a807383aae83c46e60d0fcd8f3b1f5cb8d85556ade4567db91ecdaa4fdbbc87350d5cb7b1f4274314
Filesize: 545KB
MD5: 6117cce83f6d2374070b28bffde98787
SHA1: f0f9b1b6f1f43f679529de6ef7f78d8948a259f6
SHA256: b82f70ad085751fd68d933c272d98f82b7d5ee7d090b8ef1184930cff4f5fdb6
SHA512: 14788178b6a56485c50d4aba468cc63c34fceb50c5876cfbc349ba0c359fc6c3ae55642ba5f98e14392ab899d5e996953ab9882cb9285217c1962d4834ab3c13
Filesize: 325KB
MD5: 565eba1e4f9eee5d84ea3facc4f35b73
SHA1: fc4896f627b040c5780b254d3baa508fed70bf47
SHA256: f9dec88bbd9030b62491bb189a106161864a69bd9e42340c9f66587bd0010708
SHA512: c58bcde07c521d204f7a9509f7e1676c09f2e3519edacd04bde40d4c102275a0265793a615e779d69237d4a6cc4472216ef588e1bd89f4a4844963f534ebb6db
Filesize: 382KB
MD5: 6abccdd9692189341c649c9d8a80eb66
SHA1: 7f10dee90e98e773688ead96cc54920aceb46211
SHA256: c6fcb4c9bf245a7b43dd67b786805f603d5ef33aa3a99a4a8dc017758fe29a27
SHA512: e1c4151617fe530bdeace3d3bb9bc0f39c608b03a09d6eebb7a4da6a7da1bde00457a66dfeecb949f790bccf80ea6932faefcd17048a6e08a6db94e18f76f848