Analysis
- max time kernel: 56s
- max time network: 73s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26/03/2023, 20:16
Static task: static1
Behavioral task: behavioral1
Sample: ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
Resource: win10-20230220-en
General
- Target: ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
- Size: 691KB
- MD5: 69e0e719a212dc8c8d2aadf6bdcb6c10
- SHA1: 488900b5909d66687fa6217560871855098581f1
- SHA256: ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2
- SHA512: 81679183576c132544a886180e1e8855d3fb969acf03561895f41f0945f8284dce9d9f0b7381057e88abb449f6a78bacb7d1bc36dd3066423c32651a2670fb5f
- SSDEEP: 12288:HMrYy90lyNJunvjV1A3xknZHqCWP/f/UOO4+55wxlFxPHYUfPsaamLKh4+s2:bygQon5w/Pfex+xl4UfPKPKt2
Malware Config
Two RedLine configurations were extracted; both point at the same C2 endpoint and differ only in botnet ID and auth_value.

Extracted: redline
- botnet: sony
- C2: 193.233.20.33:4125
- auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted: redline
- botnet: dent
- C2: 193.233.20.33:4125
- auth_value: e795368557f02e28e8aef6bcb279a3b0
Signatures
-
Modifies Windows Defender Real-time Protection settings 5 IoCs
All five values are written by pro8650.exe under the Group Policy path that Defender honours (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection), so each one switches the named feature off. Tamper Protection (Windows 10 1903 and later) is intended to block this class of change; the sandbox image here is 1703, where it does not exist, so the writes take effect.
description | ioc | Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8650.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8650.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8650.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8650.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8650.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
YARA rule family_redline matched the following memory dumps, all taken from PID 3928 (qu7773.exe):
- behavioral1/memory/3928-177-0x0000000004920000-0x0000000004966000-memory.dmp
- behavioral1/memory/3928-180-0x0000000007650000-0x0000000007694000-memory.dmp
- behavioral1/memory/3928-181-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-182-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-184-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-186-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-188-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-190-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-192-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-194-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-196-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-198-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-200-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-202-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-204-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-206-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-209-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-211-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-213-0x0000000007650000-0x000000000768E000-memory.dmp
- behavioral1/memory/3928-215-0x0000000007650000-0x000000000768E000-memory.dmp
Executes dropped EXE 4 IoCs
pid | Process
- 4012 | un212425.exe
- 2052 | pro8650.exe
- 3928 | qu7773.exe
- 4792 | si958117.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 IoCs
pro8650.exe also creates the Defender Features key and writes TamperProtection = 0 there; on a build where Tamper Protection is enabled this value is itself protected, so the write is an attempt rather than a guaranteed bypass.
description | ioc | Process
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8650.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8650.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
These RunOnce entries are not a persistence mechanism of the stealer itself: wextract_cleanupN values that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are the standard cleanup hook written by wextract (IExpress self-extracting cabinets). They show that the sample and un212425.exe are nested self-extracting archives, and that the dropped files under IXP000.TMP and IXP001.TMP are scheduled for deletion at next logon.
description | ioc | Process
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un212425.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un212425.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process (each logged twice)
- 2052 | pro8650.exe
- 3928 | qu7773.exe
- 4792 | si958117.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2052 | pro8650.exe
- Token: SeDebugPrivilege | 3928 | qu7773.exe
- Token: SeDebugPrivilege | 4792 | si958117.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target (each pair is logged three times; shown once here)
- PID 2148 wrote to memory of 4012 | 2148 | ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe | 66
- PID 4012 wrote to memory of 2052 | 4012 | un212425.exe | 67
- PID 4012 wrote to memory of 3928 | 4012 | un212425.exe | 68
- PID 2148 wrote to memory of 4792 | 2148 | ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe | 70
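The signature tables above are flat text, which is awkward to feed into a triage pipeline. The following is an added example, not tria.ge code and not part of the original report: it parses the report's own Defender registry writes, RunOnce entries, SeDebugPrivilege tokens and WriteProcessMemory pairs into structured events, runs three small rules over them, and rebuilds the parent/child process tree from the WriteProcessMemory pairs alone. The rule names (DEFENDER_TAMPER, RUNONCE_PERSIST, SEDEBUG) and the event layout are this example's own choices; the input lines are copied from the report, so nothing here touches a live host.

```python
"""Parse flattened tria.ge signature lines into events, run triage
rules over them and rebuild the process tree from WriteProcessMemory
parent/child pairs.  Added example for this page; not tria.ge code."""
import re
from collections import defaultdict

# Constructed input: report lines copied from the Signatures tables above
# (Key created lines are left out; the parser skips anything unmatched).
REPORT_LINES = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro8650.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro8650.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro8650.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro8650.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro8650.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro8650.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un212425.exe
Token: SeDebugPrivilege 2052 pro8650.exe
Token: SeDebugPrivilege 3928 qu7773.exe
Token: SeDebugPrivilege 4792 si958117.exe
PID 2148 wrote to memory of 4012 2148 ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe 66
PID 4012 wrote to memory of 2052 4012 un212425.exe 67
PID 4012 wrote to memory of 3928 4012 un212425.exe 68
PID 2148 wrote to memory of 4792 2148 ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe 70
'''

# Line shapes used by the report: registry writes, token adjustments and
# WriteProcessMemory pairs (the trailing number is a sandbox process index).
SET_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
TOKEN_RE = re.compile(r'^Token: (\S+) (\d+) (\S+)$')
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$')

# Registry paths are case-insensitive, so all matching is done lower-cased.
DEFENDER_RTP = '\\policies\\microsoft\\windows defender\\real-time protection\\'
TAMPER_KEY = '\\windows defender\\features\\tamperprotection'
RUNONCE = '\\currentversion\\runonce\\'


def parse(text):
    """Turn report lines into event dicts; unmatched lines are ignored."""
    events = []
    for line in text.strip().splitlines():
        if m := SET_RE.match(line):
            events.append({'kind': 'set', 'type': m[1], 'path': m[2],
                           'value': m[3], 'proc': m[4]})
        elif m := TOKEN_RE.match(line):
            events.append({'kind': 'token', 'priv': m[1],
                           'pid': int(m[2]), 'proc': m[3]})
        elif m := WPM_RE.match(line):
            events.append({'kind': 'wpm', 'ppid': int(m[1]),
                           'pid': int(m[2]), 'proc': m[3]})
    return events


def detect(events):
    """Return (rule, process, detail) tuples for events that match a rule."""
    hits = []
    for e in events:
        if e['kind'] == 'set':
            path = e['path'].lower()
            name = e['path'].rsplit('\\', 1)[-1]
            # Disable* = 1 under the Real-Time Protection policy key turns
            # that Defender feature off; TamperProtection = 0 is the same
            # intent aimed at the protection that should block the above.
            if DEFENDER_RTP in path and name.startswith('Disable') and e['value'] == '1':
                hits.append(('DEFENDER_TAMPER', e['proc'], name))
            elif path.endswith(TAMPER_KEY) and e['value'] == '0':
                hits.append(('DEFENDER_TAMPER', e['proc'], name))
            elif RUNONCE in path:
                hits.append(('RUNONCE_PERSIST', e['proc'], name))
        elif e['kind'] == 'token' and e['priv'] == 'SeDebugPrivilege':
            hits.append(('SEDEBUG', e['proc'], e['pid']))
    return hits


def process_tree(events, root_pid):
    """Rebuild parent -> child links from WriteProcessMemory events (a parent
    writing into a freshly created child is how the sandbox records process
    creation here) and render them as an indented list of 'pid name'."""
    children, names = defaultdict(list), {}
    for e in events:
        if e['kind'] == 'wpm':
            if e['pid'] not in children[e['ppid']]:   # pairs are logged 3x
                children[e['ppid']].append(e['pid'])
            names[e['ppid']] = e['proc']
        elif e['kind'] == 'token':
            names[e['pid']] = e['proc']

    def walk(pid, depth):
        lines = ['  ' * depth + f'{pid} {names.get(pid, "?")}']
        for child in children[pid]:
            lines += walk(child, depth + 1)
        return lines
    return walk(root_pid, 0)


if __name__ == '__main__':
    evs = parse(REPORT_LINES)
    for hit in detect(evs):
        print(*hit)
    print('\n'.join(process_tree(evs, 2148)))
```

Run as-is it prints six DEFENDER_TAMPER hits for pro8650.exe, the two wextract_cleanup RunOnce writes, three SEDEBUG hits, and a five-node tree rooted at PID 2148 that matches the Processes section of the report. The same parser works on any tria.ge report whose signature tables were flattened the same way; only REPORT_LINES needs replacing.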
Processes
- C:\Users\Admin\AppData\Local\Temp\ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe (PID 2148)
  command line: "C:\Users\Admin\AppData\Local\Temp\ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212425.exe (PID 4012)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212425.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8650.exe (PID 2052)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8650.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7773.exe (PID 3928)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7773.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si958117.exe (PID 4792)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si958117.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Downloads
Four distinct dropped files (the original page listed each of them twice; the report does not say which dropped executable each hash belongs to).
- Filesize 175KB
  MD5 67ce56e6273ab6833687f46187e5fb18
  SHA1 26f7dabc4f8f69b9a5b7a2552d9a6ded70223968
  SHA256 b321e8483cb95db26422e10210efc5ed5f593ae079aef39d9d68fcb15e22a40a
  SHA512 fe705467544bf24addb81567e8114209954c16fb5ce321ee95222aaa9026194c2e7ed1f77d3054d3dc0c2769f84734004fa24238affa4868f3e6574b8f087ba3
- Filesize 550KB
  MD5 0f76c21adc69b60a99642584fff0f7b7
  SHA1 a8b88c4fee0c245ea82cef503379e95e014251b1
  SHA256 b5fa42df50dbe9dc5bd7d42e8a4ef9d01d1666ee6ba4363fc6cf97f6ddc12e15
  SHA512 24c8463cd8b134cbb804f0c8f79759e91e92e26ce024116a0779abc8f8f013dce01dccbad53bdc8696a4008fa1b4259987f14f433a7c34fd556c36eb926a595b
- Filesize 325KB
  MD5 9d889f25dc0882f0d1834cde8b67aae6
  SHA1 5c2de63e9af45c35157c7412d2f5210bd2595331
  SHA256 470224da7890334039a9aa7a00cdc0783463c75aa8c5306b2d9a584d29dfd3b3
  SHA512 2a61e8fdbc6aba895756db16f76967debc3415d45c94644cbf428e31d59a7c0a9f1e377009c420e6a602780ed20ab121a4b2124340c636c0c6640a9b967dee87
- Filesize 384KB
  MD5 222376e1ffa308ea3dd64ed43ab88ea0
  SHA1 99c644559273d3a3546195365713f091be996091
  SHA256 496062aa69a3ab7e93b3add0aa07412e608fbb71d60cadd62d5ff367b5f6d39a
  SHA512 1cf24fd64028f55bcf44bd203611669119941b634e94644f364f3dfaf2d553548492f59595d01da61e9e946c1eda5670768187463fce29765f87ac3f77fc9215