Analysis
- max time kernel: 53s
- max time network: 57s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 27/03/2023, 21:56
Static task: static1
Behavioral task: behavioral1
- Sample: a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe
- Resource: win10-20230220-en
General
- Target: a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe
- Size: 700KB
- MD5: 146262f23a06557ae09f1dca37613818
- SHA1: e1e6163829a2cb18088663b9a3fe02a0572c6426
- SHA256: a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674
- SHA512: 6fa7832d98b16e76908a6d9e67f3b3f98268150391edbea3e1087ee0f538486197ba27c25dcc6abad4f9b84e44f1794893a59086bda0f0eaa04233b8b507bb27
- SSDEEP: 12288:sMrly90wBiOJtu3h+e6imVJPKh9DMCcAD9u8F3xp2EPWUBg6quj4XV13FVTRBauM:ZytBiOJa+QmDPQD9u8VHNDgnuj4XVB2B
Malware Config
Extracted
- redline
- rosn
- 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- redline
- from
- 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0210.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/3620-181-0x0000000002490000-0x00000000024D6000-memory.dmp | family_redline
behavioral1/memory/3620-182-0x0000000002890000-0x00000000028D4000-memory.dmp | family_redline
behavioral1/memory/3620-183-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-184-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-186-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-188-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-190-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-192-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-194-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-196-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-198-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-200-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-202-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-204-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-206-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-208-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-210-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-212-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-214-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
behavioral1/memory/3620-216-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
3364 | un197226.exe
4236 | pro0210.exe
3620 | qu9696.exe
2076 | si857493.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0210.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un197226.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un197226.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4236 | pro0210.exe
4236 | pro0210.exe
3620 | qu9696.exe
3620 | qu9696.exe
2076 | si857493.exe
2076 | si857493.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4236 | pro0210.exe
Token: SeDebugPrivilege | 3620 | qu9696.exe
Token: SeDebugPrivilege | 2076 | si857493.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4044 wrote to memory of 3364 | 4044 | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe | 66
PID 4044 wrote to memory of 3364 | 4044 | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe | 66
PID 4044 wrote to memory of 3364 | 4044 | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe | 66
PID 3364 wrote to memory of 4236 | 3364 | un197226.exe | 67
PID 3364 wrote to memory of 4236 | 3364 | un197226.exe | 67
PID 3364 wrote to memory of 4236 | 3364 | un197226.exe | 67
PID 3364 wrote to memory of 3620 | 3364 | un197226.exe | 68
PID 3364 wrote to memory of 3620 | 3364 | un197226.exe | 68
PID 3364 wrote to memory of 3620 | 3364 | un197226.exe | 68
PID 4044 wrote to memory of 2076 | 4044 | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe | 70
PID 4044 wrote to memory of 2076 | 4044 | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe | 70
PID 4044 wrote to memory of 2076 | 4044 | a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe | 70
Processes
- C:\Users\Admin\AppData\Local\Temp\a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe (PID: 4044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a872764a700579ffa144a57d135e39bc393e640a78dcc3f9b9d0f1abfcf42674.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un197226.exe (PID: 3364)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un197226.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0210.exe (PID: 4236)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0210.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9696.exe (PID: 3620)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9696.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si857493.exe (PID: 2076)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si857493.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: 25c36cb8426ab590c762a26ba0f89937
  SHA1: d02a81a7fbd8212b99dfe0f53e1276d226a7d689
  SHA256: 11cfcbddae18b087d2cf8d5b8b87868bca19faabb6631f1a1db1d6b9b3ea003f
  SHA512: 8da8cc6abd485359c91eba81131335ae9be06abe6f0827ef0b8059805744d37d772fcd369cc399b9322ff852939f103f5ee55dcf032f818573f856fbfcc390c4
- Filesize: 558KB
  MD5: e8385998fe627870583fec2c517e94cd
  SHA1: 4b718bbc7d881495cc0f2fa0070bd0a1d3d18723
  SHA256: 4a13c9a66f1bd351ede3ab3d3ccf7b5551364c694db552c3464ed9e1568acd68
  SHA512: cae6847424e9d81946a6181f4bc1d23fbb95482ed228eaf1035767c653a4af4fb427575e45dc7c107cd79e60a48ae92b5e3418f8a4221e326660585b3ead155d
- Filesize: 307KB
  MD5: 8779ce2b098ba94fcac91afdd1b9b69c
  SHA1: 045b48ae179a35f2198ad993827ddd2b9bd0634b
  SHA256: 193fca9ed4b573945156ec412e52ca7a1354646ea965b03e8923ae469e0e0e18
  SHA512: d81234e05aec1d448fc4fadfcc8560c2de143c2223b011b4eba1c5484e514a89ece524c4978ecab2c98eb338035e34ba4b390a408fd37e61b986d72f154948fb
- Filesize: 365KB
  MD5: 8250ff2e52d765024745daad3b8c8153
  SHA1: 20b1552ff816e233d2243f8f5acbe110f72b50f4
  SHA256: 1c9c43ed39ec2199acb72508434db3c1a9b9af7b0ff2c9392be5fc4f69720d8a
  SHA512: d8e39359a92905c53dd9fd9643eb9b262f5c16b2b89e27d1b887945fc3da24428d04a5ffdfa6600ec2ad11d7c46b7af036ebea69a93f8c76d7bd89f05b652d9d