Analysis
- max time kernel: 54s
- max time network: 146s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 27/03/2023, 22:36
Static task: static1
Behavioral task: behavioral1
- Sample: 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe
- Resource: win10-20230220-en
General
- Target: 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe
- Size: 700KB
- MD5: b4e0c34a319e1fabf653c76d31563155
- SHA1: 9819c9959249320ee6c94f97a59ea2eec9edfc70
- SHA256: 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d
- SHA512: fc2b4a9e42cdaba670622bcf7fb635d3be29a41d7d2844c3b3b9d7be671f69778a3fbdb8af61a2f53e17da8ee44407202548b58cac11e71f39615c8260f9c6b5
- SSDEEP: 12288:uMrZy908RhZJZ5nmxBC9DzxcAvp78F5eaXcTBen8JqVlYNthlTcaxY:fyzXrmxOR8zea208aghmX
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- Family: redline
- Botnet: from
- C2: 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro7086.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro7086.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro7086.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro7086.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro7086.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 21 IoCs
- behavioral1/memory/3576-180-0x0000000004C40000-0x0000000004C86000-memory.dmp (family_redline)
- behavioral1/memory/3576-181-0x0000000004CC0000-0x0000000004D04000-memory.dmp (family_redline)
- behavioral1/memory/3576-182-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-183-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-185-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-187-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-189-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-191-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-219-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
- behavioral1/memory/3576-1101-0x0000000004D10000-0x0000000004D20000-memory.dmp (family_redline)
Executes dropped EXE 4 IoCs
- PID 4300: un384037.exe
- PID 4612: pro7086.exe
- PID 3576: qu6359.exe
- PID 4440: si642781.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification 2 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro7086.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro7086.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un384037.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un384037.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 4612: pro7086.exe
- PID 4612: pro7086.exe
- PID 3576: qu6359.exe
- PID 3576: qu6359.exe
- PID 4440: si642781.exe
- PID 4440: si642781.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, PID 4612 (pro7086.exe)
- Token: SeDebugPrivilege, PID 3576 (qu6359.exe)
- Token: SeDebugPrivilege, PID 4440 (si642781.exe)
Suspicious use of WriteProcessMemory 12 IoCs
- PID 3628 wrote to memory of 4300 (pid 3628, 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe, procid_target 66)
- PID 3628 wrote to memory of 4300 (pid 3628, 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe, procid_target 66)
- PID 3628 wrote to memory of 4300 (pid 3628, 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe, procid_target 66)
- PID 4300 wrote to memory of 4612 (pid 4300, un384037.exe, procid_target 67)
- PID 4300 wrote to memory of 4612 (pid 4300, un384037.exe, procid_target 67)
- PID 4300 wrote to memory of 4612 (pid 4300, un384037.exe, procid_target 67)
- PID 4300 wrote to memory of 3576 (pid 4300, un384037.exe, procid_target 68)
- PID 4300 wrote to memory of 3576 (pid 4300, un384037.exe, procid_target 68)
- PID 4300 wrote to memory of 3576 (pid 4300, un384037.exe, procid_target 68)
- PID 3628 wrote to memory of 4440 (pid 3628, 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe, procid_target 70)
- PID 3628 wrote to memory of 4440 (pid 3628, 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe, procid_target 70)
- PID 3628 wrote to memory of 4440 (pid 3628, 12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe, procid_target 70)
Processes
C:\Users\Admin\AppData\Local\Temp\12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12e1eb5f3c7f829cb225d6b2c5aad4b8930bcb10319668135c017f338e8caf8d.exe"
  PID: 3628
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un384037.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un384037.exe
    PID: 4300
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7086.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7086.exe
      PID: 4612
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6359.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6359.exe
      PID: 3576
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si642781.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si642781.exe
    PID: 4440
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: 629206192f00d7eaef07138db484e484
  SHA1: 9aeb5a02478ffc46e0150ca20be5d2a571d7f79a
  SHA256: 5fe85df74736d9d887ad082ec23079675a6d92795e0add3d747ccd1501858723
  SHA512: 0d25750263346cc2b5e98b67b734eaf2b9f176c8d6d1b16262e1d2376d1b4fe24c53aff4d7473bb829567e1b2732940fad26e192334c5ebf89cc5dbaa3985ff0
- Filesize: 558KB
  MD5: 34091171a70cb14d7436ebe106c268de
  SHA1: 788690cbd4f242d6172910f6d6d0f3b26bbaa206
  SHA256: fc8ae3566c54ecbc4d3e3bf2937fe76edf84131ebd5243043b8bbd2a2b3b2557
  SHA512: ee7628aa258b060cad65fa01f46b5b51eb1a5e26f15db035a7fc04b04bd15413ffab5c4e2dba5559023bedd0a9818a46b0e401ae5a454e80903ceeffe77010ad
- Filesize: 307KB
  MD5: 307f6194c99f81b076596768ed18e95d
  SHA1: aec42eba6ff9203deadd74c43bf0380012b33763
  SHA256: ab2e6ae2bbcdf89457fdd3757e89d9c97db12c98c96fa6511fd035073accbcb8
  SHA512: 08fe4ed1ae8e863807138824a29fc20d93123fa6444dfdbefd67fb94ee2bb2411fa66cd8dbb9adbed3d6aa1ac67fede64db745dd7a518bf311227bfc102f62db
- Filesize: 365KB
  MD5: 8a8670e2443f831fc610b840be361044
  SHA1: 1cc8ebbf4fe4f0849aa75685861674ffdab3dae6
  SHA256: fa1774a44be81b0c59ce03aa1dbcbd9114c7ef5c18e572b3362dd91802fabb00
  SHA512: ba9bf9ccb6f7514a98040c27afcb2af167864ba7c36846f2a4a9965369e6bdc6ea15765a0fa726e25ba340a4930439d16147f7a2d870c9bf01d1cc4d0594322e