Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 00:36
Static task: static1
Behavioral task: behavioral1
Sample: 89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe
Resource: win10v2004-20230220-en
General
Target: 89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe
Size: 683KB
MD5: 84f5fb9df449978d540e1bfb39df93ed
SHA1: 3dc0d24b02920bd8ebccaea30d99029a47a50e4f
SHA256: 89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6
SHA512: 163bc41995e60a761d2c2b9149057e6e23d262a5dd6a5f69477a5e84ded7a199aa8e33e831560fa76353a2330a149bc6959d7710abeac938e06442d67a4696ec
SSDEEP: 12288:5Mr5y90AqqAjVN2kYpdeudvQNr+vCb1YIpB1+qbwiS0n2UqEWntm6x:QybqquN2kYacvQt+v6b1BbM0n2UqEWnX
Malware Config

Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted
Family: redline
Botnet: dent
C2: 193.233.20.33:4125
auth_value: e795368557f02e28e8aef6bcb279a3b0
Signatures

Modifies Windows Defender Real-time Protection settings (signature name as listed for pro5125.exe in the process tree)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro5125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro5125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro5125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro5125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro5125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro5125.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (18 IoCs)
resource / yara_rule:
- behavioral1/memory/2772-194-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-195-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-197-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-199-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-201-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-203-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-205-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-207-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-209-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-211-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-215-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-217-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-213-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-219-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-221-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-223-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-225-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
- behavioral1/memory/2772-227-0x0000000004BD0000-0x0000000004C0E000-memory.dmp  family_redline
Executes dropped EXE (4 IoCs)
pid / Process:
- 3144  un351668.exe
- 2528  pro5125.exe
- 2772  qu8768.exe
- 2552  si342873.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (signature name as listed for pro5125.exe in the process tree)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro5125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro5125.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un351668.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un351668.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid / Process:
- 2528  pro5125.exe
- 2528  pro5125.exe
- 2772  qu8768.exe
- 2772  qu8768.exe
- 2552  si342873.exe
- 2552  si342873.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege  2528  pro5125.exe
- Token: SeDebugPrivilege  2772  qu8768.exe
- Token: SeDebugPrivilege  2552  si342873.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 4348 wrote to memory of 3144  4348  89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe  84
- PID 4348 wrote to memory of 3144  4348  89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe  84
- PID 4348 wrote to memory of 3144  4348  89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe  84
- PID 3144 wrote to memory of 2528  3144  un351668.exe  85
- PID 3144 wrote to memory of 2528  3144  un351668.exe  85
- PID 3144 wrote to memory of 2528  3144  un351668.exe  85
- PID 3144 wrote to memory of 2772  3144  un351668.exe  90
- PID 3144 wrote to memory of 2772  3144  un351668.exe  90
- PID 3144 wrote to memory of 2772  3144  un351668.exe  90
- PID 4348 wrote to memory of 2552  4348  89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe  93
- PID 4348 wrote to memory of 2552  4348  89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe  93
- PID 4348 wrote to memory of 2552  4348  89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe  93
Processes

1. C:\Users\Admin\AppData\Local\Temp\89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe (PID 4348)
   command line: "C:\Users\Admin\AppData\Local\Temp\89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un351668.exe (PID 3144)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un351668.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5125.exe (PID 2528)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5125.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8768.exe (PID 2772)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8768.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si342873.exe (PID 2552)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si342873.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 175KB
  MD5: 6984f95cd1e18c84c1d6dab5d8f522c2
  SHA1: 965a2904ff2b86c8f361fee1a4bcb41b856b1f33
  SHA256: 06f6b9b66d14d494098fb0cddd4ffd4879391a06c93e45e5ab11bf7633467a94
  SHA512: 67994b0e57e051832ed58d489c9e577ddbb619ab627abc20da954d8bc0925302fa0772e6bf75309449c3a9c0518a44739954f32099a6c50d372f9d483d9e9cf4
- Filesize: 541KB
  MD5: 017ea28841f5e2dc166e5bc357f97fdb
  SHA1: 2dc564ebe5753420c2277915201dda518f48f084
  SHA256: 47037c83ca89f4af58af9d2d64071452dd823fa125568261b81f7df562bef356
  SHA512: db0879cf131b0956498afa5ce8266b6154faf16a8824f81fae958ee2f24166cf905a07b98124715215ac7b7ba643c1e8af588495d170ecd14c435359813444e5
- Filesize: 322KB
  MD5: d31137371f6331322a440f5327b409be
  SHA1: 698f31de337f17bc4709c70096fa4b9b95a1901d
  SHA256: f2f09e3fabfbea81ded189d3b739e8847b319db1f4e35e430f50e90bb4cbda50
  SHA512: b1d24892c692b11e41bdc17521fbbdf5da89fcdd24214e4d8a3e446b37df586bc265cd6df8add15cdd851af00d78ab749d06f5178e5d5ae481f59261592c585c
- Filesize: 379KB
  MD5: c43c376df234ad0187218afc03ce7a72
  SHA1: d3d909d5c430dbe305650708ac4cd6e1f150afc8
  SHA256: 73e8f078b74f4b0a00bef4a00b35cda2ca0473789c786c2ccbd63d9f030358c4
  SHA512: ae643e9ff1064b2d47fac78857635aadb923bb4be4dd5211e3745d2d51a9bf9093892a349aea40e4b75f181313215e6d2f8835eba4f665295f61c0cb815648ff