Analysis
max time kernel: 50s
max time network: 59s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27/03/2023, 13:19
Static task: static1
Behavioral task: behavioral1
Sample: c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe
Resource: win10-20230220-en
General
Target: c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe
Size: 685KB
MD5: ae7bdd17d4b6c0e0ebe954d915c43319
SHA1: 61799aff793b9a5f426f6569683dab378f5767e4
SHA256: c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491
SHA512: 368f8fd260c34cebe947cd27dcb45eed54334cf4b29de1f798e968edb4e90d0a02e887cd81cac128e92c6b0be137808d5e212f1b7877b9f9d541326059944f15
SSDEEP: 12288:fMrIy90l6Y4XJzkuvspWeV5Jhz7+yHVI2s6YsdbQrlpCb87BdesEFxL8/ktDJ:jy2v4JLvspxLJ71CsbQrLQcTesEvLHt9
Malware Config
Extracted
redline
sony
193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted
redline
nice
193.233.20.33:4125
auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5374.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5374.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5374.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5374.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5374.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/1356-177-0x0000000002510000-0x0000000002556000-memory.dmp | family_redline
behavioral1/memory/1356-178-0x00000000051B0000-0x00000000051F4000-memory.dmp | family_redline
behavioral1/memory/1356-181-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-183-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-188-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-190-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-186-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-192-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-194-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-196-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-198-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-200-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-202-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-204-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-206-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-208-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-210-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-212-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-214-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
behavioral1/memory/1356-216-0x00000000051B0000-0x00000000051EE000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
3316 | un266966.exe
2772 | pro5374.exe
1356 | qu8944.exe
3732 | si996440.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5374.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5374.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un266966.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un266966.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2772 | pro5374.exe
2772 | pro5374.exe
1356 | qu8944.exe
1356 | qu8944.exe
3732 | si996440.exe
3732 | si996440.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2772 | pro5374.exe
Token: SeDebugPrivilege | 1356 | qu8944.exe
Token: SeDebugPrivilege | 3732 | si996440.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3228 wrote to memory of 3316 | 3228 | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe | 66
PID 3228 wrote to memory of 3316 | 3228 | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe | 66
PID 3228 wrote to memory of 3316 | 3228 | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe | 66
PID 3316 wrote to memory of 2772 | 3316 | un266966.exe | 67
PID 3316 wrote to memory of 2772 | 3316 | un266966.exe | 67
PID 3316 wrote to memory of 2772 | 3316 | un266966.exe | 67
PID 3316 wrote to memory of 1356 | 3316 | un266966.exe | 68
PID 3316 wrote to memory of 1356 | 3316 | un266966.exe | 68
PID 3316 wrote to memory of 1356 | 3316 | un266966.exe | 68
PID 3228 wrote to memory of 3732 | 3228 | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe | 70
PID 3228 wrote to memory of 3732 | 3228 | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe | 70
PID 3228 wrote to memory of 3732 | 3228 | c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe | 70
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe  "C:\Users\Admin\AppData\Local\Temp\c25eb70130443c9e6fbf331cff5924ffc6035ff7cacfcf8daf4e4c19e5f45491.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3228
  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266966.exe  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266966.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3316
    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5374.exe  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5374.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2772
    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8944.exe  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8944.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1356
  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si996440.exe  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si996440.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3732
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 6d305a7fdd16f9f3e85df92ba3b73ac2
SHA1: 51dc1f03a9896ffdf894ba142f884c9eabefcb94
SHA256: dc8cc04c51416cd5d365288dfac22bf18d3ac043f31d0a75c5b10e21d0610f7c
SHA512: c58a63ecba6d185a3eb5cc4143bf7b27163c392998f647c378229bc7c3ac8848ee2f3ae8dab5900ca0df722981515a5dc3b50a4e45649f5444449249b9fe438b

Filesize: 543KB
MD5: b7f008b9a0f62d745f8593f418f4e891
SHA1: fcda02815cd343b46c493e3b2645b0d59cf79745
SHA256: d172b05f8c2c8df1742318009928402f7278ca0476de8fc7f8a5c243a70f3ace
SHA512: 19e73d3e47e835cce31289e3e5be0e3d2f5357bad0d36e0a3b949b2545d27099f3b4611658983f4607480a0b1aec75ea28922c7d99ed15f6985abb16562076dd

Filesize: 292KB
MD5: 19a1982454387cfb02c0c89e1d80f9fe
SHA1: 8a67e3aed0a1756e656465c2dc94e91089cb01ac
SHA256: 3013e9266d5d26cc835a6612cd91e52769fc7020548431ab9d8e92e2fcfbf434
SHA512: bf394e14415f2992b12ba0d39045aad37035aced16b045a6490204a28da9cecb4a24481847cad8587c40a9d08562ccde95a53dc5540a1a0255c11edc209e07b1

Filesize: 350KB
MD5: 7fa0fa4683fcf4826897f24fab79ef90
SHA1: 313e8792c9b980da1a4e0153ea62c7c50b7eb16e
SHA256: 08d633d9021e1f8d39a9095f15df65693c98fa6c3e1f239a48ae46ea2a24456a
SHA512: e9ebc5e116098d94879770bcb3fd767a57cf72a6e3e7428930e0787701ec81761f7985192c416ba7ed22c144bfe9d5a5e590caa28a61a0874fb2351e83a21fda