Analysis
max time kernel: 68s
max time network: 89s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 19:10
Static task: static1
Behavioral task: behavioral1
Sample: b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Resource: win10v2004-20230220-en
General
Target: b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Size: 695KB
MD5: c95d4d970cda70c280f37991dff60df3
SHA1: aabf35d37e133fe7e72929020d4855c983808230
SHA256: b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4
SHA512: b98cc261874aa981e3537d3b9cbe7dadc979690b72ed4641acfcd738c16b84288af6b58b0f5de4ccf6d309a5aed50bd770b31d9ecf132dc53017b858dfba0448
SSDEEP: 12288:yMrKy90qlGLsMZrPJh8yRBwNb6poB3FQMylueujsAvPSezhLJJhKtNAc1SHj3tf/:IyhT8F2yY33FQMylueXAyqhFWtNAcQD1
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8301.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
Executes dropped EXE 4 IoCs
pid | Process
2704 | un850948.exe
4020 | pro8301.exe
2564 | qu2659.exe
3888 | si900092.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8301.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un850948.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un850948.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4020 | pro8301.exe
4020 | pro8301.exe
2564 | qu2659.exe
2564 | qu2659.exe
3888 | si900092.exe
3888 | si900092.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4020 | pro8301.exe
Token: SeDebugPrivilege | 2564 | qu2659.exe
Token: SeDebugPrivilege | 3888 | si900092.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2132 wrote to memory of 2704 | 2132 | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe | 84
PID 2132 wrote to memory of 2704 | 2132 | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe | 84
PID 2132 wrote to memory of 2704 | 2132 | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe | 84
PID 2704 wrote to memory of 4020 | 2704 | un850948.exe | 85
PID 2704 wrote to memory of 4020 | 2704 | un850948.exe | 85
PID 2704 wrote to memory of 4020 | 2704 | un850948.exe | 85
PID 2704 wrote to memory of 2564 | 2704 | un850948.exe | 86
PID 2704 wrote to memory of 2564 | 2704 | un850948.exe | 86
PID 2704 wrote to memory of 2564 | 2704 | un850948.exe | 86
PID 2132 wrote to memory of 3888 | 2132 | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe | 88
PID 2132 wrote to memory of 3888 | 2132 | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe | 88
PID 2132 wrote to memory of 3888 | 2132 | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe | 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe (PID 2132)
   command line: "C:\Users\Admin\AppData\Local\Temp\b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un850948.exe (PID 2704)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un850948.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8301.exe (PID 4020)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8301.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2659.exe (PID 2564)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2659.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900092.exe (PID 3888)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900092.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads