Analysis
max time kernel: 53s
max time network: 57s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/03/2023, 09:25
Static task: static1
Behavioral task: behavioral1
Sample: 625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe
Resource: win10-20230220-en
General
Target: 625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe
Size: 685KB
MD5: faf6f762b5a507a1e66167748f848325
SHA1: a008359b00442d6919bf6de015a1e3e3578f89ee
SHA256: 625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68
SHA512: 6bc89f8ae8593ee2a97641d0e1c3553a4c748c221b45a3b56fe2ef135f13c112c471dddf2fbbb96ba98a8aa79f90993dc0d5566810894dc8bcf2c6cb136998e8
SSDEEP: 12288:tMryy90wnKg9ytOsOtUi4d7kbS6FRAImIA5P9fQQU5+2EgsA2g0cy:/y/nIqUi4dVeRCX/BgsAh7y
Malware Config
Extracted (redline)
  rosn
  176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted (redline)
  muse
  176.113.115.145:4125
  auth_value: b91988a63a24940038d9262827a5320c
Signatures

Modifies Windows Defender Real-time Protection settings
pro7641.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
pro7641.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
pro7641.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
pro7641.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
pro7641.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource (yara_rule: family_redline)
behavioral1/memory/2816-181-0x0000000004930000-0x0000000004976000-memory.dmp
behavioral1/memory/2816-182-0x0000000007650000-0x0000000007694000-memory.dmp
behavioral1/memory/2816-185-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-190-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-192-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-187-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-194-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-196-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-198-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-200-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-202-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-204-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-206-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-208-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-210-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-212-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-214-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-216-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-218-0x0000000007650000-0x000000000768F000-memory.dmp
behavioral1/memory/2816-220-0x0000000007650000-0x000000000768F000-memory.dmp

Executes dropped EXE 4 IoCs
pid   Process
3360  un200716.exe
4264  pro7641.exe
2816  qu7232.exe
4196  si005283.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
pro7641.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
pro7641.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
un200716.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
un200716.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
4264  pro7641.exe
4264  pro7641.exe
2816  qu7232.exe
2816  qu7232.exe
4196  si005283.exe
4196  si005283.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  4264  pro7641.exe
Token: SeDebugPrivilege  2816  qu7232.exe
Token: SeDebugPrivilege  4196  si005283.exe

Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                   procid_target
PID 1600 wrote to memory of 3360   1600  625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe  66
PID 1600 wrote to memory of 3360   1600  625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe  66
PID 1600 wrote to memory of 3360   1600  625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe  66
PID 3360 wrote to memory of 4264   3360  un200716.exe                                                              67
PID 3360 wrote to memory of 4264   3360  un200716.exe                                                              67
PID 3360 wrote to memory of 4264   3360  un200716.exe                                                              67
PID 3360 wrote to memory of 2816   3360  un200716.exe                                                              68
PID 3360 wrote to memory of 2816   3360  un200716.exe                                                              68
PID 3360 wrote to memory of 2816   3360  un200716.exe                                                              68
PID 1600 wrote to memory of 4196   1600  625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe  70
PID 1600 wrote to memory of 4196   1600  625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe  70
PID 1600 wrote to memory of 4196   1600  625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe  70
Processes
1. C:\Users\Admin\AppData\Local\Temp\625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\625321c003778d06d430ef612a9190e8ff724f971fd23aa5a6bb86158c46bf68.exe"
   PID: 1600
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un200716.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un200716.exe
      PID: 3360
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7641.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7641.exe
         PID: 4264
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7232.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7232.exe
         PID: 2816
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si005283.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si005283.exe
      PID: 4196
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: d3cce77e640c44a88e617b0a75c82293
SHA1: 42d4af8fd58e0b443ccf7710736b507844e25e5f
SHA256: f15361fed9fa94fc44bc25e723898963d3aaebf95f4928cf2ff31d26d236c7e3
SHA512: cfba9d3342a0395d6f94581373f2dfb346dbc753539093146d462f3c3bb3b2942c8dcd876c507515f633915e9c78b5f0bf58f761d8837919f9b86a7dc5d45ce3
Filesize: 544KB
MD5: f87229d709bf9880404950d3e6b9bd78
SHA1: 7dd18e6f1ec0db55ce17d78a3b292351d8c738a6
SHA256: 9b1581a134b1fc7a2769961f24dd2e48ce6191f2270167c32bc849924e773bb7
SHA512: ede41b7e8ca4a5b96a1f98f555084a617ff72677416cb57c518a23d74b4f043176e83ab4122aac09c396133f49ec921ecc48ff3be1df9afe769738a91c1ddaa6
Filesize: 321KB
MD5: db42fac35898ec52cb05ec2183be0235
SHA1: 942effb5cba8ec8ae197a3195b1cec5492071e3e
SHA256: 902e77f47ff820ee196b573bfae8297639a6683d448594958bb190855c991001
SHA512: b71e68204dfae12ab08789d6709adc0fa304d56781a562b256bfeb78ec41087c7c05d5010fd67e519ae82616ed1072c95bcc8645b63326c0c7536c090d4019f3
Filesize: 380KB
MD5: 7e3046a0a2010feaef36ff57e4b7fedb
SHA1: e9c3b29aa277794c8df2dac40ea614e040001df4
SHA256: d3516ef5548a05dcff8ff7b58367841fc3a84262a63a03015b76379a8b87c49c
SHA512: d7c43072ab234518d9dd8101abbd85698b44d7a47446a2307d81f503828ab33f47472381a5e5ab092776e259db8e94935615d6e343b88267e6db293bb149da33