Analysis
max time kernel: 57s
max time network: 59s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 29/03/2023, 00:05
Static task: static1
Behavioral task: behavioral1
Sample: e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe
Resource: win10-20230220-en
General
Target: e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe
Size: 659KB
MD5: 486164cba30558ad4f1cd52e508f807a
SHA1: edeb065b81b6e9ee57b4df4cab6eb31ca382a422
SHA256: e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802
SHA512: 3440db0b6495621398311bab930bffdefcae13783c93f3343bbbdd2447917b1463d183133cbf0c6f83f382b6cccb93001a5f08d07add59e4f79fa9b35b6bd7ee
SSDEEP: 12288:aMrcy90VVzqSVlUy3So1YAKOLKw+GHkTi6youYdp2DEc0RA:6ygLVlUxMbBKa0i6yoADaRA
Malware Config
Extracted: redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
-
Extracted: redline
zaza
176.113.115.145:4125
auth_value: 48bf44c663fe3c1035fb4dd0b91fde5d
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8295.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8295.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8295.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8295.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8295.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/1776-181-0x0000000007080000-0x00000000070C6000-memory.dmp | family_redline
behavioral1/memory/1776-182-0x0000000007100000-0x0000000007144000-memory.dmp | family_redline
behavioral1/memory/1776-183-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-184-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-186-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-188-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-190-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-192-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-194-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-196-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-198-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-200-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-202-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-207-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-210-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-212-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-214-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-216-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-218-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
behavioral1/memory/1776-220-0x0000000007100000-0x000000000713F000-memory.dmp | family_redline
-
Executes dropped EXE 4 IoCs
pid | Process
1116 | un379693.exe
1340 | pro8295.exe
1776 | qu3371.exe
4756 | si757349.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8295.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8295.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un379693.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un379693.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1340 | pro8295.exe
1340 | pro8295.exe
1776 | qu3371.exe
1776 | qu3371.exe
4756 | si757349.exe
4756 | si757349.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1340 | pro8295.exe
Token: SeDebugPrivilege | 1776 | qu3371.exe
Token: SeDebugPrivilege | 4756 | si757349.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4404 wrote to memory of 1116 | 4404 | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe | 66
PID 4404 wrote to memory of 1116 | 4404 | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe | 66
PID 4404 wrote to memory of 1116 | 4404 | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe | 66
PID 1116 wrote to memory of 1340 | 1116 | un379693.exe | 67
PID 1116 wrote to memory of 1340 | 1116 | un379693.exe | 67
PID 1116 wrote to memory of 1340 | 1116 | un379693.exe | 67
PID 1116 wrote to memory of 1776 | 1116 | un379693.exe | 68
PID 1116 wrote to memory of 1776 | 1116 | un379693.exe | 68
PID 1116 wrote to memory of 1776 | 1116 | un379693.exe | 68
PID 4404 wrote to memory of 4756 | 4404 | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe | 70
PID 4404 wrote to memory of 4756 | 4404 | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe | 70
PID 4404 wrote to memory of 4756 | 4404 | e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe | 70
Processes
- C:\Users\Admin\AppData\Local\Temp\e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe (PID 4404)
  command line: "C:\Users\Admin\AppData\Local\Temp\e8280e61cc4a5609efd3d332e4d39dde5c4f65aed4fa21ac67c3d7176b1e5802.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379693.exe (PID 1116)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379693.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8295.exe (PID 1340)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8295.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3371.exe (PID 1776)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3371.exe
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si757349.exe (PID 4756)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si757349.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
-
Downloads
-
Filesize: 175KB
MD5: bd22c4b054d101821699c41241d57724
SHA1: f335a5360c0005fe48e752b3d33faffa5c12f203
SHA256: f2fc55815b11d7bcf111eef35d8c091cf168ec85ff9150578ec83039930734dc
SHA512: 248d59629ff25ab82ff348061172303242238fef7a581f2988f25e4a904cb1d50bbfe54cbdf35ab2706bc60e5c8042f912de3580b934b645d144ce801b3a8f9d
-
Filesize: 516KB
MD5: a527581ef86200422f0ec552eef86499
SHA1: 18e3e49cc43ff9f7783d6bd6e39116dd3d9e0865
SHA256: 65d2508f9c314a5ddd30bd2601f1454184a27a84cbb5446fb6626577bc7cd7fc
SHA512: 1a214f94256af3ffefbd36862df78a941a78078fa1ed8d36d1a84fe2fcaeceb99d88d0791e6ee8261a65bb55b9fc916cccaeecf64bd342f0b15cf1b789610587
-
Filesize: 275KB
MD5: 8786eafcb95e1c12ef47369628ad4564
SHA1: 6a3ff75ff3d110960cedf9121de397b60fcf169a
SHA256: 950b311434aa8de64d3665a60e6adef4954e72aef1ce7ce44945b758d8d2e866
SHA512: 5fdc78aa1fcffd4bb3099895ebfb3e283c05cc5d90aa775c0e3d0a974bfb96d15b23fc52f30aa4a0cb7bc0077e6a26c8587fd8a192758b70d7843c107ffd7906
-
Filesize: 333KB
MD5: ae34c9eec5ccf40efbf1009bdb729cec
SHA1: aeb9e61347df879cd28f0fc0101806cec31750e8
SHA256: d03d46bb1d40b1c0ac9a342dbc536158af1c107220b81bb9647dbaf8b9f20519
SHA512: d15b9b2e2500025ef77432509a2910be4bcb7fdf3712a802da92b07df5b700d5ad6f9be725a16ad0805ca895c6d5bc89b78615b7cb1e6a1d8f0cef8add0542d0