Analysis
max time kernel: 150s
max time network: 72s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31/03/2023, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe
Resource: win10-20230220-en
General
Target: e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe
Size: 534KB
MD5: a97c2e22294a3d15c0473567be596cfe
SHA1: 6329501f0e32f9419ef8fd2bc0502ce2be636fbf
SHA256: e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12
SHA512: e9c58aa6ab1276dd1021f388d475bdf6d347dfd353c39410b832f5ce5b7108fb3c0d8fea8d90026150816ab19753008cb605e3cb431ae5d7630560a3c8d7c402
SSDEEP: 12288:9MrQy905UCuWp3N+ysyXRKWTT/O61FY0jCvmSUH1:pyoOWp3r/BH1DCvmSUV
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  jr309558.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  jr309558.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  jr309558.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  jr309558.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  jr309558.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Executes dropped EXE 4 IoCs
pid  Process
4104  ziHT4786.exe
4120  jr309558.exe
4236  ku801077.exe
4364  lr795655.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr309558.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  ziHT4786.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  ziHT4786.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid  Process
4120  jr309558.exe
4120  jr309558.exe
4236  ku801077.exe
4236  ku801077.exe
4364  lr795655.exe
4364  lr795655.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid  Process
Token: SeDebugPrivilege  4120  jr309558.exe
Token: SeDebugPrivilege  4236  ku801077.exe
Token: SeDebugPrivilege  4364  lr795655.exe
Suspicious use of WriteProcessMemory 11 IoCs
description  pid  Process  procid_target
PID 3476 wrote to memory of 4104  3476  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe  66
PID 3476 wrote to memory of 4104  3476  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe  66
PID 3476 wrote to memory of 4104  3476  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe  66
PID 4104 wrote to memory of 4120  4104  ziHT4786.exe  67
PID 4104 wrote to memory of 4120  4104  ziHT4786.exe  67
PID 4104 wrote to memory of 4236  4104  ziHT4786.exe  68
PID 4104 wrote to memory of 4236  4104  ziHT4786.exe  68
PID 4104 wrote to memory of 4236  4104  ziHT4786.exe  68
PID 3476 wrote to memory of 4364  3476  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe  70
PID 3476 wrote to memory of 4364  3476  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe  70
PID 3476 wrote to memory of 4364  3476  e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe  70
Processes
- C:\Users\Admin\AppData\Local\Temp\e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe (PID: 3476)
  command line: "C:\Users\Admin\AppData\Local\Temp\e9513decae92b8dc0d414a2f486d1ca427237b70a4af6a817e1f65dd4b767f12.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHT4786.exe (PID: 4104)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHT4786.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr309558.exe (PID: 4120)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr309558.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801077.exe (PID: 4236)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801077.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr795655.exe (PID: 4364)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr795655.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 3744f630c55fdec7a90b35397597eabb
SHA1: 6edd3b6a0fbade60492aa57d3c624dea6f92465c
SHA256: bdda940775912b85ee2905982a3d2f31ce993542690ddabf9efa72784ce0fd71
SHA512: 37937b01350f8d9e97a80ecb1396f63c54e50385cee41d699c7a75e3103512762e5458007de01b177a2ec062c48530e59c6a226f859d6233186b908c6c71524e
Filesize: 392KB
MD5: 8f53cbb6e5c4bcb61b8572aee47ab431
SHA1: a2158e7c99939ae21a6127467e1484d814b37ca9
SHA256: 1c083bb6e0de60d79e954e4deaa280b4852359e2cd5ca570c029666efa7affb8
SHA512: 1df1fcbe19d9985b9fff20f934ec541afca2f54c51b7ca02a37aa901001de98514346220d6630a6156121a0e0df9ce98d048a43995df5e9b05270e207a900bab
Filesize: 11KB
MD5: b975d3458649d99f72a20025f14c1a0b
SHA1: 8f8f73e48c8551367ea9f963d46c95478ec344fa
SHA256: 405ee0e68d1e7888c944ea842e2b6bfda9a6f1ce20e6936969bdc5c28e152c50
SHA512: 45fa5bc5d9eb93744e47f65cacb93042b16448a56ac5930a1b69bdf05297bc9e2e4c82c172f14a832c3d69e144b9304de05c517d87edcd3555c31a9501ccb7d8
Filesize: 318KB
MD5: d3bb52773905415cdcfea5735a217f71
SHA1: 6ae3fa696b6eac5683c0ba3560b1ebd47114b272
SHA256: cdf6ca0d71a47239062bcdaeb15eb652986930012025167ffe625b9bc6305321
SHA512: ee160bf809adfd077b087356a9ffb7b902dd270d73902f128b1522d8904bc5a7152dd440bb3d2a5f02b915445a2c3d98b47231f67cdc52cc8623299981ca5e28