Analysis
max time kernel: 61s
max time network: 75s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/04/2023, 22:32
Static task: static1
Behavioral task: behavioral1
Sample: 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe
Resource: win10-20230220-en
General
Target: 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe
Size: 659KB
MD5: db407680b28f2e48a9482f75dce213e4
SHA1: a43fc9985cacc74c6bbe7c68ed4edab9549445ab
SHA256: 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364
SHA512: 2ba260989e777abf7dd8ec84de282fdab0130cda9995bc1f29d0d5a81754573ed0eb96f74728e24856c0de88b15781941bbb5cb83352f32a0c74b0a4f85022a1
SSDEEP: 12288:aMrjy90PqRIC3iJobDiuSXfuY4wxE1+of5K/a/4mlrqxMJ3Gp2I:VygO3K2cxE1XArml+wWYI
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0640.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 22 IoCs
resource | yara_rule
behavioral1/memory/1388-180-0x0000000004B00000-0x0000000004B46000-memory.dmp | family_redline
behavioral1/memory/1388-181-0x0000000004B80000-0x0000000004BC4000-memory.dmp | family_redline
behavioral1/memory/1388-182-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-183-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-185-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-187-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-189-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-191-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-193-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-195-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-197-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-199-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-201-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-203-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-205-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-207-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-209-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-211-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-213-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-215-0x0000000004B80000-0x0000000004BBF000-memory.dmp | family_redline
behavioral1/memory/1388-226-0x0000000004C70000-0x0000000004C80000-memory.dmp | family_redline
behavioral1/memory/1388-1101-0x0000000004C70000-0x0000000004C80000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1660 | un454408.exe
2088 | pro0640.exe
1388 | qu3808.exe
2444 | si703897.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0640.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0640.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un454408.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un454408.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2088 | pro0640.exe
2088 | pro0640.exe
1388 | qu3808.exe
1388 | qu3808.exe
2444 | si703897.exe
2444 | si703897.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2088 | pro0640.exe
Token: SeDebugPrivilege | 1388 | qu3808.exe
Token: SeDebugPrivilege | 2444 | si703897.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4116 wrote to memory of 1660 | 4116 | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe | 66
PID 4116 wrote to memory of 1660 | 4116 | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe | 66
PID 4116 wrote to memory of 1660 | 4116 | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe | 66
PID 1660 wrote to memory of 2088 | 1660 | un454408.exe | 67
PID 1660 wrote to memory of 2088 | 1660 | un454408.exe | 67
PID 1660 wrote to memory of 2088 | 1660 | un454408.exe | 67
PID 1660 wrote to memory of 1388 | 1660 | un454408.exe | 68
PID 1660 wrote to memory of 1388 | 1660 | un454408.exe | 68
PID 1660 wrote to memory of 1388 | 1660 | un454408.exe | 68
PID 4116 wrote to memory of 2444 | 4116 | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe | 70
PID 4116 wrote to memory of 2444 | 4116 | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe | 70
PID 4116 wrote to memory of 2444 | 4116 | 226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe | 70
Processes
- C:\Users\Admin\AppData\Local\Temp\226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\226c12a3d8af5ff9357e1681e4332b0cfc9a8362643f7785117b83b867189364.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4116
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un454408.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un454408.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1660
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0640.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0640.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2088
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3808.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3808.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1388
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si703897.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si703897.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2444
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 176KB
  MD5: f8b04c57e3ce5d50910f1e68dbef480f
  SHA1: f2a0c360ea7a8ff2f7412939b1f3ca19fa3fbc95
  SHA256: b1195f131d6c44221fd33b5538afd715b36241d3e20d57d646cc515215d206a2
  SHA512: e42bc2c4bc24237c590cc2ef4cc6612c6fa3634174c3d80ca276732a2c668a8dbdd447710ec95138c9f4bdea0f7a4b13d28810e2b313c4afe2a14b5f771861d9
- Filesize: 518KB
  MD5: 7f562a0ebca3f7d94f27a01c3a4004c1
  SHA1: c73fc1489a9d79946de70410429e15d4b10bd545
  SHA256: 118ea45f8a8d71e88b033a19e23432690848438024017612dfa7f8aca20360d8
  SHA512: 9b5887fec211d1ac2420948c580bb14200c6ca80b177448e5dc2452a3e5f302c0eef301a31d58eac982f04208a587fb7374717d54d66f3f54058a487e6538055
- Filesize: 376KB
  MD5: b0330656100c8f0da4b1bd2177e2405e
  SHA1: e5d67ea12fcfd6ef0832637cec3849cd871d93cb
  SHA256: f8a1c94062407b16debea6e9876ea923ddada90d8f4f0da1f25b09892dc79cf4
  SHA512: a81643c0f72c28cda691a70fd79d9a5393ef5aa85c18884b2823cc1ac98613047eff0a9ab654f2ab6abfd4816d24c0dcae9b00240c82bc4d96bdc7eaa83b00ac
- Filesize: 434KB
  MD5: 9cf554876b73773a8284ab94bf0e8dd8
  SHA1: bc77726824fe7c471d0daa1b8eddb825053c79ae
  SHA256: 5eb3253d832a3d67ce679b8e3eac79b05f05707d97d3734cf5d384cc4cf404bb
  SHA512: 2e8869a947c1d62033e5e98fa63599c12357df8e88ca6f5fdf10e89495ce96135a0310ecdbd5432c0706154df75a6708a3d38f2f43b2fb67774136b4b53aa261