Analysis
- Max time kernel: 55s
- Max time network: 65s
- Platform: windows10-1703_x64
- Resource: win10-20230220-en
- Resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- Submitted: 01/04/2023, 23:00
Static task: static1
Behavioral task: behavioral1
- Sample: 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe
- Resource: win10-20230220-en
General
- Target: 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe
- Size: 530KB
- MD5: 526bd70f0dc169ad212ec2af3834422d
- SHA1: 6aca1ab6ac74a1eb12b54befdbb097faecf7faca
- SHA256: 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a
- SHA512: 38267139e950c3c2c74b2c6125ac699567cfeaba6510ae3b0e01b09aee795de9f07c02f0ef638782ca003cc48ea6e25e765f21af042cfb9fb42e583200b29e32
- SSDEEP: 12288:LMr2y905kn9qiQO2jV4bmFf5KXa/4mMMYJ1FC0D9os:1ymk9xD4AfmVY7FC0Jos
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- Family: redline
- Botnet: spora
- C2: 176.113.115.145:4125
- auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr350483.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr350483.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr350483.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr350483.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr350483.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource | yara_rule
- behavioral1/memory/3892-140-0x00000000023E0000-0x0000000002426000-memory.dmp | family_redline
- behavioral1/memory/3892-142-0x0000000002630000-0x0000000002674000-memory.dmp | family_redline
- behavioral1/memory/3892-147-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-148-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-150-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-152-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-154-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-156-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-158-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-160-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-162-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-164-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-166-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-168-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-170-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-172-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-174-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-176-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-178-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-180-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-184-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-182-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-186-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-188-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-190-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-192-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-194-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-196-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-198-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-200-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-202-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-204-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-206-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-208-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline
- behavioral1/memory/3892-210-0x0000000002630000-0x000000000266F000-memory.dmp | family_redline

Executes dropped EXE 4 IoCs
pid | Process
- 4044 | ziGu9219.exe
- 1720 | jr350483.exe
- 3892 | ku895889.exe
- 4728 | lr948369.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr350483.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziGu9219.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziGu9219.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
- 1720 | jr350483.exe
- 1720 | jr350483.exe
- 3892 | ku895889.exe
- 3892 | ku895889.exe
- 4728 | lr948369.exe
- 4728 | lr948369.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 1720 | jr350483.exe
- Token: SeDebugPrivilege | 3892 | ku895889.exe
- Token: SeDebugPrivilege | 4728 | lr948369.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
- PID 4300 wrote to memory of 4044 | 4300 | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | 66
- PID 4300 wrote to memory of 4044 | 4300 | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | 66
- PID 4300 wrote to memory of 4044 | 4300 | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | 66
- PID 4044 wrote to memory of 1720 | 4044 | ziGu9219.exe | 67
- PID 4044 wrote to memory of 1720 | 4044 | ziGu9219.exe | 67
- PID 4044 wrote to memory of 3892 | 4044 | ziGu9219.exe | 68
- PID 4044 wrote to memory of 3892 | 4044 | ziGu9219.exe | 68
- PID 4044 wrote to memory of 3892 | 4044 | ziGu9219.exe | 68
- PID 4300 wrote to memory of 4728 | 4300 | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | 70
- PID 4300 wrote to memory of 4728 | 4300 | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | 70
- PID 4300 wrote to memory of 4728 | 4300 | 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | 70
Processes
- C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe (PID 4300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe (PID 4044)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe (PID 1720)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe (PID 3892)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr948369.exe (PID 4728)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr948369.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 176KB
  MD5: 525ae3187dd01aad55954e30c22f1a63
  SHA1: e84d665f57bb7bee917308676f7aa0d72583bb05
  SHA256: 57ff5d0cc8d8d4c53048ab0ecf39013a59fb6a1294685d58e842039d24c60380
  SHA512: f75c3b02a6bf4f75d7e686fac43cfcd2cb0f458313819106124cff62f4c83cb51c65fc5dc0919014456812b22ec5402ac1dbcfd6636cd3ea864296059e7df4d8
- Filesize: 388KB
  MD5: 3e91b0adc4ce2421d09efd4231a2b9e1
  SHA1: 45688cee5dd411d460670ca1a1d5e68c8702b634
  SHA256: 54d4789f22d957f4583cf3c1c6f333827268a90873f9ff51ab1f046521871d93
  SHA512: e2972d7ba7967e2ca8dee3e2a265fc36376674e0e80ec3b21efc2c038b3ade1e84b8d08ae27d6e3cb1eb8a25cb20848c4f1a6e70ad214a62b62b372b1d1e3a58
- Filesize: 11KB
  MD5: 78c3c8212cb8c23b1adfa1c970a5ea61
  SHA1: 70cb7000ca8a18ed2da17a59ead6f905fc13eaee
  SHA256: 04cdace3f1f541f266f553f581943d847b765821a933c7695a6830ea3ae37a48
  SHA512: 87474d9f045b6c32e2555c95d45f6c8628ce953fc9fc8c4dfbe538b8b48d12164bc5cea0d8df6eaa32b2e52a356c13f712b7ea7eaeb385a077ea7536f8b58e9a
- Filesize: 434KB
  MD5: 99fe8a12de549bc4afa5ddfe635fae38
  SHA1: 6f339d74d8913b23384b9236463b8978f4af1bb6
  SHA256: 5f627e3af21dcadff429f64fb608429c0564935d2ae2360b9c1b56bdfcb0c8bd
  SHA512: af4f9d865fb67aef5506d3ded3018dfa3f844a6ec3db7d5c3353c782cba09511521a4c247512420234ec1ba7eb5acf542360d44841d8edbbb648b278d98d2226