Analysis
max time kernel: 51s
max time network: 64s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/04/2023, 02:20
Static task: static1
Behavioral task: behavioral1
Sample: 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe
Resource: win10-20230220-en
General
Target: 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe
Size: 534KB
MD5: c0971643c438954b7d61e88c4cd0d604
SHA1: a581e5c45199a37646b1acc90820ee128fbe0232
SHA256: 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22
SHA512: d440f871a16c2a4fe963f8e1be97921473b10ad17e7535eb308f5eb8d19caa25da3ecef9eb4243255ab6b553cc7f0277ed01e8166bffaf603c581020dc920c3b
SSDEEP: 12288:EMr4y90Z7hQ5lStI+nqNb+zSbeWzifg/PIf:MyE7hQEx4b+z6eysf
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr542141.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr542141.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr542141.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr542141.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr542141.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/4888-143-0x0000000002120000-0x0000000002166000-memory.dmp | family_redline
behavioral1/memory/4888-145-0x0000000002470000-0x00000000024B4000-memory.dmp | family_redline
behavioral1/memory/4888-148-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-149-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-151-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-153-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-155-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-157-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-159-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-161-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-163-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-165-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-167-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-169-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-171-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-173-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-175-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-177-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-179-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-181-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-183-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-185-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-187-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-189-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-191-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-193-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-195-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-197-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-199-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-201-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-203-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-205-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-207-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-209-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
behavioral1/memory/4888-211-0x0000000002470000-0x00000000024AF000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
2548 | ziXM0912.exe
2984 | jr542141.exe
4888 | ku724473.exe
3624 | lr115091.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr542141.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziXM0912.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziXM0912.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2984 | jr542141.exe
2984 | jr542141.exe
4888 | ku724473.exe
4888 | ku724473.exe
3624 | lr115091.exe
3624 | lr115091.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2984 | jr542141.exe
Token: SeDebugPrivilege | 4888 | ku724473.exe
Token: SeDebugPrivilege | 3624 | lr115091.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2268 wrote to memory of 2548 | 2268 | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe | 66
PID 2268 wrote to memory of 2548 | 2268 | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe | 66
PID 2268 wrote to memory of 2548 | 2268 | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe | 66
PID 2548 wrote to memory of 2984 | 2548 | ziXM0912.exe | 67
PID 2548 wrote to memory of 2984 | 2548 | ziXM0912.exe | 67
PID 2548 wrote to memory of 4888 | 2548 | ziXM0912.exe | 68
PID 2548 wrote to memory of 4888 | 2548 | ziXM0912.exe | 68
PID 2548 wrote to memory of 4888 | 2548 | ziXM0912.exe | 68
PID 2268 wrote to memory of 3624 | 2268 | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe | 70
PID 2268 wrote to memory of 3624 | 2268 | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe | 70
PID 2268 wrote to memory of 3624 | 2268 | 0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe | 70
Processes

C:\Users\Admin\AppData\Local\Temp\0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe"
  PID: 2268
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXM0912.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXM0912.exe
    PID: 2548
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr542141.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr542141.exe
      PID: 2984
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku724473.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku724473.exe
      PID: 4888
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr115091.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr115091.exe
    PID: 3624
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 176KB
MD5: 4d13ceb3d7542c2d024cba0af6efbb5d
SHA1: ca79e7e4d2680fbee860a27d4ff6a630c08c77f6
SHA256: 3f7bb181b45f9679f99e36e6d1b6bf48e04f9276bdf5d084a6bfa8d1ce98b1b5
SHA512: 63465e3b49799358bf1038a2065b50cd57a1612bca04cf5dfc9e50bfba28d928125fbace4bada8ae180d3959fbc197e5ea9c1cacfafb7a0930b6accde3c16d58

Filesize: 392KB
MD5: 9453f737ccb442c5929aabb045be325f
SHA1: dfe3fe13b65ec2c618ef204fecc4dfc060e177c3
SHA256: a8ec2bbcb9561ad47acb05a650ce78c6257903ce93cd8a7e6cafa0c6d741fb67
SHA512: 92bf2336c80d78d7e6afa0a6611347ba7e4771a4338577284c4471082c125c13624559b471322f7b954bd5c4f2aed342833fb5397b65ad4e17bbcec65ef9c8b9

Filesize: 12KB
MD5: 1ed6d22b694fc9366f873e4d7df7cf2a
SHA1: cf1313030b45b1286d3ef8c8065da3acfc70702d
SHA256: fe0ec79fe583ca372a3dae5cabaa13fc872b55d095822baf6b224c2eba43686d
SHA512: 07906f0e7f53d24c33a2d2dfefa392bedc37541c496191889951372e43fc7243f7585badc435a5d3a8b5eadecd771730bf757ac5f93478580ee6f7369d91131b

Filesize: 319KB
MD5: 5a3916e7685e26b10b049e7f1c4b3523
SHA1: e50a263bdc1ee4317f653e804f191031f08393bb
SHA256: 9aa75a294568f0e0544a178fff874c2655130a63b9650e250f5a961c5f80646b
SHA512: 26f1ba525271caae5bded135468447570f2e4f7fd7fca0365178ec4f98d9d7961c16bdcc78ea2550643283f23438345a6885d7ac5d70fdbcb5ec5f6c8e74a3f0