Analysis
max time kernel: 138s
max time network: 141s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/04/2023, 13:22
Static task: static1
Behavioral task: behavioral1
Sample: b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe
Resource: win10-20230220-en
General
Target: b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe
Size: 538KB
MD5: e897d6c60d74c348e336bf337e9d48f7
SHA1: 2b55c1e23b16afb7d50baa9f49b3bf9dcf699e23
SHA256: b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94
SHA512: 2fe01439ac971fb9e65427ee3721c92e7ce3e866c39b8cffaca6ceacf0e33dd50a67c51b93553273475367a795692a08efc0d9a321121c5d569bc7ad86b287d7
SSDEEP: 12288:zMrwy90HcWOAcgZBfFBo/QgPMWnuAQbaIBBjpq6iq:jymDOAcENWYKM1Ta6q6
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr535624.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr535624.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr535624.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr535624.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr535624.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Executes dropped EXE 4 IoCs
pid | Process
2112 | zitz1121.exe
5008 | jr535624.exe
3656 | ku931072.exe
5072 | lr596845.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr535624.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zitz1121.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zitz1121.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5008 | jr535624.exe
5008 | jr535624.exe
3656 | ku931072.exe
3656 | ku931072.exe
5072 | lr596845.exe
5072 | lr596845.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5008 | jr535624.exe
Token: SeDebugPrivilege | 3656 | ku931072.exe
Token: SeDebugPrivilege | 5072 | lr596845.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2900 wrote to memory of 2112 | 2900 | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe | 66
PID 2900 wrote to memory of 2112 | 2900 | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe | 66
PID 2900 wrote to memory of 2112 | 2900 | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe | 66
PID 2112 wrote to memory of 5008 | 2112 | zitz1121.exe | 67
PID 2112 wrote to memory of 5008 | 2112 | zitz1121.exe | 67
PID 2112 wrote to memory of 3656 | 2112 | zitz1121.exe | 68
PID 2112 wrote to memory of 3656 | 2112 | zitz1121.exe | 68
PID 2112 wrote to memory of 3656 | 2112 | zitz1121.exe | 68
PID 2900 wrote to memory of 5072 | 2900 | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe | 70
PID 2900 wrote to memory of 5072 | 2900 | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe | 70
PID 2900 wrote to memory of 5072 | 2900 | b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe | 70
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe (PID: 2900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b7b1e5a74ed7024ebd876b849469d2258eacaa3a709e9d930d80a43df6a0ac94.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitz1121.exe (PID: 2112)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitz1121.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr535624.exe (PID: 5008)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr535624.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku931072.exe (PID: 3656)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku931072.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr596845.exe (PID: 5072)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr596845.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: 6994a95f2b4f5a115560bf23a1c477de
SHA1: 2f296e2551c8362aff2b9c2f26b9737b3de37e0e
SHA256: 8cfb35d4cc565d57ba573910a59710058122eab4aa53d02d2b30201963d73975
SHA512: b6572363f322219e46a513337e36085d248ee599165fe383b8bbfd24a7b7e51b9d8dbcec6a1a20de9c903ee5dbe1b1bab5523f264a5f731c4e104e5bf643f3ef
-
Filesize: 395KB
MD5: 60fd19b1639279a95011d8cd3ed7dc95
SHA1: b5d3eb1513d10014f3b4a545ff5987bc4e6d57f8
SHA256: 37c7209ebe86b4a417f7bb289cc9443b7f7fc4fd947db27e40e868d52415df5d
SHA512: 85ff17675901eb1039648c3489ff6b3c687eadd0d9b6a676e5a7e55d540d7e80a93082207bd88151956cf8bb80de718f6bd25b5cf9793d028ebfa03c731f2270
-
Filesize: 13KB
MD5: 80a4fcce84c3982243d83327c03bdce9
SHA1: b86150634eab4ca18516b82b20b9a0e02b915d13
SHA256: 3f38b0942317adc72b337f88d162b485028f620e600e112c0e7bf26933ea65a5
SHA512: 4e2bec4ff30958d3877a86ed7d5b9cc79d803c0cb0964d6f213dce3ac66c26e678bd9d6ba55802f737493a6d9e26276b0a540b1a92a121ad8508983722a9f057
-
Filesize: 353KB
MD5: e597138c49d235094807cff4e238e065
SHA1: 3219d2c5ff386a03aea4b1bef9a3209d2aa92ec5
SHA256: fbd604260ec431cbcafdb7deb63001bc535ea1adc4f047c667262a5a71df89ac
SHA512: 8a1584ffa0fad3def7b013f87095e2e629104241baac9d46c5e5331f85332c3f73687ed3a3a453a99649b9688dfc9c11b7dc279f5053d8a2aa60bff40f387226