Analysis
max time kernel: 138s
max time network: 142s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/04/2023, 00:05
Static task: static1
Behavioral task: behavioral1
Sample: 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe
Resource: win10-20230220-en
General
Target: 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe
Size: 537KB
MD5: c5058b34261ec79c0490894de016851a
SHA1: b87af8ab46c7b97eed7ff20a5dd81bd4e0a0783a
SHA256: 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4
SHA512: fbe4c51df9324d0518eccde80c3ae89ba81b3ae09a258b36b0c10935f86bd25af2a53e53ce238b61c0c7999b5916e1f7ba15ab348ad449b1fb4029d7290ad47b
SSDEEP: 12288:zMrKy9032usXT1Wi1vJsqNrU0NH/wNaKZ4AfuvwTY:dy42u0WQ5r9fwNLZ4AfFY
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr456474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr456474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr456474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr456474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr456474.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Executes dropped EXE 4 IoCs
pid | Process
4032 | ziRV0008.exe
4292 | jr456474.exe
2740 | ku088703.exe
1204 | lr416218.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr456474.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziRV0008.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziRV0008.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4292 | jr456474.exe
4292 | jr456474.exe
2740 | ku088703.exe
2740 | ku088703.exe
1204 | lr416218.exe
1204 | lr416218.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4292 | jr456474.exe
Token: SeDebugPrivilege | 2740 | ku088703.exe
Token: SeDebugPrivilege | 1204 | lr416218.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2896 wrote to memory of 4032 | 2896 | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe | 66
PID 2896 wrote to memory of 4032 | 2896 | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe | 66
PID 2896 wrote to memory of 4032 | 2896 | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe | 66
PID 4032 wrote to memory of 4292 | 4032 | ziRV0008.exe | 67
PID 4032 wrote to memory of 4292 | 4032 | ziRV0008.exe | 67
PID 4032 wrote to memory of 2740 | 4032 | ziRV0008.exe | 68
PID 4032 wrote to memory of 2740 | 4032 | ziRV0008.exe | 68
PID 4032 wrote to memory of 2740 | 4032 | ziRV0008.exe | 68
PID 2896 wrote to memory of 1204 | 2896 | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe | 70
PID 2896 wrote to memory of 1204 | 2896 | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe | 70
PID 2896 wrote to memory of 1204 | 2896 | 0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe | 70
Processes

C:\Users\Admin\AppData\Local\Temp\0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d3124791b2171bec82a56162fff847d0bff0f6770c74e53c33a449dde1b94f4.exe"
  PID: 2896
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRV0008.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRV0008.exe
    PID: 4032
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr456474.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr456474.exe
      PID: 4292
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088703.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088703.exe
      PID: 2740
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416218.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416218.exe
    PID: 1204
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 176KB
MD5: 89d59fe34d0d6f341957cef46266813b
SHA1: b6cff913fd7d64089d0220068b1aefbe75d2c4b0
SHA256: 04b4d179eec4e3e7741069d5d5b0f2c4e0ec98ac09e04c6c8c214a8d1d66a0b0
SHA512: 6707ea0ce63cb0e4bfe12b0bd3e2262c4f6d6a3a203c0efa090052a77e91c7d85f2a844ec312d98a72bbb23dd2b4df3f294f8a492ca0fb776b7ea1bdfdf9f246

Filesize: 395KB
MD5: 877206aaec07703445be4af01d1a744b
SHA1: 760d24c5b5367949871c73af1d64771fc4a54fa5
SHA256: cac15b3186fc10284c322a9d338b7995ef59a10d04474bf907e5cd7bedffb409
SHA512: db974984237fb49f353924c4c21f9e01f972e69a49fbd4661909ade2eac22ef4bf2dd52028e379fac3b452a6014b3a339da5b47ee4ec45b5d0c5b7593d4aa225

Filesize: 13KB
MD5: b7abdc2d3baa5f0ceb8324b12e72a939
SHA1: 1e03f64d7aefcac75672f9fa0aa00986df69e274
SHA256: dc7696816904842958075f4326df0923fd046ed48777143ed23239f52ef15062
SHA512: 431b2705aac2bf1fec07e10da6d909d80e5a3f059b02d2ca8cbcf7f6ebd6a03b47870a8348aae0461ec82d36b059b00a48c8852c8dd706c24b3a362a14f37f69

Filesize: 352KB
MD5: bba0d30a9c2bf39cc3b8dc50721132a3
SHA1: 6d24df600b0a852f1851b0e5198abf99e8a969bc
SHA256: 7c1e0e1e266216db0e703693135365bda3953a38ea7d3f2e846e444a5f7f1d37
SHA512: edba267f00d68d8014dc6ea1d115a646e4ca3a7f325fd268b7d572a61781f165f3525167919ce7553a361afe72f8b810a681cfa8955bdcbe90817ded3bd9a25d