Analysis
- max time kernel: 90s
- max time network: 142s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03/04/2023, 12:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe
- Resource: win10-20230220-en
General
- Target: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe
- Size: 658KB
- MD5: 1e54db1d7053a2b068897bbf82827459
- SHA1: adc578c25607fc6114339e975665ed492781bf52
- SHA256: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300
- SHA512: 4f57b08469aa5fe2b06738ab6acc8f1212833a2a006020aff6724d1eded899f9a7a519e1b4d089b08cf36e586bc1ec396ae22598d81c78425839c3fcc45fe357
- SSDEEP: 12288:MMrIy90qdadslLWpBk/EQ5eg9ohUOF3Bjpc01MRjg92HQKR1R:0yfcdqL4BqEeeJVBLKj62HBjR
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- Family: redline
- Botnet: spora
- C2: 176.113.115.145:4125
- auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro1125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro1125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro1125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro1125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro1125.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource / yara_rule
- behavioral1/memory/2804-179-0x0000000002420000-0x0000000002466000-memory.dmp: family_redline
- behavioral1/memory/2804-180-0x00000000024E0000-0x0000000002524000-memory.dmp: family_redline
- behavioral1/memory/2804-181-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-182-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-184-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-186-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-188-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-190-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-192-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-194-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-196-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-198-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-200-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-203-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-207-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-209-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-211-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-215-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-213-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
- behavioral1/memory/2804-217-0x00000000024E0000-0x000000000251F000-memory.dmp: family_redline
Executes dropped EXE 4 IoCs
pid / Process
- 4032: un807216.exe
- 4292: pro1125.exe
- 2804: qu0817.exe
- 3508: si962374.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro1125.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro1125.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description / ioc / Process
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un807216.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un807216.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / Process
- 4292: pro1125.exe
- 4292: pro1125.exe
- 2804: qu0817.exe
- 2804: qu0817.exe
- 3508: si962374.exe
- 3508: si962374.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / Process
- Token: SeDebugPrivilege, 4292, pro1125.exe
- Token: SeDebugPrivilege, 2804, qu0817.exe
- Token: SeDebugPrivilege, 3508, si962374.exe
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target
- PID 3012 wrote to memory of 4032: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe, target 66
- PID 3012 wrote to memory of 4032: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe, target 66
- PID 3012 wrote to memory of 4032: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe, target 66
- PID 4032 wrote to memory of 4292: un807216.exe, target 67
- PID 4032 wrote to memory of 4292: un807216.exe, target 67
- PID 4032 wrote to memory of 4292: un807216.exe, target 67
- PID 4032 wrote to memory of 2804: un807216.exe, target 68
- PID 4032 wrote to memory of 2804: un807216.exe, target 68
- PID 4032 wrote to memory of 2804: un807216.exe, target 68
- PID 3012 wrote to memory of 3508: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe, target 70
- PID 3012 wrote to memory of 3508: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe, target 70
- PID 3012 wrote to memory of 3508: 0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe, target 70
Processes
- C:\Users\Admin\AppData\Local\Temp\0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe (PID:3012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e7e59d429f9c9a55dccaddc564930438192769cbba970b4b55294826cf76300.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807216.exe (PID:4032)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807216.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1125.exe (PID:4292)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1125.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0817.exe (PID:2804)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0817.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si962374.exe (PID:3508)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si962374.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: bb6d43fa4ebafe62b98ec4dea4ff49d9
  SHA1: d8188e664ac977f59d3ec26589e3cf67b1fab23b
  SHA256: 1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
  SHA512: 679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
- Filesize: 516KB
  MD5: d8b17b46701b181f9aec1253bb0d7d6e
  SHA1: 31cd405872853d6ae1bcd957a56b192ef5d59f45
  SHA256: 2f4e811a93d11991fcba631ba2ead7c5fd325f6458d6d57b1eb0888c0b31cc39
  SHA512: 47bfc11e72c13f9a7552a04295472ea9fc44e721a44d2690d9f5f89a904e9bf1c81b2eaaf98befd5b42f704ea56306f9b1cc3b59043d2d10daa903f63f78f295
- Filesize: 236KB
  MD5: 360274b14ca08421bcdff4a4dfcfaea9
  SHA1: 251cc3b07c45b72b6718a6a1614a415872144324
  SHA256: f59479d162fe11c4a9dbc055da1830a3ee71c971249a8f3fb2fb9d853196db32
  SHA512: 23916bdfd30a41de985dbfa1b6ab9ee0d0cbcea4f7de547e262737417f7d2a547094c1bf3a820bf5975c4cc6912fe81dc85acff824cbaf8841a7655ddbeafbc7
- Filesize: 294KB
  MD5: 9b8d12a94ef8f8e07dcd993c64ecfced
  SHA1: 8dd7b184a1f462c7220121d59153151b28fbdf06
  SHA256: 92f1fbae678339c71382d336cff593b6ab90e0066327e80e11a1405b5cde97e7
  SHA512: 54cb389fa83c07495be26f6b1c58e2ab11760e455f112067362c1a2a1b3cedd45e6922331991d5cc6a75c83778985e7488b409cdc8a0876848f3e13ca608b383