Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11/04/2023, 00:21
Static task
static1
General
Target: 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe
Size: 924KB
MD5: b05d76bd5741761e8f77eb6dea4e30f5
SHA1: 7786e298b16004c1c8d08bab405a64bc88bea0bb
SHA256: 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a
SHA512: 50eb19baad322e7e25167a15417a2ac4d00496c70f13c538cb5ec83fabe39be884391b7add0ef7c7fd82c7cc76e092dbdd0dfdf6d786c2a6a753661b08f479b4
SSDEEP: 24576:5yoHQ854Ms7vD/EzNeSJg9re196/QZ650q8:soHQ8y7DqeSJg9r22t0
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: nahui
C2: 176.113.115.145:4125
auth_value: b9ed10946d21e28d58d0c72c535cde6f
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr239432.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr239432.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr239432.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr239432.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr239432.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/2552-180-0x0000000002140000-0x0000000002186000-memory.dmp | family_redline
behavioral1/memory/2552-181-0x00000000023F0000-0x0000000002434000-memory.dmp | family_redline
behavioral1/memory/2552-182-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-183-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-185-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-187-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-189-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-191-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-193-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-195-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-197-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-199-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-201-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-203-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-207-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-211-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-213-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-215-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-217-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline
behavioral1/memory/2552-219-0x00000000023F0000-0x000000000242F000-memory.dmp | family_redline

Executes dropped EXE 6 IoCs
pid | Process
2324 | un124478.exe
2416 | un707191.exe
2900 | pr239432.exe
2552 | qu160502.exe
3672 | rk081201.exe
1692 | si095037.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr239432.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr239432.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un124478.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un124478.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un707191.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un707191.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 7 IoCs
pid | pid_target | Process | procid_target
1804 | 1692 | WerFault.exe | 72
4724 | 1692 | WerFault.exe | 72
752 | 1692 | WerFault.exe | 72
4856 | 1692 | WerFault.exe | 72
4084 | 1692 | WerFault.exe | 72
3344 | 1692 | WerFault.exe | 72
4352 | 1692 | WerFault.exe | 72

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2900 | pr239432.exe
2900 | pr239432.exe
2552 | qu160502.exe
2552 | qu160502.exe
3672 | rk081201.exe
3672 | rk081201.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2900 | pr239432.exe
Token: SeDebugPrivilege | 2552 | qu160502.exe
Token: SeDebugPrivilege | 3672 | rk081201.exe

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 976 wrote to memory of 2324 | 976 | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe | 66
PID 976 wrote to memory of 2324 | 976 | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe | 66
PID 976 wrote to memory of 2324 | 976 | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe | 66
PID 2324 wrote to memory of 2416 | 2324 | un124478.exe | 67
PID 2324 wrote to memory of 2416 | 2324 | un124478.exe | 67
PID 2324 wrote to memory of 2416 | 2324 | un124478.exe | 67
PID 2416 wrote to memory of 2900 | 2416 | un707191.exe | 68
PID 2416 wrote to memory of 2900 | 2416 | un707191.exe | 68
PID 2416 wrote to memory of 2900 | 2416 | un707191.exe | 68
PID 2416 wrote to memory of 2552 | 2416 | un707191.exe | 69
PID 2416 wrote to memory of 2552 | 2416 | un707191.exe | 69
PID 2416 wrote to memory of 2552 | 2416 | un707191.exe | 69
PID 2324 wrote to memory of 3672 | 2324 | un124478.exe | 71
PID 2324 wrote to memory of 3672 | 2324 | un124478.exe | 71
PID 2324 wrote to memory of 3672 | 2324 | un124478.exe | 71
PID 976 wrote to memory of 1692 | 976 | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe | 72
PID 976 wrote to memory of 1692 | 976 | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe | 72
PID 976 wrote to memory of 1692 | 976 | 1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe | 72
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe"
    PID: 976
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124478.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124478.exe
        PID: 2324
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un707191.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un707191.exe
            PID: 2416
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr239432.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr239432.exe
                PID: 2900
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160502.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160502.exe
                PID: 2552
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk081201.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk081201.exe
            PID: 3672
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si095037.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si095037.exe
        PID: 1692
        - Executes dropped EXE
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 624
            PID: 1804
            - Program crash
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 708
            PID: 4724
            - Program crash
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 776
            PID: 752
            - Program crash
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 844
            PID: 4856
            - Program crash
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 876
            PID: 4084
            - Program crash
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 852
            PID: 3344
            - Program crash
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1080
            PID: 4352
            - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 230KB
MD5: 4be9d89cb3308ce100c56b5bdbccafac
SHA1: 274f57114096a555ece5bcd983fd670f4f971ece
SHA256: 9f5400b19dabef76d3c52058cb5709d323dfd42387cc2202cde0e92016e3bdc9
SHA512: 1095ae9191de62663ce440bc9adfab1ea609c1458d547e43ec309561fde518f45f0820bb699f0c9a771cc9c3a2703b86086a3767c5e2d10bf829f2a668f8175f

Filesize: 660KB
MD5: e4e6d3640e0f4a3bb0dba13e2a6e50b1
SHA1: 4f3f83398b34084cb327d3685681f21252346e49
SHA256: 2b007d4cc02396a720a93b9c7cebe7de37c6fe3317251e41a3258d3b1ea3f5d6
SHA512: 26b4948580639e92c6733a5a79e15a45e3a2512e065654f57642240ab7b982192177a563dd84ef3b0a89168ebff9760ced24b847562d0194ad7bc43cac12a51c

Filesize: 175KB
MD5: b2e599dec0856d70ebb2ab2327ae6442
SHA1: 300323436b47ddafa78cb7e835deb1ab09f13698
SHA256: b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512: c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065

Filesize: 518KB
MD5: 97d529a903c811fd5142c1436958e4bc
SHA1: 4a77c88eb83f8b0cd132f9d4dbe8ed554c6c7d0d
SHA256: 71fd6226001c707287ad6d7aae7d1174ad6aa21352c2ccbeff8c4402b2601bfa
SHA512: 2ab8fb7b3198e64fcfb8215a7dc64b79e26f7b1dd4c1b2b0f0a965204cff37217e65cc5cf655d8c0c8bbd5d07ebcbdd6ac1ec456dc6269937ba76564512b2f0e

Filesize: 238KB
MD5: d265c39e6a330a862d7471deb8b1d862
SHA1: ae4029f1b8db6b055b4239e86e8e96b456917fbb
SHA256: 4ec2fb806808d376d72f83d0c9a4ba35afaa58ef9f066b8d21b70d24dae8516e
SHA512: 5689d72e9def89f1746b44668b5ccedbe7366fdc5d1fe7b05b128ff71327fd76f56c6a5430ab0c2262ab1dc869d3ffe22ad808cb771505e9c32b81cbff26599c

Filesize: 297KB
MD5: 719ab766f5df705c5acad58ec3844c1b
SHA1: d845969ba7885e5f9a484d1cb36cdfba5fc2d885
SHA256: 0ee5a7e86c29e6dd99bd5f4485dcb53ad6788663901901071d612ac8ed4fbc0c
SHA512: fd1d5ac9220df4419505528e37d65bf7a709ca6b9b1547f8520bd59e3975ab2aaead6c9c42a12a71b431308bf4e16d61561ea849019fb5044242f1d5bee50366