Analysis
- max time kernel: 146s
- max time network: 104s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 13/04/2023, 13:38
Static task
static1
General
- Target: 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe
- Size: 940KB
- MD5: 1a2c90ff28af428fca34e56320fbec88
- SHA1: 517bf2995c3c048fef2d91f248f3549238793a6d
- SHA256: 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a
- SHA512: 7eb6a4f21a1d98c7e9347d709f67d8503f42a0d914fa603488e2fe351f5fa822573ecf350c6e931740de4cf29d2cdcc2524581d4bddb185bce42b85d91708a1c
- SSDEEP: 24576:vylRe0mMydLygKTnBtANtJnYTmJsb08Cktv6:6reL3s0NsyybX
Malware Config
Extracted
- family: redline
- botnet: lada
- C2: 185.161.248.90:4125
- auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
- family: redline
- botnet: diro
- C2: 185.161.248.90:4125
- auth_value: ae95bda0dd2e95169886a3a68138568b
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it193709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it193709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it193709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it193709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it193709.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (7 IoCs)
pid | Process
2884 | ziGE7611.exe
5096 | zijZ5452.exe
4548 | it193709.exe
4152 | jr926066.exe
312 | 1.exe
1864 | kp643776.exe
2228 | lr173538.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it193709.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziGE7611.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziGE7611.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zijZ5452.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zijZ5452.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (9 IoCs)
pid | pid_target | Process | procid_target
3376 | 2228 | WerFault.exe | 73
4708 | 2228 | WerFault.exe | 73
4548 | 2228 | WerFault.exe | 73
3944 | 2228 | WerFault.exe | 73
3748 | 2228 | WerFault.exe | 73
3724 | 2228 | WerFault.exe | 73
1292 | 2228 | WerFault.exe | 73
3524 | 2228 | WerFault.exe | 73
2924 | 2228 | WerFault.exe | 73

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4548 | it193709.exe
4548 | it193709.exe
312 | 1.exe
312 | 1.exe
1864 | kp643776.exe
1864 | kp643776.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4548 | it193709.exe
Token: SeDebugPrivilege | 4152 | jr926066.exe
Token: SeDebugPrivilege | 312 | 1.exe
Token: SeDebugPrivilege | 1864 | kp643776.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 2544 wrote to memory of 2884 | 2544 | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe | 66
PID 2544 wrote to memory of 2884 | 2544 | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe | 66
PID 2544 wrote to memory of 2884 | 2544 | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe | 66
PID 2884 wrote to memory of 5096 | 2884 | ziGE7611.exe | 67
PID 2884 wrote to memory of 5096 | 2884 | ziGE7611.exe | 67
PID 2884 wrote to memory of 5096 | 2884 | ziGE7611.exe | 67
PID 5096 wrote to memory of 4548 | 5096 | zijZ5452.exe | 68
PID 5096 wrote to memory of 4548 | 5096 | zijZ5452.exe | 68
PID 5096 wrote to memory of 4152 | 5096 | zijZ5452.exe | 69
PID 5096 wrote to memory of 4152 | 5096 | zijZ5452.exe | 69
PID 5096 wrote to memory of 4152 | 5096 | zijZ5452.exe | 69
PID 4152 wrote to memory of 312 | 4152 | jr926066.exe | 70
PID 4152 wrote to memory of 312 | 4152 | jr926066.exe | 70
PID 4152 wrote to memory of 312 | 4152 | jr926066.exe | 70
PID 2884 wrote to memory of 1864 | 2884 | ziGE7611.exe | 71
PID 2884 wrote to memory of 1864 | 2884 | ziGE7611.exe | 71
PID 2884 wrote to memory of 1864 | 2884 | ziGE7611.exe | 71
PID 2544 wrote to memory of 2228 | 2544 | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe | 73
PID 2544 wrote to memory of 2228 | 2544 | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe | 73
PID 2544 wrote to memory of 2228 | 2544 | 86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe | 73
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\86e04407dd16424ca4092a92bedaa961ce1cf89e05f7187794342a62bc28120a.exe"
  PID: 2544
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGE7611.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGE7611.exe
    PID: 2884
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zijZ5452.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zijZ5452.exe
      PID: 5096
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it193709.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it193709.exe
        PID: 4548
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr926066.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr926066.exe
        PID: 4152
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Temp\1.exe
          command line: "C:\Windows\Temp\1.exe"
          PID: 312
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp643776.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp643776.exe
      PID: 1864
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr173538.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr173538.exe
    PID: 2228
    - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 616
      PID: 3376
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 708
      PID: 4708
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 836
      PID: 4548
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 640
      PID: 3944
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 872
      PID: 3748
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 832
      PID: 3724
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1116
      PID: 1292
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1148
      PID: 3524
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1144
      PID: 2924
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 253KB
  MD5: ccf548678a6b0c7fa4eb57c8c8d68d8a
  SHA1: cee33b5a6f8d99181c7f763472e2518f690015d2
  SHA256: 56c2b6454635520e95bf5040b0bb9cfe1f6c2fb9503bd12790aacfe1250ec8fc
  SHA512: 99fe9d93284a80ea536a2456c843a165ee03123d914a9f68e066de1bb432dedb2a48f258286b27c5621e36684b10b6630b3498e110844ca238bcaf260878317b

- Filesize: 668KB
  MD5: 9fa92165b27cc29c8c5a83ba0849e391
  SHA1: eec5d303045d7f78788ba41ea78d3c07416f1d12
  SHA256: 93d038329083f08cf6cdf314e35b4c2bf417e16cf0fb5fd97da8ee4b9c8c8674
  SHA512: fc8ce2c43c05006a9f38041fa5dd394ab023b76944a47f929391c54acb550b64f27b98110d45ee69ae2bd8e058d5633f64d08543be693555eec6dddce4f29d2f

- Filesize: 168KB
  MD5: 41457be49d07712ed2a33bf002fb07bf
  SHA1: 55c9d2a031c26864b82ad3693eca165f33d75ba6
  SHA256: b56d9563eabaf1619471b1fc7af683a29225acfcd766005e4d7bbc433f7d980a
  SHA512: 2645f6607feb6de93ffe052ae2ad0df3077d73517f748d0b23a91d5a2423520df0d3c8cf42fe63aa5836a73489d73dd2e0c083ebd305cdbdf54b20c942beecf6

- Filesize: 514KB
  MD5: fefb8eea8fcc318412bd2b352c628ab2
  SHA1: 13e42886b247971fa8c905de21073beea96cb16e
  SHA256: 6f7fa3ef58d18a4f590653a7881262d27b4f1740c89383370afedbdb18e12eb9
  SHA512: 5f9b24ee53b997406b936e4696b40dbd9fbb7d09fe400572bed4315b1c0d43bcb5d9ec297c9354f80facc554671c20b4496a82cc5fdc61f812bb2f1767856ff6

- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

- Filesize: 445KB
  MD5: c1fdb8ffc5a520015259bcc8d882b0ba
  SHA1: 3b51ea868e204ba0da769c5d68d9bcc7b0006f11
  SHA256: f218c3c3eb1e01f61820801b605df21d1368cc23a9d2f211161ec9d02d8da562
  SHA512: 8886ffc8ae8f0136253a746957f5998c14dbeaa5911e7f61b8a41680497cd16dcbffae9735cf57b83bb962104a0194e6ed877ccab40ea48e3251a2e201d1f1dc

- Filesize: 168KB
  MD5: 03728fed675bcde5256342183b1d6f27
  SHA1: d13eace7d3d92f93756504b274777cc269b222a2
  SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
  SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1