Analysis
- max time kernel: 143s
- max time network: 110s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 14/04/2023, 03:35
Static task
static1
General
- Target: f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe
- Size: 1.2MB
- MD5: da3079cc55822bb7cdbcbc59bc76d638
- SHA1: ab970c59d314c28504bb9da0f60a1f7a505f48ff
- SHA256: f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d
- SHA512: 48023fdaa512f092d9206dae57ce0663a34ed91a784f91ac56da4076442f3845f5604b395160a5c20a05caf82464eced1ffcb7057f80058a1a0573fb3cd06d9f
- SSDEEP: 24576:9ye983CiQ+88RKXN6/DlnOYUfNTsijz99YJrkAEQk:YyYQND6i1TsdJEQ
Malware Config
Extracted
- Family: redline
- Botnet: lada
- C2: 185.161.248.90:4125
- auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
- Family: redline
- Botnet: disa
- C2: 185.161.248.90:4125
- auth_value: 93f8c4ca7000e3381dd4b6b86434de05
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr096485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr096485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr096485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr096485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr096485.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
pid | Process
3320 | un063455.exe
3572 | un923715.exe
304 | pr096485.exe
4752 | qu609140.exe
2844 | 1.exe
3180 | rk768430.exe
4708 | si176184.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr096485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr096485.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un063455.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un063455.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un923715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un923715.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
pid | pid_target | Process | procid_target
4416 | 4708 | WerFault.exe | 73
2680 | 4708 | WerFault.exe | 73
3000 | 4708 | WerFault.exe | 73
4712 | 4708 | WerFault.exe | 73
4056 | 4708 | WerFault.exe | 73
1172 | 4708 | WerFault.exe | 73
4264 | 4708 | WerFault.exe | 73
4144 | 4708 | WerFault.exe | 73
4836 | 4708 | WerFault.exe | 73
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
304 | pr096485.exe
304 | pr096485.exe
2844 | 1.exe
3180 | rk768430.exe
2844 | 1.exe
3180 | rk768430.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 304 | pr096485.exe
Token: SeDebugPrivilege | 4752 | qu609140.exe
Token: SeDebugPrivilege | 2844 | 1.exe
Token: SeDebugPrivilege | 3180 | rk768430.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 4064 wrote to memory of 3320 | 4064 | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe | 66
PID 4064 wrote to memory of 3320 | 4064 | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe | 66
PID 4064 wrote to memory of 3320 | 4064 | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe | 66
PID 3320 wrote to memory of 3572 | 3320 | un063455.exe | 67
PID 3320 wrote to memory of 3572 | 3320 | un063455.exe | 67
PID 3320 wrote to memory of 3572 | 3320 | un063455.exe | 67
PID 3572 wrote to memory of 304 | 3572 | un923715.exe | 68
PID 3572 wrote to memory of 304 | 3572 | un923715.exe | 68
PID 3572 wrote to memory of 304 | 3572 | un923715.exe | 68
PID 3572 wrote to memory of 4752 | 3572 | un923715.exe | 69
PID 3572 wrote to memory of 4752 | 3572 | un923715.exe | 69
PID 3572 wrote to memory of 4752 | 3572 | un923715.exe | 69
PID 4752 wrote to memory of 2844 | 4752 | qu609140.exe | 70
PID 4752 wrote to memory of 2844 | 4752 | qu609140.exe | 70
PID 4752 wrote to memory of 2844 | 4752 | qu609140.exe | 70
PID 3320 wrote to memory of 3180 | 3320 | un063455.exe | 71
PID 3320 wrote to memory of 3180 | 3320 | un063455.exe | 71
PID 3320 wrote to memory of 3180 | 3320 | un063455.exe | 71
PID 4064 wrote to memory of 4708 | 4064 | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe | 73
PID 4064 wrote to memory of 4708 | 4064 | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe | 73
PID 4064 wrote to memory of 4708 | 4064 | f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe | 73
Processes
- C:\Users\Admin\AppData\Local\Temp\f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f760e7df17d296c44e06b23ecbc23710bdb1eb5434186a4891e5f84fb98adb0d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4064
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063455.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063455.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3320
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un923715.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un923715.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3572
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr096485.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr096485.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 304
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu609140.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu609140.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4752
        - C:\Windows\Temp\1.exe
          Command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2844
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768430.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768430.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3180
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si176184.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si176184.exe
    - Executes dropped EXE
    PID: 4708
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 632
      - Program crash
      PID: 4416
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 708
      - Program crash
      PID: 2680
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 808
      - Program crash
      PID: 3000
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 856
      - Program crash
      PID: 4712
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 884
      - Program crash
      PID: 4056
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 812
      - Program crash
      PID: 1172
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1132
      - Program crash
      PID: 4264
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1160
      - Program crash
      PID: 4144
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1144
      - Program crash
      PID: 4836
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 397KB
MD5: 73322119dde2931ef4675da872b6e388
SHA1: 666909e836d4896520d7b01669820f0e8eb103a1
SHA256: a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3
SHA512: 360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef
-
Filesize: 865KB
MD5: 65f2e13b0ee3e43967a11bc232468f15
SHA1: ed429391ed9716a0fea74446ef87c3807bf278eb
SHA256: dd7f9cf01dd2d880d5b002df2a1eb0888200d4ae7f36aa722811b9f2454035cd
SHA512: 9dd97d9f192ea0576411b67cae8e0b9f7f723bcde9b5c109796fb653278f362bd6dc6f05cf703fb28ea1a1c981278ade53918317148e0913d7af6cae170fa312
-
Filesize: 169KB
MD5: 71f9e4774fc3869cf4c53fa9c370af65
SHA1: 24fc0601f560a24f7fd7c04b58981c96a2a7fa9f
SHA256: 6a551787a1ebbf37e3499fc1b11afc3e5d3c95b75e825160f3d021f0e3ad904c
SHA512: 3c06dec3ca99ec9b7eb38de5cc74a0547fcc3181672ea90102d72a0bbe4a655b3e0e32981a5c5fb52afc7fff5d27a634b488b4c9e2bd6715a8cefb0fbefad8bb
-
Filesize: 711KB
MD5: ae325126b1fdd68cd7ed4245c65ae29b
SHA1: 4bb73e3c14cbfb97da6bd718b9379c57194374f3
SHA256: e2748b5d6a8c853db739aeb32484f47a7ae4e881a0a99dd2e33d5019d713ba1f
SHA512: fd417e75103f3e22d980377f2ff78ada1e79598cdb2e1c5c7ba07e5327deb8f2337754dcb18f0ef5c58cac797f267d08367ebb0744fbaa055e26f93f336c0a3b
-
Filesize: 405KB
MD5: fda00e7c37049d9c7a4f3acc0ae159f8
SHA1: 3c70835a75d5665d6c3f5ed079bcc28d34afb845
SHA256: 12b425c97090f2b23ab064c8b1c631cf17e8eba5a1195a2a8eeddc36f4a4a97f
SHA512: 80f0a24a645904338dfa29a372dd5a336a1f3a539fcc5868c4a7eac70628e7993ccb7189c498e0055bdc112d56c37e5ac50ca4218a3d8de31e8651dc39be585d
-
Filesize: 588KB
MD5: 21546331b147aaee970fd4af71d1f9fe
SHA1: ccc6dd9581f70052833df7d89368ae0d1a8b6298
SHA256: 23a0d729e44ed3989a9c0907bea9fd6da09eeee46aba6a31b42d7e934fa2e702
SHA512: a0f92281fa66769c45faf713512852086ede5541bb4bcaa8eeee19b17335a1be70c1de771523f71b2f0ba7216e4e8fa01b7672be7f00f9ac7382b4b39394429b
-
Filesize: 168KB
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1