Analysis

max time kernel: 150s
max time network: 107s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14/04/2023, 03:46
Static task
static1
General

Target: 4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe
Size: 1.0MB
MD5: 55a536ad2885e6176eacf48e1496c88f
SHA1: 3227347217a682bd8791ae038b30262c1cdbd3c9
SHA256: 4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c
SHA512: 9ae74537c0c94a857a41f61a2ecd9be14c85e3d291a543d537628a4b0695dbcd1ee21066c4302b776ef06bc29f5fce83132de1f56ddb3f9dfa05df209c3815aa
SSDEEP: 24576:hyzOrKi8KgLXWyIjbgT2wjrOlnty++HHkeCuioR8RCv:U1iuWyeErCM+MkdboiRC
Malware Config

Extracted
family: redline
botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted
family: redline
botnet: disa
C2: 185.161.248.90:4125
auth_value: 93f8c4ca7000e3381dd4b6b86434de05

Two RedLine configurations were recovered from the chain. They share one C2 endpoint but carry different botnet IDs and auth_value tokens (the per-build authorization value the client presents to the C2), which is consistent with two RedLine builds bundled in the same package. For blocking purposes the host:port pair is the durable indicator; the auth_value strings are useful for attributing traffic or memory dumps to this specific campaign.
Signatures

Modifies Windows Defender Real-time Protection settings  (5 IoCs)
description      ioc                                                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  it255811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    it255811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        it255811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    it255811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    it255811.exe

These are the Group Policy locations (HKLM\SOFTWARE\Policies\...) rather than Defender's own settings keys, so the values are written directly without going through the Defender service. On a host with Tamper Protection enabled Defender ignores such writes, so treat them as a high-fidelity detection signal rather than as proof that protection was actually switched off.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE  (7 IoCs)
pid   Process
3320  ziGP0236.exe
3572  zias1201.exe
304   it255811.exe
3924  jr328294.exe
2012  1.exe
1820  kp003892.exe
4088  lr016842.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification  (1 IoC)
description      ioc                                                                                  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  it255811.exe

The sample zeroes the TamperProtection feature flag before or alongside the policy writes above. Defender protects this value when Tamper Protection is on, so the write succeeding here says more about the sandbox image than about what the sample can do on a managed endpoint; the attempt itself is still worth alerting on.
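The registry writes attributed to it255811.exe above are the detection opportunity. The following Python is an added example written for this page, not code from tria.ge or from the sample: it flags those writes in Sysmon Event ID 13 (RegistryEvent, SetValue) records, normalising the kernel \REGISTRY\MACHINE path form the sandbox prints onto the HKLM form Sysmon emits so one rule covers both. The event records are constructed to mirror the report, and the allow-list of writer image names (policy engine, Defender's own service) is an assumption to tune per estate.

```python
"""Flag Defender-disabling registry writes in Sysmon Event ID 13 records.

Added example (editor's code, not tria.ge's). SAMPLE_EVENTS is constructed to
mirror the writes the report attributes to it255811.exe; the Sysmon field names
(EventID, Image, TargetObject, Details) are real, the values are illustrative.
"""
import re

# Group Policy location Defender reads its real-time protection settings from.
RT_POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"

# normalised value path -> DWORD that disables protection (what the sample writes)
DEFENDER_DISABLE = {
    (RT_POLICY + "\\DisableRealtimeMonitoring").lower(): 1,
    (RT_POLICY + "\\DisableBehaviorMonitoring").lower(): 1,
    (RT_POLICY + "\\DisableIOAVProtection").lower(): 1,
    (RT_POLICY + "\\DisableOnAccessProtection").lower(): 1,
    (RT_POLICY + "\\DisableScanOnRealtimeEnable").lower(): 1,
    "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection": 0,
}

# Writers allowed to touch these values. Assumption for the example: the policy
# engine (svchost-hosted gpsvc) and Defender's own service. Tune per estate.
ALLOWED_IMAGE_NAMES = {"svchost.exe", "msmpeng.exe"}

# Kernel path prefixes (as printed by the sandbox) -> Sysmon hive abbreviations.
_HIVE_PREFIXES = (
    ("\\registry\\machine\\", "hklm\\"),
    ("\\registry\\user\\", "hku\\"),
)
_DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{1,8})\)")


def normalize_key(path: str) -> str:
    """Lower-case the path and map \\REGISTRY\\MACHINE\\... onto hklm\\...."""
    p = path.lower()
    for raw, short in _HIVE_PREFIXES:
        if p.startswith(raw):
            return short + p[len(raw):]
    return p


def parse_dword(details: str):
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; the report prints
    the bare value in quotes. Accept both; return None for anything else."""
    details = details.strip()
    m = _DWORD_RE.fullmatch(details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip('"'))
    except ValueError:
        return None


def flag_defender_tamper(events):
    """Return (image, key, value) for each SetValue event that writes a
    protection-disabling value from a process that is not allow-listed."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev["TargetObject"])
        if key not in DEFENDER_DISABLE:
            continue
        value = parse_dword(ev["Details"])
        if value != DEFENDER_DISABLE[key]:
            continue  # e.g. an admin re-enabling protection (value 0)
        image = ev["Image"]
        if image.rsplit("\\", 1)[-1].lower() in ALLOWED_IMAGE_NAMES:
            continue
        findings.append((image, key, value))
    return findings


_SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\it255811.exe"

# Constructed events: the first six mirror the report; the rest must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": RT_POLICY + "\\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": RT_POLICY + "\\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": RT_POLICY + "\\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": RT_POLICY + "\\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": RT_POLICY + "\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    # same write in the \REGISTRY\MACHINE form the sandbox prints; matches after normalisation
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection", "Details": "DWORD (0x00000000)"},
    # benign: real-time monitoring switched back on (value 0), not a disable
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": RT_POLICY + "\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    # benign for this rule: policy engine applying a GPO, allow-listed by image name
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": RT_POLICY + "\\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    # unrelated: a process-create event
    {"EventID": 1, "Image": _SAMPLE, "TargetObject": "", "Details": ""},
]

if __name__ == "__main__":
    for image, key, value in flag_defender_tamper(SAMPLE_EVENTS):
        print(f"ALERT {image} set {key} = {value}")
```

The value check matters: the same value names are legitimately written with 0 when protection is re-enabled, and a rule that keys on the path alone will page on that. The image allow-list is deliberately coarse (svchost.exe hosts many services); in production, key on the service name or the GPO client's process GUID instead.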
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application  (2 TTPs, 6 IoCs)
description      ioc                                                                                                                                                                              Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  ziGP0236.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                   zias1201.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  zias1201.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                   4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                   ziGP0236.exe

Read these carefully before calling them persistence. Every value is a wextract_cleanupN entry under RunOnce that points rundll32.exe at advpack.dll,DelNodeRunDLL32 with an IXP00N.TMP directory: that is the housekeeping a WEXTRACT (IExpress) self-extracting package schedules to delete its own temporary extraction directory at the next logon, and it runs once and removes itself. It does not start the malware again. What it does tell you is that the sample is three nested self-extracting layers (IXP000.TMP, then IXP001.TMP, then IXP002.TMP), one per packer stage, which matches the process tree below.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock note for this signature reads "likely ransomware behaviour", but nothing else in this report supports that here (no file encryption or ransom-note activity, and the extracted configs are RedLine stealer); drive enumeration is also routine for a stealer collecting files from every volume.
-
Program crash  (9 IoCs)
pid   pid_target  Process       procid_target
1416  4088        WerFault.exe  73
992   4088        WerFault.exe  73
304   4088        WerFault.exe  73
4732  4088        WerFault.exe  73
4692  4088        WerFault.exe  73
1904  4088        WerFault.exe  73
4180  4088        WerFault.exe  73
3000  4088        WerFault.exe  73
4700  4088        WerFault.exe  73

All nine WerFault.exe instances report on the same process, lr016842.exe (PID 4088, procid_target 73), which crashed repeatedly in this sandbox image. Note the PID reuse: 304 appears here as a WerFault.exe instance, while elsewhere in the report 304 is it255811.exe. The kernel recycled the PID after it255811.exe exited, so the two entries are different processes and must not be correlated on PID alone; use the sandbox's procid_target (or a process start time) as the join key instead.
Suspicious behavior: EnumeratesProcesses  (6 IoCs)
pid   Process
304   it255811.exe  (listed twice)
1820  kp003892.exe  (listed twice)
2012  1.exe         (listed twice)

Suspicious use of AdjustPrivilegeToken  (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  304   it255811.exe
Token: SeDebugPrivilege  3924  jr328294.exe
Token: SeDebugPrivilege  2012  1.exe
Token: SeDebugPrivilege  1820  kp003892.exe

Suspicious use of FindShellTrayWindow  (1 IoCs)
pid   Process
4088  lr016842.exe

Suspicious use of WriteProcessMemory  (20 IoCs)
The report records each write separately; the twenty rows collapse to seven parent/child pairs, two or three writes per freshly created child.
pid   Process                                                                     wrote to  procid_target  writes
4064  4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe  3320      66             3
3320  ziGP0236.exe                                                                3572      67             3
3572  zias1201.exe                                                                304       68             2
3572  zias1201.exe                                                                3924      69             3
3924  jr328294.exe                                                                2012      70             3
3320  ziGP0236.exe                                                                1820      71             3
4064  4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe  4088      73             3
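The WriteProcessMemory, Executes dropped EXE and Program crash tables together are enough to rebuild the spawn tree and to catch the PID-reuse trap noted above. The Python below is an added example written for this page, not code from tria.ge: it deduplicates the repeated write rows, orders children by the sandbox's procid_target (treated here as spawn sequence), renders the tree, and reports any PID seen under more than one image name. The rows are transcribed from this report; only the table shapes are assumed.

```python
"""Rebuild the spawn tree from the report's flattened WriteProcessMemory table
and detect PID reuse across the report's other tables.

Added example (editor's code, not tria.ge's). Rows are transcribed from the
report; procid_target is taken to be the sandbox's sequential process number.
"""
from collections import defaultdict

ROOT_PID = 4064
ROOT = "4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe"

# (writer pid, writer image, target pid, procid_target), including the repeats
# the report shows: the sandbox logs every write into a freshly created child,
# so one child yields two or three identical rows.
WPM_ROWS = (
    [(4064, ROOT, 3320, 66)] * 3
    + [(3320, "ziGP0236.exe", 3572, 67)] * 3
    + [(3572, "zias1201.exe", 304, 68)] * 2
    + [(3572, "zias1201.exe", 3924, 69)] * 3
    + [(3924, "jr328294.exe", 2012, 70)] * 3
    + [(3320, "ziGP0236.exe", 1820, 71)] * 3
    + [(4064, ROOT, 4088, 73)] * 3
)

# 'Executes dropped EXE': pid -> image, used to name the write targets.
DROPPED = {
    3320: "ziGP0236.exe", 3572: "zias1201.exe", 304: "it255811.exe",
    3924: "jr328294.exe", 2012: "1.exe", 1820: "kp003892.exe", 4088: "lr016842.exe",
}

# 'Program crash': (WerFault pid, crashed pid). PID 304 recurs here.
CRASH_ROWS = [(1416, 4088), (992, 4088), (304, 4088), (4732, 4088), (4692, 4088),
              (1904, 4088), (4180, 4088), (3000, 4088), (4700, 4088)]


def build_tree(rows, names):
    """parent pid -> [(child pid, child image)], deduplicated, in spawn order."""
    seen = {}
    for writer, _, target, seq in rows:
        seen.setdefault(target, (writer, seq))  # first row for a child wins
    children = defaultdict(list)
    for target, (writer, seq) in sorted(seen.items(), key=lambda kv: kv[1][1]):
        children[writer].append((target, names.get(target, f"pid-{target}")))
    return dict(children)


def render_tree(children, pid, name, depth=0, out=None):
    """Indented text tree, two spaces per level, depth-first in spawn order."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{name} (PID {pid})")
    for cpid, cname in children.get(pid, []):
        render_tree(children, cpid, cname, depth + 1, out)
    return out


def find_pid_reuse(observations):
    """observations: iterable of (pid, image). Return pids that appear under
    more than one image name, i.e. recycled PIDs that must not be joined on."""
    by_pid = defaultdict(set)
    for pid, image in observations:
        by_pid[pid].add(image)
    return {pid: imgs for pid, imgs in by_pid.items() if len(imgs) > 1}


def all_observations():
    """Every (pid, image) sighting the three tables give us."""
    obs = [(w, img) for w, img, _, _ in WPM_ROWS]
    obs += list(DROPPED.items())
    obs += [(wer, "WerFault.exe") for wer, _ in CRASH_ROWS]
    return obs


if __name__ == "__main__":
    tree = build_tree(WPM_ROWS, DROPPED)
    print("\n".join(render_tree(tree, ROOT_PID, ROOT)))
    for pid, images in find_pid_reuse(all_observations()).items():
        print(f"PID {pid} reused: {sorted(images)}")
```

Run stand-alone it prints the same five-level chain the Processes section shows (root, ziGP0236.exe, zias1201.exe, it255811.exe / jr328294.exe, 1.exe) and one reuse hit, PID 304 as both it255811.exe and WerFault.exe. The same dedupe-then-order approach works on any sandbox export that logs per-write rather than per-process.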
Processes

C:\Users\Admin\AppData\Local\Temp\4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe  (PID 4064, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4405f9b5e9321518a0b73255af4c16cd69b376348ea5cab0b157a67c7abfd65c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGP0236.exe  (PID 3320, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGP0236.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zias1201.exe  (PID 3572, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zias1201.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it255811.exe  (PID 304, level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it255811.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr328294.exe  (PID 3924, level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr328294.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Temp\1.exe  (PID 2012, level 5)
          command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp003892.exe  (PID 1820, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp003892.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr016842.exe  (PID 4088, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr016842.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 632   (PID 1416, level 3)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 708   (PID 992, level 3)   - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 836   (PID 304, level 3)   - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 856   (PID 4732, level 3)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 892   (PID 4692, level 3)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 872   (PID 1904, level 3)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1136  (PID 4180, level 3)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1160  (PID 3000, level 3)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1168  (PID 4700, level 3)  - Program crash

The shape of the tree is the shape of the packaging: each IXP00N.TMP directory is one self-extracting layer, the final layer (IXP002.TMP) drops the Defender-tampering it255811.exe and the jr328294.exe loader that writes and runs C:\Windows\Temp\1.exe, and the two sibling payloads kp003892.exe and lr016842.exe are unpacked from the outer layers. Because the WerFault.exe children are reported with the sample's own level numbering, they sit under lr016842.exe here even though Windows Error Reporting, not the sample, starts them.
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 397KB
MD5: 73322119dde2931ef4675da872b6e388
SHA1: 666909e836d4896520d7b01669820f0e8eb103a1
SHA256: a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3
SHA512: 360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

Filesize: 723KB
MD5: 2c99ac2b5351ae85f76a8a686c59903f
SHA1: b37d00433ff1c8da752f14da2c12dcdbf725c923
SHA256: fae702b0ee59e650d7e62f02cb6b32d273db4e78c2fb82f22035fe832cb22cce
SHA512: 98a0c6bfcc482052703acfba5269bebf96380e3b6705ab02d8e5044eb1b53d0b6aa9b54b7ea1e48ff8f8bc61c236a0d80222fc00e7e44e24ec69019cf4675df4

Filesize: 169KB
MD5: fd32c1ff9983eb9666877eff376f4259
SHA1: 83268888c97eb33f0500c78f3453be42a98eec2a
SHA256: e2e3b8fc6256ab9e28536c728a2d9ea2f29597247931b433e252e12f81e57ddb
SHA512: bccae9d03db4ca4cfa0f587b71c48b7a565c6acd3f89f67d2fe2ac2367a28914fb71f8b63c28eddf6a7872bd414c326eca952163bb55d15c8613e9814b05df60

Filesize: 569KB
MD5: 384df28a0e7bb501d97b0047902b7e2a
SHA1: 16b31f33d3c25f78dfb10edd1987841b70f74707
SHA256: 9c7a8c6c619776e7fa2b5b8f0fe3d4bb1aec1e22ed5f35661193e780090625f9
SHA512: b0b027eb2018ffe3e6472a49cdfd85b44d6040a6109528e5bcfa61663dd7bede82550de6096300682cf9ae6177ffd1e93b151ee271666bc94534942eec703064

Filesize: 11KB
MD5: d40d25877fc2e532a92dec2f42cc746b
SHA1: a7bc67d783582d65825a6a3f9974f54e4a087ac0
SHA256: 7ba065644bec11de641557876b2fa2f7cf2b905b5d5982b5af03b3dd5b070728
SHA512: 0766974f5b7c2cf86d8b68daceb6bf5e0978d17d403caf682029eab87ace30d963e870fc9121022a2ebdbd2495a3dc3b2e5b96730b3d6adfe5a387198add5860

Filesize: 588KB
MD5: 3b2561035ea462665ec96928c23f13d8
SHA1: 4a4ccbdfd0b134e92e2d724d0246931dfd2d4718
SHA256: f978671bd1e58bac0c25877aeb7c11e1474c090c148055464c82f7eea5630d8a
SHA512: e9d84779ef06db39cebe680a258ee92af93f0d05eb7f6e88b5b427665feaed1831459571968a3960b35a52c66762f40b1fa7f0e91dbb14e95d1770358e85a361

Filesize: 168KB
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Seven distinct dropped files (the report does not name which hash belongs to which executable in the process tree). Sweep endpoints on the SHA256 values rather than MD5: the sizes line up with the nested layers, and the outer layers will be re-packed far more often than the inner payloads.