Analysis
  max time kernel    144s
  max time network   149s
  platform           windows10-1703_x64
  resource           win10-20230220-en
  resource tags      arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  submitted          03/05/2023, 22:06

Tasks
  Static task        static1
  Behavioral task    behavioral1
  Sample             099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe
  Resource           win10-20230220-en
General
  Target   099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe
  Size     566KB
  MD5      417506a7d99eb6b7e08667a2e42a4568
  SHA1     f338f6a5d2a1eb66effd8c799b4aead5d96a8c29
  SHA256   099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809
  SHA512   099973cb02835cf9d73fb12e1a03a97c59de1fb66c46c9de5fd7409537f87e9e09181c2a4441590c296c70775e4fb84e0f1b4f70265549e88634af35feeb14cf
  SSDEEP   12288:kMrTy90VDzI7Zk1tUqlG3Rd/WKHX2C7OzjY9:fy0zI7ZkkJT/WdCt9
Malware Config
Extracted family: redline
  Botnet       darm
  C2           217.196.96.56:4138
  auth_value   d88ac8ccc04ab9979b04b46313db1648
Signatures

Modifies Windows Defender Real-time Protection settings  5 IoCs
  description      ioc                                                                                                                    Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    l2539626.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    l2539626.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  l2539626.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    l2539626.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        l2539626.exe
  These five policy values, when set to 1, turn off on-access scanning, real-time monitoring, behavior monitoring and IOAV (downloaded file/attachment) scanning. The Policies hive is writable only with administrative rights, so a process writing here is already running elevated.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE  4 IoCs
  pid    Process
  3448   y8051432.exe
  3960   k3015004.exe
  396    l2539626.exe
  2052   m6723470.exe

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification  2 IoCs
  description      ioc                                                                                            Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                    l2539626.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   l2539626.exe
  On Windows 10 1903 and later this value is guarded by Tamper Protection and a direct registry write is reverted by Defender; the attempt itself is the detection signal. The 1703 image used for this run predates Tamper Protection.
Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs

Adds Run key to start application  2 TTPs 4 IoCs
  description      ioc                                                                                                                                                                                                              Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                y8051432.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   y8051432.exe
  The wextract_cleanupN values are written by the IExpress self-extractor (wextract) so that advpack.dll's DelNodeRunDLL32 deletes its IXP00N.TMP staging directory at the next logon. They are a cleanup artifact rather than persistence, but they confirm two nested self-extracting stages and name the directories the dropped executables were written to.
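The Defender policy writes, the TamperProtection write and the RunOnce cleanup entries above are all plain registry-set events, so a triage script can classify them from the row text alone. The following is an added example for this report, not part of the Triage output; the rows it parses are constructed from the tables above in the sandbox's own row shape, and every function and label name in it is this example's own.

```python
"""Classify the registry-write IoCs shown in the Signatures section.

Added example for this report, not part of the Triage output. Row shapes are
the sandbox's own ('Set value (<type>) <key>\\<name> = "<data>" <process>' and
'Key created <key> <process>'); the rows below are constructed from the tables
above, and every helper and label name here is this example's.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Real-Time Protection policy values the sample set to 1. Each one switches
# off a Defender protection layer when the policy is applied.
RTP_DISABLE_VALUES = {
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
}

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")? (?P<proc>\S+)$'
)
# IExpress (wextract.exe) schedules deletion of its IXP00n.TMP staging folder
# through advpack.dll!DelNodeRunDLL32; the quoted argument is that folder.
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 \\"(?P<dir>.+?)\\"')

SAMPLE = "099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe"
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP_CMD = r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{}\\\"'

# Constructed rows mirroring the report's IoC tables (backslashes escaped as
# the sandbox prints them).
SAMPLE_ROWS = [f'Set value (int) {RTP_KEY}\\{v} = "1" l2539626.exe' for v in sorted(RTP_DISABLE_VALUES)] + [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features l2539626.exe",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" l2539626.exe',
    f'Set value (str) {RUNONCE}\\wextract_cleanup0 = "{CLEANUP_CMD.format("IXP000.TMP")}" {SAMPLE}',
    f'Set value (str) {RUNONCE}\\wextract_cleanup1 = "{CLEANUP_CMD.format("IXP001.TMP")}" y8051432.exe',
]


@dataclass
class Finding:
    kind: str      # classification label (this example's own vocabulary)
    process: str   # process that performed the write
    detail: str    # value name, or the staging directory for cleanup entries


def parse_row(row):
    """Split one sandbox row into (op, key, value name, data, process)."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return m.group("op"), key, name, m.group("data"), m.group("proc")


def classify(rows):
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None or parsed[0] == "Key created":
            continue  # key creation alone carries no value to judge
        _, key, name, data, proc = parsed
        # WOW6432Node is the 32-bit view of the same policy/feature keys.
        norm = key.replace("\\WOW6432Node", "").lower()
        if (norm.endswith(r"\policies\microsoft\windows defender\real-time protection")
                and name in RTP_DISABLE_VALUES and data == "1"):
            findings.append(Finding("defender_rtp_disabled", proc, name))
        elif (norm.endswith(r"\microsoft\windows defender\features")
                and name == "TamperProtection" and data == "0"):
            findings.append(Finding("defender_tamper_protection_off", proc, name))
        elif norm.endswith(r"\microsoft\windows\currentversion\runonce") and name.startswith("wextract_cleanup"):
            m = CLEANUP_RE.search(data or "")
            # Undo the sandbox's doubled backslashes and drop the trailing one.
            staging = m.group("dir").replace("\\\\", "\\").rstrip("\\") if m else ""
            findings.append(Finding("iexpress_cleanup", proc, staging))
    return findings


def summarize(findings):
    """Count findings per label."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in classify(SAMPLE_ROWS):
        print(f"{f.kind:32} {f.process:20} {f.detail}")
```

Run against the constructed rows it reports five defender_rtp_disabled findings and one defender_tamper_protection_off, all by l2539626.exe, and two iexpress_cleanup findings whose detail is the recovered staging directory (IXP000.TMP written by the sample, IXP001.TMP by y8051432.exe). The cleanup label is deliberately separate from the persistence labels: the same RunOnce key that a stealer might abuse is, in this pattern, only the self-extractor tidying up.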
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash  9 IoCs
  pid    pid_target   Process        procid_target
  3560   2052         WerFault.exe   70
  3980   2052         WerFault.exe   70
  3724   2052         WerFault.exe   70
  3684   2052         WerFault.exe   70
  340    2052         WerFault.exe   70
  228    2052         WerFault.exe   70
  1256   2052         WerFault.exe   70
  2428   2052         WerFault.exe   70
  3296   2052         WerFault.exe   70
  All nine WerFault.exe reports target PID 2052 (m6723470.exe): that stage faulted repeatedly in this environment rather than running to completion.
Suspicious behavior: EnumeratesProcesses  4 IoCs
  pid    Process
  3960   k3015004.exe
  3960   k3015004.exe
  396    l2539626.exe
  396    l2539626.exe

Suspicious use of AdjustPrivilegeToken  2 IoCs
  description               pid    Process
  Token: SeDebugPrivilege   3960   k3015004.exe
  Token: SeDebugPrivilege   396    l2539626.exe

Suspicious use of FindShellTrayWindow  1 IoCs
  pid    Process
  2052   m6723470.exe

Suspicious use of WriteProcessMemory  12 IoCs
  description                        pid    Process                                                                  procid_target   calls
  PID 2652 wrote to memory of 3448   2652   099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe   66              3
  PID 3448 wrote to memory of 3960   3448   y8051432.exe                                                             67              3
  PID 3448 wrote to memory of 396    3448   y8051432.exe                                                             69              3
  PID 2652 wrote to memory of 2052   2652   099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe   70              3
  In every row the target is the writer's own freshly created child, and each pair appears three times. That is the pattern CreateProcess itself produces when it writes the new process's parameters, so these IoCs document the spawn chain rather than injection into a foreign process.
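The WriteProcessMemory, Executes dropped EXE and Program crash tables together contain everything needed to rebuild the spawn chain and to spot the stage that kept faulting. The following is an added example for this report, not part of the Triage output; its rows are constructed from those three tables in the sandbox's own row shapes, and the function names are this example's own.

```python
"""Rebuild the spawn chain from the WriteProcessMemory and Program crash IoCs.

Added example for this report, not part of the Triage output. The rows are
constructed from the tables above in the sandbox's own shapes:
'PID <parent> wrote to memory of <child> <parent> <image> <procid_target>',
'<pid> <image>' (Executes dropped EXE) and '<pid> <target> WerFault.exe <n>'.
Function names are this example's own.
"""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) \d+ (?P<image>\S+) \d+$")
EXEC_RE = re.compile(r"^(?P<pid>\d+) (?P<image>\S+)$")
CRASH_RE = re.compile(r"^(?P<pid>\d+) (?P<target>\d+) WerFault\.exe \d+$")

SAMPLE = "099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe"

# Constructed rows: each parent/child pair appears three times in the report,
# the normal CreateProcess footprint rather than cross-process injection.
WPM_ROWS = (
    [f"PID 2652 wrote to memory of 3448 2652 {SAMPLE} 66"] * 3
    + ["PID 3448 wrote to memory of 3960 3448 y8051432.exe 67"] * 3
    + ["PID 3448 wrote to memory of 396 3448 y8051432.exe 69"] * 3
    + [f"PID 2652 wrote to memory of 2052 2652 {SAMPLE} 70"] * 3
)
EXEC_ROWS = ["3448 y8051432.exe", "3960 k3015004.exe", "396 l2539626.exe", "2052 m6723470.exe"]
CRASH_ROWS = [f"{pid} 2052 WerFault.exe 70" for pid in (3560, 3980, 3724, 3684, 340, 228, 1256, 2428, 3296)]


def build_tree(wpm_rows, exec_rows):
    """Return (children, images, writes): ordered child pids per parent pid,
    image name per pid, and WriteProcessMemory call counts per (parent, child)."""
    children = defaultdict(list)
    images = {}
    writes = Counter()
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        if child not in children[parent]:
            children[parent].append(child)
        images.setdefault(parent, m["image"])    # the row names the writer
        writes[(parent, child)] += 1
    for row in exec_rows:
        m = EXEC_RE.match(row)
        if m:
            images[int(m["pid"])] = m["image"]   # dropped stages name the children
    return children, images, writes


def roots(children):
    """Pids that write into others but are never written into themselves."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def render(children, images, writes, pid, depth=0):
    """Indented tree lines; each child line notes how many writes its parent made."""
    lines = [f"{'  ' * depth}{images.get(pid, '?')} (PID {pid})"]
    for child in children.get(pid, []):
        sub = render(children, images, writes, child, depth + 1)
        sub[0] += f"  <- {writes[(pid, child)]} WriteProcessMemory calls from PID {pid}"
        lines.extend(sub)
    return lines


def crash_loops(crash_rows, threshold=3):
    """Targets WerFault.exe reported on at least `threshold` times: a stage that
    keeps faulting instead of running to completion."""
    counts = Counter()
    for row in crash_rows:
        m = CRASH_RE.match(row)
        if m:
            counts[int(m["target"])] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    children, images, writes = build_tree(WPM_ROWS, EXEC_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, writes, root)))
    for pid, n in crash_loops(CRASH_ROWS).items():
        print(f"crash loop: {images.get(pid, pid)} (PID {pid}) faulted {n} times")
```

On the constructed rows the single root is PID 2652 (the submitted sample) with y8051432.exe and m6723470.exe as children and k3015004.exe and l2539626.exe below y8051432.exe, matching the process tree in the next section, and crash_loops reports PID 2052 with nine WerFault reports. Image names come from the Executes dropped EXE rows because the WriteProcessMemory rows only name the writer.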
Processes

C:\Users\Admin\AppData\Local\Temp\099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe  (PID 2652)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8051432.exe  (PID 3448)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3015004.exe  (PID 3960)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2539626.exe  (PID 396)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6723470.exe  (PID 2052)
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 616   (PID 3560)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 696   (PID 3980)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 836   (PID 3724)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 844   (PID 3684)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 872   (PID 340)   - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 848   (PID 228)   - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1128  (PID 1256)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1152  (PID 2428)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1180  (PID 3296)  - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1 (268KB)
  MD5      d48f3c9103f4936284248ccdd29c0d3c
  SHA1     87246492bb7e7385bd472e0120398f16eae2fc50
  SHA256   76792c8abdc345ba6147fa23d58a23ffbba4e442b9a9969819806d7d6b07bc1a
  SHA512   eddd48e28ac3a0eadb0ebf441ca513cfb9bc4fff07ba7353bae0416d8eabc90a2625268d46fc466f5e4492a5f58239036548d592b3550e82ff80af96da9eb380

File 2 (307KB)
  MD5      61de670f06cf13f0b881ffc5635a737f
  SHA1     d1cda566865b6a2db5230b6fce7b166b4e52e360
  SHA256   4a5005e7064cf4eebb18c63fd71e68b571ea70ff1fbb85d6fe48d0960317d198
  SHA512   646403e498c08f64e456bd89b7cc8e898ab872bb075019ac6c64b1cf59eecc705cd536c5a371e687c663abef7186f288d85afebd1aab8fdb87ff510fcdfd44ee

File 3 (168KB)
  MD5      762b3d6e795e9cc5ac86aff217a6b7b2
  SHA1     9e1e73cc2982198bd4a2863e565cb4362a6ca90c
  SHA256   df67db6fb21a3b0d13fe1b15e0b90383e35cb2ee0c7b2232e67b49a0656a718d
  SHA512   f70f4875940409329658734c41c973c8cc80295cb4ba65244c5475d484b8dee185a55dedddc415f26495d05d227a956b142827af976edc3e2c041909a4616e4d

File 4 (178KB)
  MD5      d79f7557142419e9ea6fccc0b386d869
  SHA1     9d75c99c3538adc831f3cace4a0b4319c5a78c2b
  SHA256   b755974ed8a0cbc51e04501f5a6b752803dac2068471eb133f9f4219c36907f3
  SHA512   412e433a29780f2ae9d1c484124e137f84787ad29fd8c779f976ff131b68bb0e479673972145e3501ad27d7f60a1e9f2382ddcbe311a45e63dc0237799c06a8a