Analysis
- max time kernel: 146s
- max time network: 103s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03/05/2023, 21:23
Static task: static1
Behavioral task: behavioral1
Sample: ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe
Resource: win10-20230220-en
General
- Target: ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe
- Size: 565KB
- MD5: a34b6a66f18e783517f71360599f9076
- SHA1: fcca4a790ed34780ec97996529adbe214b02b743
- SHA256: ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599
- SHA512: 6c18bd0f1a13405f10d221f911eabc7543f3572163ff69175b49121a95b533c9614e168bfb57d112c4ddb9ab400f4150080adaaa473077eb1ed50ee386cb0455
- SSDEEP: 12288:dMr3y903KT2GvJxdCsrYgsJbHzuwcCPhhmw8y:WytfJLCskFJrzuwcCJx
Malware Config
Extracted
- family: redline
- botnet: darm
- C2: 217.196.96.56:4138
- auth_value: d88ac8ccc04ab9979b04b46313db1648
Signatures
-
Modifies Windows Defender Real-time Protection settings
- l9997390.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- l9997390.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- l9997390.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- l9997390.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- l9997390.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
- PID 2560: y9674216.exe
- PID 3076: k9971295.exe
- PID 4516: l9997390.exe
- PID 1332: m9871845.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
- l9997390.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- l9997390.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
- y9674216.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- y9674216.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
- PID 3012 WerFault.exe, target PID 1332 (procid_target 70)
- PID 3764 WerFault.exe, target PID 1332 (procid_target 70)
- PID 3108 WerFault.exe, target PID 1332 (procid_target 70)
- PID 4816 WerFault.exe, target PID 1332 (procid_target 70)
- PID 4820 WerFault.exe, target PID 1332 (procid_target 70)
- PID 2772 WerFault.exe, target PID 1332 (procid_target 70)
- PID 4788 WerFault.exe, target PID 1332 (procid_target 70)
- PID 440 WerFault.exe, target PID 1332 (procid_target 70)
- PID 3920 WerFault.exe, target PID 1332 (procid_target 70)
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 3076: k9971295.exe (2 IoCs)
- PID 4516: l9997390.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
- PID 3076 k9971295.exe: Token: SeDebugPrivilege
- PID 4516 l9997390.exe: Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 1332: m9871845.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
- PID 2472 (ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe) wrote to memory of PID 2560, procid_target 66 (3 IoCs)
- PID 2560 (y9674216.exe) wrote to memory of PID 3076, procid_target 67 (3 IoCs)
- PID 2560 (y9674216.exe) wrote to memory of PID 4516, procid_target 69 (3 IoCs)
- PID 2472 (ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe) wrote to memory of PID 1332, procid_target 70 (3 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe (PID 2472)
  command line: "C:\Users\Admin\AppData\Local\Temp\ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9674216.exe (PID 2560)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9674216.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9971295.exe (PID 3076)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9971295.exe
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9997390.exe (PID 4516)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9997390.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9871845.exe (PID 1332)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9871845.exe
    signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 3012)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 616
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 3764)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 696
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 3108)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 824
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 4816)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 812
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 4820)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 876
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 2772)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 772
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 4788)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1128
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 440)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1152
      signatures: Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 3920)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1200
      signatures: Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 268KB
MD5: 1eb477ae167133202dcfa69839bf6999
SHA1: 0d35099fff4c09c16b2eb81106de41f3feb0ddca
SHA256: 5bb85bd7d2e0407e5bd55e77d642d64c4206bc1cf817e658d07819c70d7bdff3
SHA512: 1ecae15f5cf11072ab08462d9ede3e366f3c38ff93f2228f0a8c29bdfb11caa82c9b10d84981c4897057affa132e0035102811131adfdb806d9373ef631599f4
-
Filesize: 307KB
MD5: 9b7764d62e7f34c8c7fb1bb16cf9c12a
SHA1: 7bef924e62e245e8f712021dc78e3fd0470fc743
SHA256: 6a2e2b90e86685b88c8b65884c839f9644a6f9096243aa6618e7bd4d597fe2fa
SHA512: 06ee50087b9fd9b64ddca1df1dab03c86ccb6afb5e45ee664b5b87d1155bcb5688f509875324bf19aa25a1f70ebd7f8c6d75f2cfe362769461e2a86ee65ad408
-
Filesize: 168KB
MD5: 96db08473720a6b18aaaefb3b8a77d0c
SHA1: d18b58d7752f630b06062a93a53712d32c808f0f
SHA256: 0b3141ff910bc569ef77dfcfb61ac1ed0919942be16d3a0b3c2362225cb72e82
SHA512: 8f3e7377e412a61e5d0ea1ec50a37ccda59965da09f6f8559cd79d5071fec337787a4966a1e262cc69e9ddf35d298459a30891880d236402b8b983df512516b1
-
Filesize: 178KB
MD5: d43fca1a24133de7623febcf2848ea49
SHA1: c068a1af4e2eaba04f768b3e2c86f4344a78d88a
SHA256: 0b709cb498138055eecaea9a7662eb83f224636ea0b906bd5d1fe3e220d688d6
SHA512: 15921bdffce41dce5e7dd9c1cbcf6cd4ad6463b8edd71098cd4b150674ebe1a4510295ba6d7e1ba44deef831e118a97d02bb193d9d835c3af3523985d01f247a