Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15/02/2023, 15:18
Static task
static1
Behavioral task
behavioral1
Sample
534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe
Resource
win10v2004-20220812-en
General
-
Target
534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe
-
Size
817KB
-
MD5
6d4a53922da1179aa6285a91a2ea9200
-
SHA1
3a26be7cc84b649b92a0a7b99035fd2c0c3c1d86
-
SHA256
534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f
-
SHA512
0d7d176b828d92af09f44adbd165e8016d730513bbae929ee261733748933b5aaed2cc6ca7aa736f25523c1ab10091e342a0a691b83094f6ab14aef6adf8ed39
-
SSDEEP
12288:3Mrdy90r0ERCuQmMHVJCWZ57nNl9t/CYP/GoxQW8CF/zGvlDYLQZdJifqTue:6yXaCuQmMvCe5brNmNW8CF/zy4QZxTd
Malware Config
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" red4980.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" red4980.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection stT7185.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" stT7185.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection red4980.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" red4980.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" stT7185.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" stT7185.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" stT7185.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" stT7185.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" red4980.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" red4980.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
pid Process 4960 vWz2696.exe 720 vZg7447.exe 4468 red4980.exe 4896 stT7185.exe 1496 txe05qn.exe 204 urv39xk.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" red4980.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features stT7185.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" stT7185.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vWz2696.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vWz2696.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vZg7447.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vZg7447.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4140 4896 WerFault.exe 83 3648 204 WerFault.exe 88 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4468 red4980.exe 4468 red4980.exe 4896 stT7185.exe 4896 stT7185.exe 1496 txe05qn.exe 1496 txe05qn.exe 204 urv39xk.exe 204 urv39xk.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4468 red4980.exe Token: SeDebugPrivilege 4896 stT7185.exe Token: SeDebugPrivilege 1496 txe05qn.exe Token: SeDebugPrivilege 204 urv39xk.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3444 wrote to memory of 4960 3444 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe 80 PID 3444 wrote to memory of 4960 3444 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe 80 PID 3444 wrote to memory of 4960 3444 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe 80 PID 4960 wrote to memory of 720 4960 vWz2696.exe 81 PID 4960 wrote to memory of 720 4960 vWz2696.exe 81 PID 4960 wrote to memory of 720 4960 vWz2696.exe 81 PID 720 wrote to memory of 4468 720 vZg7447.exe 82 PID 720 wrote to memory of 4468 720 vZg7447.exe 82 PID 720 wrote to memory of 4896 720 vZg7447.exe 83 PID 720 wrote to memory of 4896 720 vZg7447.exe 83 PID 720 wrote to memory of 4896 720 vZg7447.exe 83 PID 4960 wrote to memory of 1496 4960 vWz2696.exe 86 PID 4960 wrote to memory of 1496 4960 vWz2696.exe 86 PID 4960 wrote to memory of 1496 4960 vWz2696.exe 86 PID 3444 wrote to memory of 204 3444 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe 88 PID 3444 wrote to memory of 204 3444 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe 88 PID 3444 wrote to memory of 204 3444 534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe"C:\Users\Admin\AppData\Local\Temp\534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vWz2696.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vWz2696.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vZg7447.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vZg7447.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\red4980.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\red4980.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stT7185.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stT7185.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 10725⤵
- Program crash
PID:4140
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txe05qn.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txe05qn.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urv39xk.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urv39xk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 13403⤵
- Program crash
PID:3648
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4896 -ip 48961⤵PID:4476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 204 -ip 2041⤵PID:3304
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
303KB
MD546206315b239aaa7ed7fc548e1580baf
SHA1ae2407c20aaddafc43a5f34c434a18c5a7456698
SHA2566e74bf28e590cdf7f48544ae52bed6b79d490d454776ac45fe30d6b3a3594dde
SHA512ab40025a161e83b8c8d7ddddef3cba1cd0384b365117e10dd0999e78cf36411ed7705cfdb22dd17bb68a1deef249f8c88e241f469cc1d7127cd3e458d249b4da
-
Filesize
303KB
MD546206315b239aaa7ed7fc548e1580baf
SHA1ae2407c20aaddafc43a5f34c434a18c5a7456698
SHA2566e74bf28e590cdf7f48544ae52bed6b79d490d454776ac45fe30d6b3a3594dde
SHA512ab40025a161e83b8c8d7ddddef3cba1cd0384b365117e10dd0999e78cf36411ed7705cfdb22dd17bb68a1deef249f8c88e241f469cc1d7127cd3e458d249b4da
-
Filesize
481KB
MD588b34cc4eeb0eecdb1663781d76e2aa3
SHA1a343ba65719961e95b25b35cf9ebe6582da34b94
SHA256461c9f189e7e69a3425cf4c78dfb09bc6d626010b69e15f754fced62b68c19d8
SHA5128fc27e707cdff3dae80fc74721bc9f94442e83b918bc27502ef17e25d309c487114f589ec7a78aa38c869d51e5edad5d21d33ec27b47979e2a7a45bbe80a5711
-
Filesize
481KB
MD588b34cc4eeb0eecdb1663781d76e2aa3
SHA1a343ba65719961e95b25b35cf9ebe6582da34b94
SHA256461c9f189e7e69a3425cf4c78dfb09bc6d626010b69e15f754fced62b68c19d8
SHA5128fc27e707cdff3dae80fc74721bc9f94442e83b918bc27502ef17e25d309c487114f589ec7a78aa38c869d51e5edad5d21d33ec27b47979e2a7a45bbe80a5711
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
336KB
MD5dbf60c49e646797a595ae3863c7ef8ff
SHA194633845475009574d570e3135da2815631349af
SHA2565df3d32133bd520eb748a0d00626001279bd5c11fc1fe65352c54297b2ebce9c
SHA512d5cb0cd3b0eac3593b2082a51507b7d1befbe56bed20f747761108a7751f9a7e3ad28cccf040880d26dea5ab2ef3ef0418d69087c1784fdea9ec4a736164ce08
-
Filesize
336KB
MD5dbf60c49e646797a595ae3863c7ef8ff
SHA194633845475009574d570e3135da2815631349af
SHA2565df3d32133bd520eb748a0d00626001279bd5c11fc1fe65352c54297b2ebce9c
SHA512d5cb0cd3b0eac3593b2082a51507b7d1befbe56bed20f747761108a7751f9a7e3ad28cccf040880d26dea5ab2ef3ef0418d69087c1784fdea9ec4a736164ce08
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
245KB
MD5bbcaab6d431de6d63e20ec7a085b0526
SHA1e5bb15ef7458b516b37602649498b3d13c4df67d
SHA256e0bd77d953de9c400b8338ca69f2aeb4eadfae945c75081b3c61fcc23ede76ee
SHA5124f9ba138d9b458bb24907b2873a5eb0648858a60c0afac97c7b41adc2a3033d12037770b8d266ec8e2fb821dc8dcefc65c7150af534110e407a9cc672e317ac8
-
Filesize
245KB
MD5bbcaab6d431de6d63e20ec7a085b0526
SHA1e5bb15ef7458b516b37602649498b3d13c4df67d
SHA256e0bd77d953de9c400b8338ca69f2aeb4eadfae945c75081b3c61fcc23ede76ee
SHA5124f9ba138d9b458bb24907b2873a5eb0648858a60c0afac97c7b41adc2a3033d12037770b8d266ec8e2fb821dc8dcefc65c7150af534110e407a9cc672e317ac8