Analysis
- max time kernel: 112s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/03/2023, 15:04

Static task: static1

Behavioral task: behavioral1
- Sample: fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe
- Resource: win10v2004-20230220-en
General
- Target: fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe
- Size: 536KB
- MD5: bfa4d99a117a4301d2322d422ef4c259
- SHA1: 94aa1c8cb8a45faeb08ffc4eb5010a88e0ea9151
- SHA256: fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6
- SHA512: 10a5facd01ca6102540b8d11d69b1ffb897fdf830642551835ecec01fa55a86b1b0509c827e8215fdfb7625188af4b390282a993bfbc41cfaf680afbfc152b8c
- SSDEEP: 12288:yMr9y903km7imex7eIKE9AY0PLeoyqbc/TjKgt:zyfmemeB79J0Par1/Kgt
Malware Config

Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc

Extracted
- Family: redline
- Botnet: forma
- C2: 193.233.20.24:4123
- auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw18zL39GR34.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw18zL39GR34.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw18zL39GR34.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw18zL39GR34.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw18zL39GR34.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw18zL39GR34.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
Executes dropped EXE 4 IoCs
pid | Process
- 4244 | vDu4227Am.exe
- 1252 | sw18zL39GR34.exe
- 976 | tnD66kW27.exe
- 60 | uSR73ci65.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw18zL39GR34.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vDu4227Am.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vDu4227Am.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
- 4668 | 976 | WerFault.exe | 93

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
- 1252 | sw18zL39GR34.exe
- 1252 | sw18zL39GR34.exe
- 976 | tnD66kW27.exe
- 976 | tnD66kW27.exe
- 60 | uSR73ci65.exe
- 60 | uSR73ci65.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 1252 | sw18zL39GR34.exe
- Token: SeDebugPrivilege | 976 | tnD66kW27.exe
- Token: SeDebugPrivilege | 60 | uSR73ci65.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
- PID 5032 wrote to memory of 4244 | 5032 | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe | 86
- PID 5032 wrote to memory of 4244 | 5032 | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe | 86
- PID 5032 wrote to memory of 4244 | 5032 | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe | 86
- PID 4244 wrote to memory of 1252 | 4244 | vDu4227Am.exe | 87
- PID 4244 wrote to memory of 1252 | 4244 | vDu4227Am.exe | 87
- PID 4244 wrote to memory of 976 | 4244 | vDu4227Am.exe | 93
- PID 4244 wrote to memory of 976 | 4244 | vDu4227Am.exe | 93
- PID 4244 wrote to memory of 976 | 4244 | vDu4227Am.exe | 93
- PID 5032 wrote to memory of 60 | 5032 | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe | 97
- PID 5032 wrote to memory of 60 | 5032 | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe | 97
- PID 5032 wrote to memory of 60 | 5032 | fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe | 97
Processes

- C:\Users\Admin\AppData\Local\Temp\fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe (PID 5032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fedf65bda42af501256549fb1c6b40dafd84b1c108f09c457e608d92dac43fc6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vDu4227Am.exe (PID 4244)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vDu4227Am.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw18zL39GR34.exe (PID 1252)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw18zL39GR34.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnD66kW27.exe (PID 976)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnD66kW27.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4668)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1348
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uSR73ci65.exe (PID 60)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uSR73ci65.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 1424)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 976 -ip 976
Downloads
- Filesize: 177KB
  MD5: e997e37123bd1f0fe5662707cd5987b1
  SHA1: 786ea5feb09cf3df8792b251361f20d7c10a860a
  SHA256: 064180d394a349426aa8b7e0cd010f0025fa0adcee2f57f74310a059c8f31c45
  SHA512: 44a5b4a7afca83b04ede201a2efb963c907afd8c63ff4819f8d801be017c99f36c3d25b3523f608e6bea6812ec9f716562db0cddb2d9dcaf98e9b69f4b9fbc0e
- Filesize: 391KB
  MD5: 33375ab02242930d566020d37e22d7c3
  SHA1: ceb92bb018fa6c6902ee638f03a13350bb7f4148
  SHA256: 222ecddfafe2b82331f53d5cad9369ad34ae5f866322478e7337da11e88402e3
  SHA512: 2a4eb0601c6a67f5e233ede764ce4a31ce9cc5f14b2f092d20b12c06a2221c99ad402966c519040a38b834e732faba1a45c2c295ed3636743fbd6d1b6f4763c5
- Filesize: 17KB
  MD5: ee8461612b6b473e3e0f320614af71f0
  SHA1: 53a99492636f59c1611fb941ad782b49b0c06149
  SHA256: 83ca562cc214d3c68635eb1686f3139143a7ff2f1c437c6c2d288b61899eed68
  SHA512: dfac9d901144faaf469af5059e059466842aa6c7ecd93f1e635fb5f26286e3d7092ca453076f3748342cd0b3c9770ad3fb64c878e9a3bc5d97e7d603fed2ef5e
- Filesize: 304KB
  MD5: ad61b513e0bbc3784d0c28ba13ab19ff
  SHA1: 0d86785da45331516385d7d72e18457e32b89aed
  SHA256: 5e58f65612a82a7a2a61a80f45d1cc0d756372bc05a8160e1d962270d2e1b037
  SHA512: 80d72ceb8b82f962a85381078abf4826412537604ff74749d05ff926f79ca143107219d217520050561b09675b04bfef14ddee37b2dc4818a84bf04c785afe0a