Analysis
- max time kernel: 144s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/03/2023, 03:39
Static task: static1
Behavioral task: behavioral1
Sample: 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe
Resource: win10v2004-20230220-en
General
- Target: 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe
- Size: 537KB
- MD5: d19cb4d655e04728642cf71c7b3b65a6
- SHA1: 72830dc74c4899c29fc37b507bc895192bd7e9fd
- SHA256: 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334
- SHA512: bbc74da06c207de18be3760136f78335816be0a26a2218798a8abe37c3e0c82368a499b8e9b802b03c2339dd782b049a5feca97da8c1e18dfac89b8d1edc0ecc
- SSDEEP: 12288:EMrVy90YfbJbp4rZhCPP7gHYN6L1w3HRTK3XvVMPNFY2OMVQs:hyJftt4VhC37g4N6L1OdYX9M3Y2OQP
Malware Config
Extracted
- family: redline
- botnet: rouch
- C2: 193.56.146.11:4162
- auth_value: 1b1735bcfc122c708eae27ca352568de
Extracted
- family: redline
- botnet: fuba
- C2: 193.56.146.11:4162
- auth_value: 43015841fc23c63b15ca6ffe1d278d5e
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw11gE19VH87.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw11gE19VH87.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw11gE19VH87.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw11gE19VH87.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw11gE19VH87.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw11gE19VH87.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
resource | yara_rule
behavioral1/memory/3992-156-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-161-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-159-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-157-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-165-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-163-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-167-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-169-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-171-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-173-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-175-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-177-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-181-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-179-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-185-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-183-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-187-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-189-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-191-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-193-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-203-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-205-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-201-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-199-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-209-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-213-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-211-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-207-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-197-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-215-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-219-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-217-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
behavioral1/memory/3992-195-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
2784 | vSg6705mn.exe
3900 | sw11gE19VH87.exe
3992 | teN05wI51.exe
4000 | urZ50SE04.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw11gE19VH87.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vSg6705mn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vSg6705mn.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3900 | sw11gE19VH87.exe
3900 | sw11gE19VH87.exe
3992 | teN05wI51.exe
3992 | teN05wI51.exe
4000 | urZ50SE04.exe
4000 | urZ50SE04.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3900 | sw11gE19VH87.exe
Token: SeDebugPrivilege | 3992 | teN05wI51.exe
Token: SeDebugPrivilege | 4000 | urZ50SE04.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1596 wrote to memory of 2784 | 1596 | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe | 84
PID 1596 wrote to memory of 2784 | 1596 | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe | 84
PID 1596 wrote to memory of 2784 | 1596 | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe | 84
PID 2784 wrote to memory of 3900 | 2784 | vSg6705mn.exe | 85
PID 2784 wrote to memory of 3900 | 2784 | vSg6705mn.exe | 85
PID 2784 wrote to memory of 3992 | 2784 | vSg6705mn.exe | 90
PID 2784 wrote to memory of 3992 | 2784 | vSg6705mn.exe | 90
PID 2784 wrote to memory of 3992 | 2784 | vSg6705mn.exe | 90
PID 1596 wrote to memory of 4000 | 1596 | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe | 93
PID 1596 wrote to memory of 4000 | 1596 | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe | 93
PID 1596 wrote to memory of 4000 | 1596 | 7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f1ac9f2294fc9813e584fd30023938a79fdb6edc3b7fd1210033c2291cd8334.exe"
  PID: 1596
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSg6705mn.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSg6705mn.exe
    PID: 2784
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw11gE19VH87.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw11gE19VH87.exe
      PID: 3900
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\teN05wI51.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\teN05wI51.exe
      PID: 3992
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urZ50SE04.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urZ50SE04.exe
    PID: 4000
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: 6ee553b0c79b6351a21ed8fb41ca02cf
  SHA1: 19924bf3facde5eb2bf0c9b4b930a27a4b2767f9
  SHA256: 49251cc83c865b9b6f4cdbe8b7e913780ee04aa8135941ab83a03e2a09fb2acb
  SHA512: 6936724b90e5e24dd0bc3fca1d0dc0d1c290eb5ae7680b7aaf38b0d05cd1c5911714dd9e97cb9445bc55c6c8a27233580e81f985a83a229303731615c789a280
- Filesize: 391KB
  MD5: 30ace2968d3075b2ca6f1ba146ce0f62
  SHA1: 5125a09ccdd1c0d7e21011388e9f04a8799c42fc
  SHA256: 00419880055ef06dd9e12e747d834a5863f7e3545dd1e5d4c0e0a09a26c6fe92
  SHA512: 034ec739cddb37e7e5a82407da8c4b65ad570519986f6d978f22594c79541d379304717754fac53e5cfcda719807d8b0c5f2ce54185df2733fb58f7712d63970
- Filesize: 12KB
  MD5: ca741b6166fc749f650a840ce47d0508
  SHA1: f8eb79b1c1e17f42fc6c5e94a4c2566a9c896260
  SHA256: ae0a3764f02092fdf14c29d4be07556411af9281f8dc80f7c782a540941f588f
  SHA512: 2116aa3b640e5c22e6736dc5b94ec31c0873eee5f4569d5aa5e0fffd53f2b93a031c516fc48b5368665f977aea39ec2f9c1a6037b3e7bdce6ad111b46335b3da
- Filesize: 304KB
  MD5: 6940451e769c094029427d1531775121
  SHA1: 03c763ca8ebc6896fb35c9f8d4d3fc64d03fe850
  SHA256: ab9bbcc3bb273a1f13db7566032205b26f5a4a634194ba39007349aa34801dca
  SHA512: 53578c0693e6a171feec767f38f4601da453875d14a37f82e3ca30cce3b7217d4b5b0a6de659d54d11810ee238bd5816d2bc9635cf20dcd9f73901a09c08ff06