Analysis
- max time kernel: 133s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/03/2023, 13:32

Static task: static1
Behavioral task: behavioral1
Sample: 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe
Resource: win10v2004-20230220-en

General
- Target: 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe
- Size: 550KB
- MD5: ae040c62715a5c3085a38efc1fd02896
- SHA1: 7cc14b20a768d56f53724d4e7f030e96246e4001
- SHA256: 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698
- SHA512: 8df31c65864338c6b98555519812cf56e95de27b7f532c8b0f825efec022fb63f0e34ef2268dd436dfa1c45f44b4f891c9050144bf9b260e561016c5994187e5
- SSDEEP: 12288:KMryy907uazDQXKMonatNDsUspkBz+MOS+xVI:IyCuanA2ssUajMOBM
Malware Config
Extracted
- Family: redline
- Botnet: stek
- C2: melevv.eu:4162
- auth_value: 4205381daf6946b2df5fe3bc7eacc918
Extracted
- Family: redline
- Botnet: fomich
- C2: melevv.eu:4162
- auth_value: b018e52ac946001794d8b8c23e901859
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw91lC54vI56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw91lC54vI56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw91lC54vI56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw91lC54vI56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw91lC54vI56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw91lC54vI56.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 33 IoCs
resource | yara_rule
behavioral1/memory/4444-158-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-159-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-161-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-163-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-165-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-167-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-169-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-171-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-173-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-175-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-177-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-179-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-181-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-183-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-185-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-187-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-189-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-191-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-193-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-195-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-197-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-199-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-201-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-203-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-205-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-207-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-211-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-209-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-213-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-215-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-217-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-219-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline
behavioral1/memory/4444-221-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline

Executes dropped EXE 4 IoCs
pid | Process
3680 | vGA9397HS.exe
464 | sw91lC54vI56.exe
4444 | tdZ17ai06.exe
2360 | uGm10Bh13.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw91lC54vI56.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vGA9397HS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vGA9397HS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3132 | sc.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
760 | 4444 | WerFault.exe | 97

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
464 | sw91lC54vI56.exe
464 | sw91lC54vI56.exe
4444 | tdZ17ai06.exe
4444 | tdZ17ai06.exe
2360 | uGm10Bh13.exe
2360 | uGm10Bh13.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 464 | sw91lC54vI56.exe
Token: SeDebugPrivilege | 4444 | tdZ17ai06.exe
Token: SeDebugPrivilege | 2360 | uGm10Bh13.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4056 wrote to memory of 3680 | 4056 | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe | 87
PID 4056 wrote to memory of 3680 | 4056 | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe | 87
PID 4056 wrote to memory of 3680 | 4056 | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe | 87
PID 3680 wrote to memory of 464 | 3680 | vGA9397HS.exe | 88
PID 3680 wrote to memory of 464 | 3680 | vGA9397HS.exe | 88
PID 3680 wrote to memory of 4444 | 3680 | vGA9397HS.exe | 97
PID 3680 wrote to memory of 4444 | 3680 | vGA9397HS.exe | 97
PID 3680 wrote to memory of 4444 | 3680 | vGA9397HS.exe | 97
PID 4056 wrote to memory of 2360 | 4056 | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe | 101
PID 4056 wrote to memory of 2360 | 4056 | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe | 101
PID 4056 wrote to memory of 2360 | 4056 | 4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe | 101
Processes
- image: C:\Users\Admin\AppData\Local\Temp\4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe
  command: "C:\Users\Admin\AppData\Local\Temp\4dad9843e780e46eae518f0d8cfc4f8ec6b8455959f93ecef77bc3c769bc9698.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4056
  - image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGA9397HS.exe
    command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGA9397HS.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3680
    - image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw91lC54vI56.exe
      command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw91lC54vI56.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:464
    - image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tdZ17ai06.exe
      command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tdZ17ai06.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4444
      - image: C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1408
        - Program crash
        PID:760
  - image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uGm10Bh13.exe
    command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uGm10Bh13.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- image: C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4444 -ip 4444
  PID:4924
- image: C:\Windows\system32\sc.exe
  command: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID:3132
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: b70a0b4de51207e9441c71fc9d49025f
  SHA1: 87eaa29ed5f5f846b04b716d28c9aa9fde1f7264
  SHA256: b78595bfbbcc9ba42634d512700b68ab3887adc11ce9b790d27b9c11af4a4882
  SHA512: 6019d377056f84571009f47f8922f7945f8a6906643e50be06dea661ac3a443cccb5872d794fb0d3312a1feeb43261a3016f7b18e20294d6bd6c19d75787a410
- Filesize: 405KB
  MD5: 40bb3a00cadc7be7602f61139614a214
  SHA1: 2a46e04a49ca36319a9f307be3f10994a30984ac
  SHA256: f5ca7b108877138d19f36029fdb806941cc7238cd78cb842b36500a9448dc675
  SHA512: 33edfc2ac4d1ed8702d4c8b7c4fbfc6d6159b59f814f1bc501a65d9ce5676d892a9d5fc15bc58a477c65f4afd5a7bdccadfb55edc548b055b4010b29f22755fd
- Filesize: 17KB
  MD5: c6307f2b9593977dd852cab6bec1d549
  SHA1: 6a74543f09f76c7dcacbdecf53ac0efea5e6edf6
  SHA256: 2281613e348b8b63544c36cc84ce0dbad5eedc83f3a668f42fd67d02eb38297b
  SHA512: 25fe6fc1a910804d15fef96cc494597a2bf1798805ea21ca4be756e4883d014c1d9b949ffef13b973e9fbc1b1136d60d4826a942a151c43e79831fac75de98d0
- Filesize: 387KB
  MD5: 114729e73998f8b36384a7c4cadcf3b0
  SHA1: aca4ea52bbd204fa016311eb5e1f6ef9770f2362
  SHA256: dbeeca1aaeaa247cb4a672c8741e578a235817831a080ce894a08d71a1bbb7fa
  SHA512: 4044a648270d77f84c822346d483fa32a39c24b3088a874a4d9e53584ed228e1a67c4c10654eb20209dc48339308d65c5c8bde33f26eb6e5d0741f354f24cc44