Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
77s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
04/03/2023, 05:16
Static task
static1
Behavioral task
behavioral1
Sample
cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe
Resource
win10v2004-20230220-en
General
-
Target
cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe
-
Size
659KB
-
MD5
09ee40cdf9bb0ac0f8d08893a4308016
-
SHA1
d099b1f19f300691f8621928eb33fd5c5f011cfd
-
SHA256
cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040
-
SHA512
93984354f963acd12a35aebcd4032cfeba2df057ab761ff8c0576e0e5429e0c1215c7c5fcbc06eb63e8bd60962d12e128c150b7372f4e50620e8626f203eee8a
-
SSDEEP
12288:TMrgy90evpJcRtH7lUJW6TEvmeiLjhklnwfoio1AwAQEiXTG9g:Hy2tH5sxEOjjhInMcHXTX
Malware Config
Extracted
redline
rosto
hueref.eu:4162
-
auth_value
07d81eba8cad42bbd0ae60042d48eac6
Extracted
redline
foksa
hueref.eu:4162
-
auth_value
6a9b2601a21672b285de3ed41b5402e4
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection urMk27oF71.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" urMk27oF71.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" urMk27oF71.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" urMk27oF71.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" urMk27oF71.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" urMk27oF71.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/1116-191-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-192-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-194-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-196-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-198-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-200-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-202-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-204-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-206-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-208-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-210-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-212-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-214-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-216-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-218-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-220-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-222-0x0000000005100000-0x000000000513E000-memory.dmp family_redline behavioral1/memory/1116-224-0x0000000005100000-0x000000000513E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2132 ycSR33bg56.exe 1504 urMk27oF71.exe 1116 wrci56Uk47.exe 1960 xumG71iJ61.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features urMk27oF71.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" urMk27oF71.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ycSR33bg56.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ycSR33bg56.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4612 1504 WerFault.exe 86 2924 1116 WerFault.exe 93 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1504 urMk27oF71.exe 1504 urMk27oF71.exe 1116 wrci56Uk47.exe 1116 wrci56Uk47.exe 1960 xumG71iJ61.exe 1960 xumG71iJ61.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1504 urMk27oF71.exe Token: SeDebugPrivilege 1116 wrci56Uk47.exe Token: SeDebugPrivilege 1960 xumG71iJ61.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4244 wrote to memory of 2132 4244 cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe 85 PID 4244 wrote to memory of 2132 4244 cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe 85 PID 4244 wrote to memory of 2132 4244 cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe 85 PID 2132 wrote to memory of 1504 2132 ycSR33bg56.exe 86 PID 2132 wrote to memory of 1504 2132 ycSR33bg56.exe 86 PID 2132 wrote to memory of 1504 2132 ycSR33bg56.exe 86 PID 2132 wrote to memory of 1116 2132 ycSR33bg56.exe 93 PID 2132 wrote to memory of 1116 2132 ycSR33bg56.exe 93 PID 2132 wrote to memory of 1116 2132 ycSR33bg56.exe 93 PID 4244 wrote to memory of 1960 4244 cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe 97 PID 4244 wrote to memory of 1960 4244 cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe 97 PID 4244 wrote to memory of 1960 4244 cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe"C:\Users\Admin\AppData\Local\Temp\cce03db758554e7162259948e471d558d97ffb02ed5284debfcc9c2ad4dd1040.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycSR33bg56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycSR33bg56.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urMk27oF71.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urMk27oF71.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 10804⤵
- Program crash
PID:4612
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrci56Uk47.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrci56Uk47.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 17644⤵
- Program crash
PID:2924
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xumG71iJ61.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xumG71iJ61.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1504 -ip 15041⤵PID:3172
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1116 -ip 11161⤵PID:3840
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD575ced8ad0d8cd237ebc9cb7b00852651
SHA1adab63df3e0a40fd9f170ab57da66f01f226141c
SHA256a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819
SHA512f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431
-
Filesize
175KB
MD575ced8ad0d8cd237ebc9cb7b00852651
SHA1adab63df3e0a40fd9f170ab57da66f01f226141c
SHA256a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819
SHA512f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431
-
Filesize
515KB
MD5599f3583e2a6ecc4c506526355bab406
SHA15885604e0abc91dc6e44045ed58f98824d58da51
SHA256750980bb6cd241c01c9a91ff6907bed1efaf1c7b1ccddda1d64d4bb67c5fcea4
SHA5126f74b824e54c3368fcf433ca802cdc3f4c8167ea650d31c70ffafd4db563e8c6092150acaf1db380189bf0b91eeec792c238d397348f8aa94cc81448746aeb54
-
Filesize
515KB
MD5599f3583e2a6ecc4c506526355bab406
SHA15885604e0abc91dc6e44045ed58f98824d58da51
SHA256750980bb6cd241c01c9a91ff6907bed1efaf1c7b1ccddda1d64d4bb67c5fcea4
SHA5126f74b824e54c3368fcf433ca802cdc3f4c8167ea650d31c70ffafd4db563e8c6092150acaf1db380189bf0b91eeec792c238d397348f8aa94cc81448746aeb54
-
Filesize
232KB
MD5be1c9ba8d385566aa2c1c0fe1001af3e
SHA1bf40ca7120746478f12d9c7d430ae7945568a502
SHA2568b7d7f82899b5d6718e90bea99fc1d9aabc09d961bada4eb29790661fa8260b4
SHA5125c4edda4e7eb88164a82de739a373a388c1a7cf3e296aafffd95c2a4385ec63ca214455f53c33d1c86e7a268524d0d726e5f5775ab1c9c41d378c5c754215ae6
-
Filesize
232KB
MD5be1c9ba8d385566aa2c1c0fe1001af3e
SHA1bf40ca7120746478f12d9c7d430ae7945568a502
SHA2568b7d7f82899b5d6718e90bea99fc1d9aabc09d961bada4eb29790661fa8260b4
SHA5125c4edda4e7eb88164a82de739a373a388c1a7cf3e296aafffd95c2a4385ec63ca214455f53c33d1c86e7a268524d0d726e5f5775ab1c9c41d378c5c754215ae6
-
Filesize
290KB
MD58fee42f989bab807a7e66858ba5fe89d
SHA12f0c74aba0b54d351ac033248a718fa08edbfd91
SHA2560b8c7c56907917d4b837cb95e0f7f47223d4457ddddd5986922cd7e3d61d70e5
SHA512d4e1289b7bd0255a74eb8b85b552326ef288d45a9c69188a70215ecba62c984ecdb2ebb8ded103a699d109bf6d82ade212ed7c3dda8e04e780a79593cc3f6926
-
Filesize
290KB
MD58fee42f989bab807a7e66858ba5fe89d
SHA12f0c74aba0b54d351ac033248a718fa08edbfd91
SHA2560b8c7c56907917d4b837cb95e0f7f47223d4457ddddd5986922cd7e3d61d70e5
SHA512d4e1289b7bd0255a74eb8b85b552326ef288d45a9c69188a70215ecba62c984ecdb2ebb8ded103a699d109bf6d82ade212ed7c3dda8e04e780a79593cc3f6926