Analysis
max time kernel: 144s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2023, 03:48
Static task: static1
Behavioral task: behavioral1
Sample: e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe
Resource: win10v2004-20230220-en
General
Target: e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe
Size: 526KB
MD5: 148c782f7fa1b16a09bd9cc8d23509d3
SHA1: 127c219ac2f7d6f8c7cdf3d3e18db43da3f22303
SHA256: e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd
SHA512: ba15f92d832af9c7121ac35f786c5374965701755879c3fadf36bac524eb6e821ff70c1a76a28cbadccd90da60322e57b45353392c5909a6a3335049f3cd7fbf
SSDEEP: 12288:vMrGy90/9Tgjy7c1SPVtBMeRu6/omr+6b6o/:ZyuMyQqhnom646o/
Malware Config
Extracted
redline
fud
193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40
Extracted
redline
fabio
193.233.20.27:4123
auth_value: 56b82736c3f56b13be8e64c87d2cf9e5
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sf22Bs65HT85.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sf22Bs65HT85.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sf22Bs65HT85.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sf22Bs65HT85.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sf22Bs65HT85.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sf22Bs65HT85.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 32 IoCs
Executes dropped EXE 4 IoCs
pid | Process
4760 | vhoJ3719MF.exe
2196 | sf22Bs65HT85.exe
928 | tf48zT17fX20.exe
752 | uhVO55HF57CQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sf22Bs65HT85.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vhoJ3719MF.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vhoJ3719MF.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4216 | 928 | WerFault.exe | 88
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2196 | sf22Bs65HT85.exe
2196 | sf22Bs65HT85.exe
928 | tf48zT17fX20.exe
928 | tf48zT17fX20.exe
752 | uhVO55HF57CQ.exe
752 | uhVO55HF57CQ.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2196 | sf22Bs65HT85.exe
Token: SeDebugPrivilege | 928 | tf48zT17fX20.exe
Token: SeDebugPrivilege | 752 | uhVO55HF57CQ.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2300 wrote to memory of 4760 | 2300 | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe | 86
PID 2300 wrote to memory of 4760 | 2300 | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe | 86
PID 2300 wrote to memory of 4760 | 2300 | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe | 86
PID 4760 wrote to memory of 2196 | 4760 | vhoJ3719MF.exe | 87
PID 4760 wrote to memory of 2196 | 4760 | vhoJ3719MF.exe | 87
PID 4760 wrote to memory of 928 | 4760 | vhoJ3719MF.exe | 88
PID 4760 wrote to memory of 928 | 4760 | vhoJ3719MF.exe | 88
PID 4760 wrote to memory of 928 | 4760 | vhoJ3719MF.exe | 88
PID 2300 wrote to memory of 752 | 2300 | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe | 93
PID 2300 wrote to memory of 752 | 2300 | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe | 93
PID 2300 wrote to memory of 752 | 2300 | e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3e5ca7a29b2ed91d6dc9c2223e7dc08eb1ad25fa495368b12cbb20c8043afcd.exe"
  PID: 2300
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhoJ3719MF.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhoJ3719MF.exe
      PID: 4760
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf22Bs65HT85.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf22Bs65HT85.exe
          PID: 2196
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48zT17fX20.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48zT17fX20.exe
          PID: 928
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1348
              PID: 4216
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhVO55HF57CQ.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhVO55HF57CQ.exe
      PID: 752
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 928 -ip 928
  PID: 3740
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 2f9ec278f78fa40153cfd29cd81d0318
SHA1: b1fe5aed536621283e5b7414dfd78884d1dee116
SHA256: 9e693e47069a6377fba18580ff54708f0daf04d1208b66b0469c97deee11e950
SHA512: c5ef2d152890ac58172947090ad9ce97bf5b7b26af7f66fc097477f93f3099bb9752ac840a27ef7819a274cefd6a2992996ee17a25ddcd07fb6b4a7eb2f0af1f
Filesize: 381KB
MD5: d68979a33edf242be1cfb91fae8d2520
SHA1: d6027011c4426cf7212b4e64db890f00cdf641e0
SHA256: 4a6a48c7041815fe04d045ac40550708ce7e71405922e88e55ad034eb8eddd3f
SHA512: 76e776f7a8676438cdae2b85ffb11fd3536b1a1419b2973932023054f1885bf7719ce67d3d3c1e92ab6b2c239ed5cc3509346f12e6c12acc607415aba830dde3
Filesize: 11KB
MD5: f972a7ac085e6c32b6c52bd0cd379c57
SHA1: acc5aa28ded5e648f4693b0ce1ebcf7795fd21ec
SHA256: 410bed8f20fedc3e27a5e6b6364d33a45a5d39792c5893af1087afdf9a975a87
SHA512: 7fabfaf45072558fb6fab2630c78b05c9bc893a1962c4ddc1822cc65e2550336d7732acc97735399b61e2a783d8fdc451690c90a4c2186e914b155f88ba4b2cf
Filesize: 364KB
MD5: 0fb36e6dfd2286b0bb7e48c476a3f73b
SHA1: 38801c7ea1faf291cb471397c38630a305518828
SHA256: edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e
SHA512: 95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d