Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 112s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2023, 09:05
Static task: static1
Behavioral task: behavioral1
- Sample: 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe
- Resource: win10v2004-20230220-en
General
- Target: 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe
- Size: 560KB
- MD5: 291421df6f7af2898e2ddeed7f67168d
- SHA1: 96d55b36bd7bd9501cf515039dae0d94bc843b73
- SHA256: 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226
- SHA512: 7c7b40be2348defe6abf89bbbb6c39c823f2f4791471f26d313d7e655773475a7d0c34a95beddaf1921af4c011dc18d4324b3a501d1ad84d484a0ec19b6a0d7c
- SSDEEP: 12288:lMrjy90TSDQKCL6Xo0UTWTwW3EdFTVGKT/+ujT8HN05VE5YKr:uyOIQKCHxTEwW3MFTAuv8XX
Malware Config
Extracted: redline
- fud
- 193.233.20.27:4123
- auth_value: cddc991efd6918ad5321d80dac884b40
Extracted: redline
- fabio
- 193.233.20.27:4123
- auth_value: 56b82736c3f56b13be8e64c87d2cf9e5
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sf43iD52aO12.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sf43iD52aO12.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sf43iD52aO12.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sf43iD52aO12.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sf43iD52aO12.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sf43iD52aO12.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
Executes dropped EXE 4 IoCs
| PID | Process |
|---|---|
| 4948 | vhSo1836RG.exe |
| 4012 | sf43iD52aO12.exe |
| 4976 | tf63Fr94ad10.exe |
| 4596 | uhHC80LW80SJ.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sf43iD52aO12.exe |
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vhSo1836RG.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vhSo1836RG.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
| PID | Target PID | Process | procid_target |
|---|---|---|---|
| 2424 | 4976 | WerFault.exe | 92 |

Suspicious behavior: EnumeratesProcesses 6 IoCs
| PID | Process |
|---|---|
| 4012 | sf43iD52aO12.exe |
| 4012 | sf43iD52aO12.exe |
| 4976 | tf63Fr94ad10.exe |
| 4976 | tf63Fr94ad10.exe |
| 4596 | uhHC80LW80SJ.exe |
| 4596 | uhHC80LW80SJ.exe |

Suspicious use of AdjustPrivilegeToken 3 IoCs
| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4012 | sf43iD52aO12.exe |
| Token: SeDebugPrivilege | 4976 | tf63Fr94ad10.exe |
| Token: SeDebugPrivilege | 4596 | uhHC80LW80SJ.exe |

Suspicious use of WriteProcessMemory 11 IoCs
| Description | PID | Process | procid_target |
|---|---|---|---|
| PID 1688 wrote to memory of 4948 | 1688 | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe | 85 |
| PID 1688 wrote to memory of 4948 | 1688 | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe | 85 |
| PID 1688 wrote to memory of 4948 | 1688 | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe | 85 |
| PID 4948 wrote to memory of 4012 | 4948 | vhSo1836RG.exe | 86 |
| PID 4948 wrote to memory of 4012 | 4948 | vhSo1836RG.exe | 86 |
| PID 4948 wrote to memory of 4976 | 4948 | vhSo1836RG.exe | 92 |
| PID 4948 wrote to memory of 4976 | 4948 | vhSo1836RG.exe | 92 |
| PID 4948 wrote to memory of 4976 | 4948 | vhSo1836RG.exe | 92 |
| PID 1688 wrote to memory of 4596 | 1688 | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe | 95 |
| PID 1688 wrote to memory of 4596 | 1688 | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe | 95 |
| PID 1688 wrote to memory of 4596 | 1688 | 086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe | 95 |
Processes
- C:\Users\Admin\AppData\Local\Temp\086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSo1836RG.exe (PID 4948)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSo1836RG.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf43iD52aO12.exe (PID 4012)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf43iD52aO12.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Fr94ad10.exe (PID 4976)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Fr94ad10.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2424)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1712
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHC80LW80SJ.exe (PID 4596)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHC80LW80SJ.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3472)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4976 -ip 4976
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: 074f4204e6267a64ef26c723326d5ceb
  SHA1: 116e697dc862d8299264659bb57960513ad4fdc2
  SHA256: 6b765d5dd106f8dc11f38644991f1c22e2d6c3299817a5138bb3009accdd8c01
  SHA512: f17e9cec446cd3ec2fd1d269f32b915d0ba5a330339214213424aa04c3fb8c3ecb5f70fc3ba60725da55956cc801bca0dfaf0b03a6ea5e6bb4ae2c08121e34e9
- Filesize: 415KB
  MD5: f55b1789dca5686179ffe9d8137b4e9e
  SHA1: c210dd8a69a442c9fdc77c629a9a1556c969a0f8
  SHA256: cd9c2b4e15e513cef5bfe400369433d1d74a5bcf9681ed14b44117779320a87b
  SHA512: d179392008142a16599d5405d774d7e875f575cf5ab88347442dc83829c35015cf7aa56433121970db7d09f4a06a0d8b9ea0c422eee86cff289d19e6a5a87ddf
- Filesize: 11KB
  MD5: 7f6b0d19eb465e3d5c9b7d7cc7ecfcdb
  SHA1: 9926bd748b6b11db1ad78962cf284267d5559b73
  SHA256: 36fe72b3737a3096cd932712efcf73ba1051202bb15e63cfd75d93a65524e606
  SHA512: 3b7c2cfd0a1093d70edd8d833720db82f8b0032a94b3a4be8ee0ad7559ca8f1308f8d5b2bfbcd47f92d10d2e12405143a085c2cc8ee44a7f9d1250c9dfe5c084
- Filesize: 416KB
  MD5: 9ce8c74a533c9909e622ad2c5700ca63
  SHA1: bcce3e38eaf3c3b741bad36507671231d94ef844
  SHA256: a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d
  SHA512: 98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73