Analysis
max time kernel: 76s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2023, 13:35
Static task
static1
Behavioral task
behavioral1
Sample
fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe
Resource
win10v2004-20230220-en
General
Target: fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe
Size: 561KB
MD5: 58c9ca78b279871d0ff1cf16506a167f
SHA1: 92d1d776e34e53bee72bd68b304b7d305b476a33
SHA256: fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c
SHA512: 640d99da3bc1ac97a87246f78818dddcd84223e5267d4fdf7a40c13f151e74ba513b6216073ac84bdabc8859cadf746895abd695f8b8686a4f7634a2589702aa
SSDEEP: 12288:XMrey90BoAm0CXayg1+zvgv72HD4y9bKqiLba2SihJH:JyCCqygYzIv72HDL9bYJ/JH
Malware Config
Extracted: redline, botnet "fud", C2 193.233.20.27:4123, auth_value cddc991efd6918ad5321d80dac884b40
Extracted: redline, botnet "fabio", C2 193.233.20.27:4123, auth_value 56b82736c3f56b13be8e64c87d2cf9e5
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sf48EG04zG22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sf48EG04zG22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sf48EG04zG22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sf48EG04zG22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sf48EG04zG22.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sf48EG04zG22.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
Executes dropped EXE 4 IoCs
pid | Process
1192 | vhKy8243Rf.exe
2804 | sf48EG04zG22.exe
3288 | tf12bv42VO09.exe
1308 | uhmI91uw91Eh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sf48EG04zG22.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vhKy8243Rf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vhKy8243Rf.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3988 | 3288 | WerFault.exe | 95
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2804 | sf48EG04zG22.exe
2804 | sf48EG04zG22.exe
3288 | tf12bv42VO09.exe
3288 | tf12bv42VO09.exe
1308 | uhmI91uw91Eh.exe
1308 | uhmI91uw91Eh.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2804 | sf48EG04zG22.exe
Token: SeDebugPrivilege | 3288 | tf12bv42VO09.exe
Token: SeDebugPrivilege | 1308 | uhmI91uw91Eh.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2252 wrote to memory of 1192 | 2252 | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe | 85
PID 2252 wrote to memory of 1192 | 2252 | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe | 85
PID 2252 wrote to memory of 1192 | 2252 | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe | 85
PID 1192 wrote to memory of 2804 | 1192 | vhKy8243Rf.exe | 86
PID 1192 wrote to memory of 2804 | 1192 | vhKy8243Rf.exe | 86
PID 1192 wrote to memory of 3288 | 1192 | vhKy8243Rf.exe | 95
PID 1192 wrote to memory of 3288 | 1192 | vhKy8243Rf.exe | 95
PID 1192 wrote to memory of 3288 | 1192 | vhKy8243Rf.exe | 95
PID 2252 wrote to memory of 1308 | 2252 | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe | 98
PID 2252 wrote to memory of 1308 | 2252 | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe | 98
PID 2252 wrote to memory of 1308 | 2252 | fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe | 98
Processes (indentation shows the parent/child tree; each entry gives the image path, then the command line)
C:\Users\Admin\AppData\Local\Temp\fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2252
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKy8243Rf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKy8243Rf.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1192
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf48EG04zG22.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf48EG04zG22.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2804
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12bv42VO09.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12bv42VO09.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3288
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 996
              - Program crash
              PID: 3988
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmI91uw91Eh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmI91uw91Eh.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1308
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3288 -ip 3288
  PID: 4388
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 176KB
MD5: 189ea510d09a705a27202959556e80a7
SHA1: 2395ef998728c9c18d146da39f9a4d7ac6f1599d
SHA256: 9c899c73ed5019e5003cf258c4c2eff0ee4035369873c0d4d5ac3d8dc06b819f
SHA512: a5abe067aeb0ea9a48fbeb1c02feb95be850fb892c391055a11adf88d69adbf868c2edaa775a831e7e1d28f102a93773c65fd5663b0ef45ee4fc4b30dd00ea67
Filesize: 417KB
MD5: e517b7428cdc7cbbcab1dd56be0d1d6b
SHA1: f4412f79d04dd0865c18fffab353510cefc28cd2
SHA256: c9d227fe88d9e1340972bf80e1db86c2c35ebb929786ce9babf9ed0daae687e1
SHA512: 1413645151a7ae09ebba266ce9b271444258cf3eea1dc505f16860c32e7b380a987a4689da8378adee54fed5e55e42d6f4e96c8594dc925314dd808301e5be62
Filesize: 11KB
MD5: 8881bb2e0748c0ea4141ca241ccda005
SHA1: 9f80fd8d747f1703bd782fd150c33f9f55ef51a8
SHA256: e39aa1b024cd6d15a7e18433a457faa4c532abe1db806cfd6430d09984570072
SHA512: 6f9f638589a9ff44fdaba644720596be34bd08e01ff2d353ce5bfe3e63bfb5de0778ad8b8e0f6867e8eb32e64320fa0d932885e1dff27aedca71920977476dc5
Filesize: 416KB
MD5: 3298bce398b0b8db15538825fc22ec70
SHA1: 97382a7c1ec70bd6549554c69ae3a8b18daddc9c
SHA256: c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd
SHA512: 4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737