Analysis
- max time kernel: 88s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/03/2023, 17:31

Static task: static1

Behavioral task: behavioral1
- Sample: 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe
- Resource: win10v2004-20230220-en
General
- Target: 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe
- Size: 717KB
- MD5: b6f69d073ca957a77fa9fd5c2b48f840
- SHA1: 6e9e3dcc63bf6d7ccc286c4c001e5c63c70a7b4f
- SHA256: 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18
- SHA512: f0fc6875d3b1c1f83f6285e502dd7eb3ee71a3a53e775692fa70c836fa04ff05572de3d055a511ba6c2c9295139d59b9e2460410a538105ff71b86d4b1dd333d
- SSDEEP: 12288:PMrBy90J/Ax/XQFupIA/aagZM//hou1/2uD5QnG4fLUQl9Z:yyIAJuuh3mIezDZ
Malware Config

Extracted
- redline
- fud
- 193.233.20.27:4123
- auth_value: cddc991efd6918ad5321d80dac884b40

Extracted
- redline
- misha
- 193.56.146.11:4173
- auth_value: e17e441c954db214b94a603a7b0b1aea
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | r4331li.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | r4331li.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | r4331li.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | r4331li.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | r4331li.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | r4331li.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 18 IoCs
resource | yara_rule
- behavioral1/memory/2400-193-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-195-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-198-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-200-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-202-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-204-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-206-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-208-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-210-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-212-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-214-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-216-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-218-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-220-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-224-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-222-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-226-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline
- behavioral1/memory/2400-228-0x0000000002640000-0x000000000267E000-memory.dmp | family_redline

Executes dropped EXE 4 IoCs
pid | Process
- 3164 | ycMM8321fs.exe
- 2488 | r4331li.exe
- 2400 | w06MO52.exe
- 3188 | xzhGF00.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | r4331li.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | r4331li.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ycMM8321fs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ycMM8321fs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
- 4376 | 2488 | WerFault.exe | 88
- 940 | 2400 | WerFault.exe | 94

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
- 2488 | r4331li.exe
- 2488 | r4331li.exe
- 2400 | w06MO52.exe
- 2400 | w06MO52.exe
- 3188 | xzhGF00.exe
- 3188 | xzhGF00.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2488 | r4331li.exe
- Token: SeDebugPrivilege | 2400 | w06MO52.exe
- Token: SeDebugPrivilege | 3188 | xzhGF00.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
- PID 3804 wrote to memory of 3164 | 3804 | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe | 87
- PID 3804 wrote to memory of 3164 | 3804 | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe | 87
- PID 3804 wrote to memory of 3164 | 3804 | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe | 87
- PID 3164 wrote to memory of 2488 | 3164 | ycMM8321fs.exe | 88
- PID 3164 wrote to memory of 2488 | 3164 | ycMM8321fs.exe | 88
- PID 3164 wrote to memory of 2488 | 3164 | ycMM8321fs.exe | 88
- PID 3164 wrote to memory of 2400 | 3164 | ycMM8321fs.exe | 94
- PID 3164 wrote to memory of 2400 | 3164 | ycMM8321fs.exe | 94
- PID 3164 wrote to memory of 2400 | 3164 | ycMM8321fs.exe | 94
- PID 3804 wrote to memory of 3188 | 3804 | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe | 98
- PID 3804 wrote to memory of 3188 | 3804 | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe | 98
- PID 3804 wrote to memory of 3188 | 3804 | 79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe | 98
Processes

[1] C:\Users\Admin\AppData\Local\Temp\79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\79cbdcbc3657f42e3e23e0347cc380db70648317cc497f9f92c4341dafae3b18.exe"
    PID: 3804
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycMM8321fs.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycMM8321fs.exe
        PID: 3164
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4331li.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4331li.exe
            PID: 2488
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 992
                PID: 4376
                - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\w06MO52.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\w06MO52.exe
            PID: 2400
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1368
                PID: 940
                - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xzhGF00.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xzhGF00.exe
        PID: 3188
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2488 -ip 2488
    PID: 2556

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2400 -ip 2400
    PID: 3972
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 175KB
  MD5: fb6b1dfc1d31819df66b4eba004f4f1e
  SHA1: 8fb4085acc6bdac0c653130d20ccf87dc0a4bc16
  SHA256: 4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549
  SHA512: 270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

- Filesize: 175KB
  MD5: fb6b1dfc1d31819df66b4eba004f4f1e
  SHA1: 8fb4085acc6bdac0c653130d20ccf87dc0a4bc16
  SHA256: 4a8cf958110e605398244c588878680f5f367bf064573a69fded3f4ca70c7549
  SHA512: 270f0208fac6330d413709de2f1aa348f20e434bb70b886a96e7db87f74607c9dcbee92b458ea375ca9d22a89af46b31655b84d6f26fac3d12e63f8242d41f3a

- Filesize: 572KB
  MD5: f94453b051b307cd4c8779f692cf1e60
  SHA1: 1c445031e84c2122bd88f3bcfe6172f4806f11d6
  SHA256: f022ca56d6ee3d75482b975350d94dc593fd4f70dbcaf5de88ade42ea6aca3d7
  SHA512: 1bb9fefde7421d20241237d94cdc50261ef1edb0764f589c935c407294fbe28cf64b6a6f65d9be9ab1d454e5b9f6be1730c8c738754002cdf66232d7070599cd

- Filesize: 572KB
  MD5: f94453b051b307cd4c8779f692cf1e60
  SHA1: 1c445031e84c2122bd88f3bcfe6172f4806f11d6
  SHA256: f022ca56d6ee3d75482b975350d94dc593fd4f70dbcaf5de88ade42ea6aca3d7
  SHA512: 1bb9fefde7421d20241237d94cdc50261ef1edb0764f589c935c407294fbe28cf64b6a6f65d9be9ab1d454e5b9f6be1730c8c738754002cdf66232d7070599cd

- Filesize: 363KB
  MD5: 5f9106c1a4ae0150887ac3eadc521f31
  SHA1: b7c59f033e09829e70ebf380ef9c33aff98d2bf4
  SHA256: ddda2d12c18f4944b44af8c6bb030ae608060d087483c423acf217c4c4ed5411
  SHA512: 80ab71ecb332f2316abf7cb73c4811bf2162c2e95fc0670fcd8d26370158e2b2f342328ece12e9edeed90a7568d24d0048bdb9ee3ea928fd80d1499851c5caf3

- Filesize: 363KB
  MD5: 5f9106c1a4ae0150887ac3eadc521f31
  SHA1: b7c59f033e09829e70ebf380ef9c33aff98d2bf4
  SHA256: ddda2d12c18f4944b44af8c6bb030ae608060d087483c423acf217c4c4ed5411
  SHA512: 80ab71ecb332f2316abf7cb73c4811bf2162c2e95fc0670fcd8d26370158e2b2f342328ece12e9edeed90a7568d24d0048bdb9ee3ea928fd80d1499851c5caf3

- Filesize: 365KB
  MD5: 845708fe8e574bb4ae832556c0598a40
  SHA1: 9c85ea1653e0a6cd465356bba04ea0b5b106a7e3
  SHA256: 03d64d5b343e6d39c98916b02fcaf9a90bf0eef42e35e3b9d6dcb1ad735ec639
  SHA512: edf2fd1ec51e3d3cb9d3e00b20a644ee2f375b52156c445fea3e1b565d387bf8f217824bfeddf043119343947a91a2e5470fb3ac572f0160cbf0f1894ba20a89

- Filesize: 365KB
  MD5: 845708fe8e574bb4ae832556c0598a40
  SHA1: 9c85ea1653e0a6cd465356bba04ea0b5b106a7e3
  SHA256: 03d64d5b343e6d39c98916b02fcaf9a90bf0eef42e35e3b9d6dcb1ad735ec639
  SHA512: edf2fd1ec51e3d3cb9d3e00b20a644ee2f375b52156c445fea3e1b565d387bf8f217824bfeddf043119343947a91a2e5470fb3ac572f0160cbf0f1894ba20a89