Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2023, 23:08
Static task: static1
Behavioral task: behavioral1
- Sample: 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
- Resource: win10v2004-20230220-en
General
- Target: 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
- Size: 543KB
- MD5: 66541493e865ecb4987cd03ace809213
- SHA1: 72db71fda9f0ce821c17e4039b76a32a94224e22
- SHA256: 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce
- SHA512: 87ba635fbf3a538e2db296f90c266972c1dc63e6f9e1e8577bcffa6ea3fe78a389b666140bc9cf75c7dfa54ed6a62fa9aab65850f8b2b19d32ce6aebd2d81b2b
- SSDEEP: 12288:xMrey9025UmNm/TsBWwoxHUL8n7rfllLAekOWr0C7f4T9KM:LyP5UgB5oOYnllLA8WolR
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw02au24Pm95.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw02au24Pm95.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw02au24Pm95.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw02au24Pm95.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw02au24Pm95.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw02au24Pm95.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs, YARA rule family_redline)
Executes dropped EXE (3 IoCs)
pid | Process
- 3748 | vXU3653uW.exe
- 3424 | sw02au24Pm95.exe
- 928 | tAa98gm10.exe

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw02au24Pm95.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vXU3653uW.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vXU3653uW.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 3424 | sw02au24Pm95.exe
- 3424 | sw02au24Pm95.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3424 | sw02au24Pm95.exe
- Token: SeDebugPrivilege | 928 | tAa98gm10.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 3964 wrote to memory of 3748 | 3964 | 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe | 86
- PID 3964 wrote to memory of 3748 | 3964 | 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe | 86
- PID 3964 wrote to memory of 3748 | 3964 | 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe | 86
- PID 3748 wrote to memory of 3424 | 3748 | vXU3653uW.exe | 87
- PID 3748 wrote to memory of 3424 | 3748 | vXU3653uW.exe | 87
- PID 3748 wrote to memory of 928 | 3748 | vXU3653uW.exe | 88
- PID 3748 wrote to memory of 928 | 3748 | vXU3653uW.exe | 88
- PID 3748 wrote to memory of 928 | 3748 | vXU3653uW.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe (PID 3964, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXU3653uW.exe (PID 3748, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXU3653uW.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw02au24Pm95.exe (PID 3424, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw02au24Pm95.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tAa98gm10.exe (PID 928, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tAa98gm10.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 399KB
  MD5: 50bc7efd4a38f37c52900a65cfce76c7
  SHA1: 0c2fc47376b5ce8c44eddbcf19ccacfc809ca213
  SHA256: e639ce2395316cd29730de3e41d3ee0b71c37ed4ea51b15c9b3fa07defc1b457
  SHA512: a1d526fa58bcd0d2248b8d1aee6b064f988d1fa96295fc294daadbcaece7dac18aee77db764289034a669827c602378b6b48e6554c398de6f5d708445c186faa
- Filesize: 13KB
  MD5: 686416842f14ee97e8415b3567bc3ab3
  SHA1: 220e60b932739148814a1c76d9ca59de3d7a4c81
  SHA256: dbade68c39972522578365edf7ab175aabca2c057beb78057b8b63226b61af71
  SHA512: 2539532e5bebee1bd80d38ebe5271c443a2cd5d39598572d1dcd3de0f2b1b269bfcf6a88d089cf7aa4f57422cc621cb77903d17213d38169975a23fca3c12a5e
- Filesize: 374KB
  MD5: 049b7e9c3b3777fd130ad01127cd8268
  SHA1: 7f56ea5b4e7029a2da226d899ddfce99ff960e0f
  SHA256: aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68
  SHA512: d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1