Analysis
max time kernel: 147s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/03/2023, 17:40
Static task
static1
Behavioral task
behavioral1
Sample
cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe
Resource
win10v2004-20230221-en
General
Target: cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe
Size: 837KB
MD5: 1b660e47773d0641eae4039f163130c2
SHA1: dddd18e6258a4d25462638663517f483993fb9a1
SHA256: cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f
SHA512: 75342833c7e7147e7c5928a26e908610dc9ec6b6e22fa08b34fec4561e17f36ba8c99ae53be8081e1cb7310ebd966350cabaca7274c2cfb24c493a0604b28804
SSDEEP: 12288:GMrdy90j6w0g0VzpfUQ/igyGn4WfCy0y+WVawMuFhqTk608V97xjscoCxDuNfOGo:TyVTbUQqSn4mt0JWEIqTkPKRxoCoNlI
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e
Extracted
Family: redline
Botnet: ruka
C2: 193.233.20.28:4125
auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | f4852pe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h37En44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h37En44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h37En44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h37En44.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | f4852pe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | f4852pe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | f4852pe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f4852pe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | f4852pe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | h37En44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h37En44.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/5064-205-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-206-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-208-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-212-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-210-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-214-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-216-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-218-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-220-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-222-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-224-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-226-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-228-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-233-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-230-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-235-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-237-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/5064-239-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline

Executes dropped EXE 6 IoCs
pid | Process
396 | niba5653.exe
1832 | niba8101.exe
1656 | f4852pe.exe
3960 | h37En44.exe
5064 | iTnCO77.exe
4436 | l86Wk20.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | f4852pe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | h37En44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | h37En44.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | niba5653.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba8101.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | niba8101.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba5653.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 5 IoCs
pid | pid_target | Process | procid_target
4080 | 3960 | WerFault.exe | 92
3096 | 3960 | WerFault.exe | 92
4180 | 5064 | WerFault.exe | 100
1212 | 5064 | WerFault.exe | 100
828 | 5064 | WerFault.exe | 100

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1656 | f4852pe.exe
1656 | f4852pe.exe
3960 | h37En44.exe
3960 | h37En44.exe
5064 | iTnCO77.exe
5064 | iTnCO77.exe
4436 | l86Wk20.exe
4436 | l86Wk20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1656 | f4852pe.exe
Token: SeDebugPrivilege | 3960 | h37En44.exe
Token: SeDebugPrivilege | 5064 | iTnCO77.exe
Token: SeDebugPrivilege | 4436 | l86Wk20.exe

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2640 wrote to memory of 396 | 2640 | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe | 85
PID 2640 wrote to memory of 396 | 2640 | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe | 85
PID 2640 wrote to memory of 396 | 2640 | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe | 85
PID 396 wrote to memory of 1832 | 396 | niba5653.exe | 86
PID 396 wrote to memory of 1832 | 396 | niba5653.exe | 86
PID 396 wrote to memory of 1832 | 396 | niba5653.exe | 86
PID 1832 wrote to memory of 1656 | 1832 | niba8101.exe | 87
PID 1832 wrote to memory of 1656 | 1832 | niba8101.exe | 87
PID 1832 wrote to memory of 3960 | 1832 | niba8101.exe | 92
PID 1832 wrote to memory of 3960 | 1832 | niba8101.exe | 92
PID 1832 wrote to memory of 3960 | 1832 | niba8101.exe | 92
PID 396 wrote to memory of 5064 | 396 | niba5653.exe | 100
PID 396 wrote to memory of 5064 | 396 | niba5653.exe | 100
PID 396 wrote to memory of 5064 | 396 | niba5653.exe | 100
PID 2640 wrote to memory of 4436 | 2640 | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe | 111
PID 2640 wrote to memory of 4436 | 2640 | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe | 111
PID 2640 wrote to memory of 4436 | 2640 | cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe | 111
Processes
[1] C:\Users\Admin\AppData\Local\Temp\cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe (PID 2640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5653.exe (PID 396)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5653.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba8101.exe (PID 1832)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba8101.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4852pe.exe (PID 1656)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4852pe.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h37En44.exe (PID 3960)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h37En44.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 4080)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1080
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 3096)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1088
            - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iTnCO77.exe (PID 5064)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iTnCO77.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 4180)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1860
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1212)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1324
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 828)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1576
          - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l86Wk20.exe (PID 4436)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l86Wk20.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1084)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3960 -ip 3960
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1276)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3960 -ip 3960
[1] C:\Windows\SysWOW64\WerFault.exe (PID 408)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 5064
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1188)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5064 -ip 5064
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2236)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5064 -ip 5064
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: 6c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1: f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256: b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512: f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize: 695KB
MD5: d2aafb536cf19d9f2ed09953c99874a1
SHA1: 72d23687729d08b4f977575f8086838f711eb992
SHA256: f11a728f77270e9d6ff37d8274832212cda3dfe02e18aca3fa3b4afd2e13b072
SHA512: c5dd8e1ef7764d91741c6d2279e2e396f97341602adff1b5c62afcbeb4bc20f507f38daf85490c71d2b45ccb17327ee804e58cee443932855d2ef66d6e649063
-
Filesize: 391KB
MD5: 006db4e8295906ae0fd6c762784737ac
SHA1: 65cf601c32b4768dcd14647e93c959ba916319de
SHA256: 1448f003ceff3bb6c5c20e2065ab14dcba08ab5c1d58335f0ab5aee1572040cb
SHA512: c45ff066112b5f275e6e92f83a1239d44b3e93e7cbaa54589d47b77da7d5aa327d42c115513b35091c516a6cdba562cb7ab5775a22219a008f240e3be53ba637
-
Filesize: 344KB
MD5: 835fe0fb5a896ac7c12bb18de4b43269
SHA1: 13e7d6c5d04f324c2cb1279cf52bd937ddf087c2
SHA256: c9c92e22902d9760be2e67795d671655ebe492c95aa7b6b708e79cc05375516b
SHA512: d50d321fdb3e65c91ccbe754d5fcb1a4e45d08808322cb08f0750a3336f308c53f0e6622b4284643c00ce51c984369e8fcf01122d40b98410027dbfe454de654
-
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 333KB
MD5: c050f21e7aa339df55930b9d76a3cdb4
SHA1: 22dd083bdfb4b33a864be0047515127e5464d374
SHA256: bffe99f0f072c9c5fff55b62ce88c0fa5d8302c5a4ac2ef6d836f86e56e3bdeb
SHA512: 04fd072d7adf3f891e0c8a988c0d195ff6fc37766f7345228dc76c040465622a08baa26792baa10c9872fb92ff143d612aafb462a8badc12dcd31fa2029f81ed