Analysis
max time kernel: 100s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2023, 00:25
Static task: static1
Behavioral task: behavioral1
Sample: bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe
Resource: win10v2004-20230220-en
General
Target: bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe
Size: 836KB
MD5: 27f0af162cb081454ca0fa9806c10ddd
SHA1: 6830bef48891c6b8f449833b5904c5aec8bc7d40
SHA256: bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04
SHA512: 44d6e543822e55d4910ba09551a88cbddfc7af1fe0e414bfe60be6fdc14caf5d834374ce397b427ce45cd069f577f2aaaee7e1923f162e51caa820c0c469e8ca
SSDEEP: 12288:UMrRy90+Nt1EBuweqmFsOesHd3Iaw+Tjlx7h37wc2+k1PM7qJdCXeU:Fy/EBk9FUsHhIz+TjJ37N27M7q76
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e
Extracted
Family: redline
Botnet: ruka
C2: 193.233.20.28:4125
auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h27Lx07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h27Lx07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h27Lx07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | f7503oq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | f7503oq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | f7503oq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | h27Lx07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h27Lx07.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | f7503oq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f7503oq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | f7503oq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h27Lx07.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/2160-203-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-204-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-206-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-208-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-210-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-212-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-216-0x0000000004870000-0x0000000004880000-memory.dmp | family_redline
behavioral1/memory/2160-217-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-219-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-221-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-223-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-225-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-227-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-229-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-231-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-233-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-235-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-237-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
behavioral1/memory/2160-239-0x00000000076C0000-0x00000000076FE000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
4740 | niba7236.exe
816 | niba3685.exe
4280 | f7503oq.exe
2476 | h27Lx07.exe
2160 | isqdA50.exe
1272 | l61EB01.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | f7503oq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | h27Lx07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | h27Lx07.exe
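The Real-Time Protection policy writes and the TamperProtection = "0" writes above are the registry activity a detection should key on. The Python below is an added example and not part of the tria.ge report: it runs that check over a few constructed registry value-set events modelled on Sysmon Event ID 13 fields (Image, TargetObject, Details). The registry paths and process names are copied from the two tables; the two benign events are invented controls. It accepts both the report's \REGISTRY\MACHINE\ form and the HKLM\ form and folds the WOW6432Node view into the native path, so one rule covers both the 32-bit view written by h27Lx07.exe and the native view written by f7503oq.exe. Caveat for triage: when Tamper Protection is enabled, Defender ignores Real-Time Protection policy changes made this way and protects the TamperProtection value itself, so a hit shows intent to disable Defender, not that it succeeded; confirm the actual state on the host with Get-MpComputerStatus.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry locations the two droppers in the report wrote to, in native form.
# normalize_target() folds the WOW6432Node view into this form before comparing.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RTP_DISABLE_VALUES = {  # lower-cased: registry value names are case-insensitive
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
}

# Constructed events modelled on Sysmon Event ID 13 (RegistryEvent: Value Set).
# Images and paths are copied from the report; the last two rows are invented
# benign controls that must not fire.
EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h27Lx07.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h27Lx07.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7503oq.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7503oq.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Invented control: a policy refresh writing the value back to 0 (re-enabled).
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Invented control: an unrelated DWORD write.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    value_name: str
    wow6432: bool  # True when the write landed in the 32-bit (WOW6432Node) view


def normalize_target(target: str):
    """Return (key, value_name, wow6432) with the hive written as HKLM\\ and the
    WOW6432Node component removed, so native and 32-bit views compare equal."""
    t = re.sub(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)\\", r"HKLM\\", target, flags=re.I)
    wow = re.search(r"\\WOW6432Node\\", t, flags=re.I) is not None
    t = re.sub(r"\\WOW6432Node\\", r"\\", t, flags=re.I)
    key, _, value_name = t.rpartition("\\")
    return key, value_name, wow


def parse_dword(details: str):
    """Accept Sysmon's 'DWORD (0x00000001)' or a bare decimal as in the report."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def classify(event: dict):
    """Map one value-set event to a Finding, or None when it is not of interest."""
    key, value_name, wow = normalize_target(event["TargetObject"])
    data = parse_dword(event["Details"])
    k, v = key.lower(), value_name.lower()
    if k == RTP_POLICY_KEY.lower() and v in RTP_DISABLE_VALUES and data == 1:
        return Finding("defender_rtp_disabled_by_policy", event["Image"], value_name, wow)
    if k == FEATURES_KEY.lower() and v == "tamperprotection" and data == 0:
        return Finding("defender_tamper_protection_off", event["Image"], value_name, wow)
    return None


def detect(events):
    return [f for f in map(classify, events) if f is not None]


def by_image(findings):
    """Rule names per writing process; both rules from one image is the pattern
    in the report (TamperProtection off plus Real-Time Protection policies)."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.image].add(f.rule)
    return {img: sorted(rules) for img, rules in grouped.items()}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for f in hits:
        view = "WOW6432Node" if f.wow6432 else "native"
        print(f"{f.rule:32} {f.value_name:26} {view:12} {f.image}")
    print(by_image(hits))
```

A real deployment would feed this from the Sysmon or EDR registry-event stream rather than an inline list; keeping the key comparison on the normalised native path is what makes a single rule match both droppers here.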
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba3685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | niba3685.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba7236.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | niba7236.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4828 | 2476 | WerFault.exe | 92
3936 | 2160 | WerFault.exe | 95
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4280 | f7503oq.exe
4280 | f7503oq.exe
2476 | h27Lx07.exe
2476 | h27Lx07.exe
2160 | isqdA50.exe
2160 | isqdA50.exe
1272 | l61EB01.exe
1272 | l61EB01.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4280 | f7503oq.exe
Token: SeDebugPrivilege | 2476 | h27Lx07.exe
Token: SeDebugPrivilege | 2160 | isqdA50.exe
Token: SeDebugPrivilege | 1272 | l61EB01.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1868 wrote to memory of 4740 | 1868 | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe | 86
PID 1868 wrote to memory of 4740 | 1868 | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe | 86
PID 1868 wrote to memory of 4740 | 1868 | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe | 86
PID 4740 wrote to memory of 816 | 4740 | niba7236.exe | 87
PID 4740 wrote to memory of 816 | 4740 | niba7236.exe | 87
PID 4740 wrote to memory of 816 | 4740 | niba7236.exe | 87
PID 816 wrote to memory of 4280 | 816 | niba3685.exe | 88
PID 816 wrote to memory of 4280 | 816 | niba3685.exe | 88
PID 816 wrote to memory of 2476 | 816 | niba3685.exe | 92
PID 816 wrote to memory of 2476 | 816 | niba3685.exe | 92
PID 816 wrote to memory of 2476 | 816 | niba3685.exe | 92
PID 4740 wrote to memory of 2160 | 4740 | niba7236.exe | 95
PID 4740 wrote to memory of 2160 | 4740 | niba7236.exe | 95
PID 4740 wrote to memory of 2160 | 4740 | niba7236.exe | 95
PID 1868 wrote to memory of 1272 | 1868 | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe | 110
PID 1868 wrote to memory of 1272 | 1868 | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe | 110
PID 1868 wrote to memory of 1272 | 1868 | bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe | 110
Processes
C:\Users\Admin\AppData\Local\Temp\bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe"
  PID: 1868
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7236.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7236.exe
    PID: 4740
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3685.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3685.exe
      PID: 816
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7503oq.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7503oq.exe
        PID: 4280
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h27Lx07.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h27Lx07.exe
        PID: 2476
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1080
          PID: 4828
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\isqdA50.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\isqdA50.exe
      PID: 2160
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1328
        PID: 3936
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l61EB01.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l61EB01.exe
    PID: 1272
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2476 -ip 2476
  PID: 5100
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2160 -ip 2160
  PID: 1792
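The WriteProcessMemory table and the process tree above are the raw material for reconstructing the unpacking chain. The Python below is an added example, not part of the tria.ge report: it parses the report's "PID X wrote to memory of Y" rows, collapses the repeated rows that a single CreateProcess produces, rebuilds the parent/child tree, and flags leaf processes launched from nested \Temp\IXP00n.TMP\ directories. Those directories, together with the RunOnce wextract_cleanupN values (rundll32.exe advpack.dll,DelNodeRunDLL32 "...\IXP00n.TMP\") in the "Adds Run key to start application" table, are what the Windows self-extracting cabinet stub (wextract) leaves behind, so that RunOnce entry is the extractor's temp-folder cleanup rather than persistence; no other autostart write appears in this report. The pid-to-image map is constructed from the Processes section, and the row regex is an assumption about the report's layout.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table.
# A child appears two or three times because one CreateProcess produces several writes.
WPM_ROWS = """
PID 1868 wrote to memory of 4740 1868 bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe 86
PID 1868 wrote to memory of 4740 1868 bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe 86
PID 1868 wrote to memory of 4740 1868 bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe 86
PID 4740 wrote to memory of 816 4740 niba7236.exe 87
PID 4740 wrote to memory of 816 4740 niba7236.exe 87
PID 4740 wrote to memory of 816 4740 niba7236.exe 87
PID 816 wrote to memory of 4280 816 niba3685.exe 88
PID 816 wrote to memory of 4280 816 niba3685.exe 88
PID 816 wrote to memory of 2476 816 niba3685.exe 92
PID 816 wrote to memory of 2476 816 niba3685.exe 92
PID 816 wrote to memory of 2476 816 niba3685.exe 92
PID 4740 wrote to memory of 2160 4740 niba7236.exe 95
PID 4740 wrote to memory of 2160 4740 niba7236.exe 95
PID 4740 wrote to memory of 2160 4740 niba7236.exe 95
PID 1868 wrote to memory of 1272 1868 bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe 110
PID 1868 wrote to memory of 1272 1868 bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe 110
PID 1868 wrote to memory of 1272 1868 bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe 110
"""

# pid -> image path, constructed from the Processes section of the report.
IMAGES = {
    1868: r"C:\Users\Admin\AppData\Local\Temp\bf04f2c81eef98d29dc3d406da837886fd3e2213a2a65ec769618ea2d01b0b04.exe",
    4740: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7236.exe",
    816: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3685.exe",
    4280: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7503oq.exe",
    2476: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h27Lx07.exe",
    2160: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\isqdA50.exe",
    1272: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l61EB01.exe",
}

# Assumed row layout: description, pid, Process, procid_target (a report-internal index, not a PID).
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
# wextract extracts each self-extracting layer into %TEMP%\IXPnnn.TMP\.
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_name, procid_target) per matching row."""
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(4), int(m.group(5))


def build_tree(rows):
    """Return (parent -> distinct children in first-seen order, child -> parent)."""
    children, parent = defaultdict(list), {}
    for p, c, _name, _idx in rows:
        if c not in parent:  # collapse the repeated writes for one child
            parent[c] = p
            children[p].append(c)
    return dict(children), parent


def roots(children, parent):
    return [p for p in children if p not in parent]


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


def ixp_chain(parent, images, pid):
    """IXP temp-dir numbers met while walking from pid up to the root, innermost first."""
    chain = []
    while pid is not None:
        m = IXP_RE.search(images.get(pid, ""))
        if m:
            chain.append(m.group(1))
        pid = parent.get(pid)
    return chain


def nested_sfx_hits(children, parent, images, min_depth=2):
    """Leaf processes whose ancestry passes through at least min_depth IXPnnn.TMP dirs."""
    hits = {}
    for pid in images:
        if pid not in children:  # leaves only: the final payloads of each layer
            chain = ixp_chain(parent, images, pid)
            if len(chain) >= min_depth:
                hits[pid] = chain
    return hits


if __name__ == "__main__":
    children, parent = build_tree(parse_rows(WPM_ROWS))
    for r in roots(children, parent):
        print("\n".join(render(children, IMAGES, r)))
    for pid, chain in nested_sfx_hits(children, parent, IMAGES).items():
        print(f"pid {pid}: {len(chain)} nested wextract layers {chain}")
```

On this sample the three-layer chain (IXP000 > IXP001 > IXP002) ends in f7503oq.exe and h27Lx07.exe, the two processes that tamper with Defender, and the RedLine YARA hits are on isqdA50.exe (PID 2160) one layer up; the same tree walk works on Sysmon Event ID 1 parent/child pairs in place of the sandbox rows.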
Downloads
Filesize: 175KB
MD5: 6c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1: f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256: b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512: f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

Filesize: 694KB
MD5: 82d59812aff4bfe42ec9c38747e8b2b7
SHA1: a1e99ab1b0bfcfa372df8e1d9a4697b870e0086a
SHA256: 673a7acb27a722673de102a6ca352bb5817a5883ad4846d98fba4b1c3c9e6eda
SHA512: aa19b56d88df5e1edec579b96dc869862892494778fd81f235734a6330235cc0866cbf9f7031cf8b20819953617142b32b2bb2d7e810c9d962844e305a49d7b1

Filesize: 391KB
MD5: 9a96f3a5e35482cf2cf007f724b4e808
SHA1: cc1165a4c4e82dc73257741721ded1f781f67330
SHA256: a50f49922ad149517205799d8e0a1c0c6caa109910b710510d7900027aebfb6c
SHA512: 99ac6388a4ec7a9c48f1443c04d9c5fe0fc401869653534da5503a8c1b5b3974fbd0635855557a0be40d7fd3b2c42a7cad1f8112c4977299ad6143453d2ece48

Filesize: 344KB
MD5: 1ccb0a4390b73228e0b644a98b38f581
SHA1: 86e7ac367f32b26759708bdafdc6f1ae61493fe6
SHA256: 22e4b681b7cd1345e20b81b05c8b6752ba986369b118cedcd7c31c7ceaa4a4bc
SHA512: 64951b254cfa203f4be5e791db676328238b4ccca9e97e817a2ff64f81813945ce021924330e00f07528929fcc057a94e706a4275ae5724e1f10ad546bc57764

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 333KB
MD5: 94de84ca6568d518cda4ede2da04fab6
SHA1: 2fce7a9d15ba7d6592f62eca5a1c5e6dce08b76d
SHA256: de3020bfbacef9093491d81dbef175bf3c8835fe5f452dfd998b3a290f5b00f3
SHA512: 9da40dcc0c76d26c45667cea3367bfcfa6703285806e62014e6bcd12b9aa660e57c447324841605bb3336e731a8d1617135d43ec69ed32ce25c6eee1b783f879