Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
77s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
20/03/2023, 07:50
Static task
static1
Behavioral task
behavioral1
Sample
a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe
Resource
win10v2004-20230220-en
General
-
Target
a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe
-
Size
777KB
-
MD5
2812e6ab289fc98370f1bebd5a047b1f
-
SHA1
86c19a31ac8a0c4570fba955b58eb57f6d29e0f3
-
SHA256
a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678
-
SHA512
6fa02b02ceb1237a0e03852ab8b58f73faf39f27f47644771ac6e7c6e1a048dda6b49bcb54ec9a07c27e9fec560d5c284d90f384f64de2963c9c31b830cb3202
-
SSDEEP
12288:sMrfy90vms583lPg4FJZ/4t4lMoGtaUAxAa6j9yjuEDNFQPwL7W:LyK181PgiPgUMF5EF6j4ju6N+PwLy
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
ruka
193.233.20.28:4125
-
auth_value
5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" f1988rF.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection h06Lp86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" h06Lp86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" h06Lp86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" h06Lp86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h06Lp86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" h06Lp86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection f1988rF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" f1988rF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" f1988rF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" f1988rF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" f1988rF.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/1168-202-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-203-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-205-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-207-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-209-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-211-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-213-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-215-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-217-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-219-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-221-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-223-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-225-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-227-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-229-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-231-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-233-0x0000000002550000-0x000000000258E000-memory.dmp family_redline behavioral1/memory/1168-235-0x0000000002550000-0x000000000258E000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 1496 niba2953.exe 4532 niba2422.exe 2528 f1988rF.exe 404 h06Lp86.exe 1168 ixDXV54.exe 4152 l65Na79.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" f1988rF.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features h06Lp86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" h06Lp86.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce niba2953.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" niba2953.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce niba2422.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" niba2422.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4452 404 WerFault.exe 88 4012 1168 WerFault.exe 91 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2528 f1988rF.exe 2528 f1988rF.exe 404 h06Lp86.exe 404 h06Lp86.exe 1168 ixDXV54.exe 1168 ixDXV54.exe 4152 l65Na79.exe 4152 l65Na79.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2528 f1988rF.exe Token: SeDebugPrivilege 404 h06Lp86.exe Token: SeDebugPrivilege 1168 ixDXV54.exe Token: SeDebugPrivilege 4152 l65Na79.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1008 wrote to memory of 1496 1008 a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe 85 PID 1008 wrote to memory of 1496 1008 a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe 85 PID 1008 wrote to memory of 1496 1008 a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe 85 PID 1496 wrote to memory of 4532 1496 niba2953.exe 86 PID 1496 wrote to memory of 4532 1496 niba2953.exe 86 PID 1496 wrote to memory of 4532 1496 niba2953.exe 86 PID 4532 wrote to memory of 2528 4532 niba2422.exe 87 PID 4532 wrote to memory of 2528 4532 niba2422.exe 87 PID 4532 wrote to memory of 404 4532 niba2422.exe 88 PID 4532 wrote to memory of 404 4532 niba2422.exe 88 PID 4532 wrote to memory of 404 4532 niba2422.exe 88 PID 1496 wrote to memory of 1168 1496 niba2953.exe 91 PID 1496 wrote to memory of 1168 1496 niba2953.exe 91 PID 1496 wrote to memory of 1168 1496 niba2953.exe 91 PID 1008 wrote to memory of 4152 1008 a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe 101 PID 1008 wrote to memory of 4152 1008 a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe 101 PID 1008 wrote to memory of 4152 1008 a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe"C:\Users\Admin\AppData\Local\Temp\a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2953.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2953.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba2422.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba2422.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1988rF.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1988rF.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h06Lp86.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h06Lp86.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 10805⤵
- Program crash
PID:4452
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixDXV54.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixDXV54.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 13324⤵
- Program crash
PID:4012
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l65Na79.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l65Na79.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 404 -ip 4041⤵PID:1528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1168 -ip 11681⤵PID:432
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
635KB
MD59c6fd96ba8b9c691959b9d26b1350e89
SHA16b96274c982e79b064b6186114205d1b8982325e
SHA256835f275d4dafe9098042b8e04b1e33304b570e7e40ff7c6ef81caf358e89726d
SHA512afc06e6167c6fe581645b5c7235da66e2dea5a27fc558a47ae0e56a127335785397babe2f00635fa55057d682000a032f6092190f86d1fded2c4859d982b23f4
-
Filesize
635KB
MD59c6fd96ba8b9c691959b9d26b1350e89
SHA16b96274c982e79b064b6186114205d1b8982325e
SHA256835f275d4dafe9098042b8e04b1e33304b570e7e40ff7c6ef81caf358e89726d
SHA512afc06e6167c6fe581645b5c7235da66e2dea5a27fc558a47ae0e56a127335785397babe2f00635fa55057d682000a032f6092190f86d1fded2c4859d982b23f4
-
Filesize
287KB
MD5a5ff3d90880b26602631fcd20ca34f8f
SHA146f99ae04547f1e8972aebf0c38be4f04d61df56
SHA256056ac0553ad39fe48aeb2f6398c0586a4a938593dce003ebfbdf6ee77f1d47b0
SHA5124dfd0ba16ee0b3647b320a28efe0780f24293ed0fda46f540e971555b64576f5e964c78fb077e6d8c18ef2a06db2580c6d07842dd04884939895e8b3a6c92f76
-
Filesize
287KB
MD5a5ff3d90880b26602631fcd20ca34f8f
SHA146f99ae04547f1e8972aebf0c38be4f04d61df56
SHA256056ac0553ad39fe48aeb2f6398c0586a4a938593dce003ebfbdf6ee77f1d47b0
SHA5124dfd0ba16ee0b3647b320a28efe0780f24293ed0fda46f540e971555b64576f5e964c78fb077e6d8c18ef2a06db2580c6d07842dd04884939895e8b3a6c92f76
-
Filesize
314KB
MD539894d2681f47c4c61793a72bb4337f3
SHA1725d8a41b4dbda841a8c8e2df86714b1ed4fe954
SHA25637ca2b8185a8e44251cfade4fbc763e53cba8a71248e2436ebda28c27d7b3545
SHA51297205efc377b71e9de75ff864cc8d15a5e550d919be5772148a7e554f401a9e52100f0217f6f9b4f27f05733734f82002164985d7450bc104b0a8f7faa92015b
-
Filesize
314KB
MD539894d2681f47c4c61793a72bb4337f3
SHA1725d8a41b4dbda841a8c8e2df86714b1ed4fe954
SHA25637ca2b8185a8e44251cfade4fbc763e53cba8a71248e2436ebda28c27d7b3545
SHA51297205efc377b71e9de75ff864cc8d15a5e550d919be5772148a7e554f401a9e52100f0217f6f9b4f27f05733734f82002164985d7450bc104b0a8f7faa92015b
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
229KB
MD56d2ff1f0dce33590fe3b35fab58c6011
SHA1921341827661af5bfcfdc83d8dbbdb6d0c0b248d
SHA256c68e0b6db0c8a85197bb58715f3db3e226c0b712ee9adbe9f3285be22c2e8439
SHA512035c61a8928373d9591d0b24585161450cb4f4ac917f72204f21421bdbe70622b0f5c5c7e84c371a61d52dd7a1c500c32bc7054cd62e39de19c693890ec16feb
-
Filesize
229KB
MD56d2ff1f0dce33590fe3b35fab58c6011
SHA1921341827661af5bfcfdc83d8dbbdb6d0c0b248d
SHA256c68e0b6db0c8a85197bb58715f3db3e226c0b712ee9adbe9f3285be22c2e8439
SHA512035c61a8928373d9591d0b24585161450cb4f4ac917f72204f21421bdbe70622b0f5c5c7e84c371a61d52dd7a1c500c32bc7054cd62e39de19c693890ec16feb