Analysis

max time kernel: 85s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/03/2023, 09:34

Static task: static1
Behavioral task: behavioral1
Sample: 64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe
Resource: win10v2004-20230221-en
General

Target: 64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe
Size: 835KB
MD5: 0295b2e207a0a0c604a8367f9e8dbad4
SHA1: e3dc94860e7f15e1847836705e3c44ec38573fd0
SHA256: 64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947
SHA512: 50c336435f2da23c5887150019546ef53204d4995b7e76e6cc738b8c3d79f2edd4a8e6526c011efd0120e5a5a32d39a58ce99983f066aee68e317ec65a1cc345
SSDEEP: 12288:pMrry90jDudG71dAlve24r6sMIPTmYww2AJyscYTqD7WGjM0a7pJsAnnN/K:+yaHAlWbrvMomYvJysDTs7WGg7Xn1K
Malware Config

Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted
Family: redline
Botnet: relon
C2: 193.233.20.30:4125
auth_value: 17da69809725577b595e217ba006b869
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
pro8969.exe and qu5747.exe each create the Real-Time Protection policy key and set the values that turn real-time scanning, behavior monitoring, IOAV and on-access protection off. Tamper Protection exists to block exactly these edits: with it on, Defender does not honor direct registry changes to these values, so the writes below only take effect on a host where Tamper Protection is already off.

description      ioc                                                                                                                       Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                        pro8969.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"        pro8969.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"            pro8969.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"        pro8969.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"        pro8969.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"      pro8969.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                            qu5747.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  qu5747.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        qu5747.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    qu5747.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    qu5747.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    qu5747.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource                                                                      yara_rule
behavioral1/memory/4116-204-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-203-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-206-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-208-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-210-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-212-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-214-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-216-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-218-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-220-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-222-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-224-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-226-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-228-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-230-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-232-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-234-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-236-0x00000000026D0000-0x000000000270E000-memory.dmp  family_redline
behavioral1/memory/4116-374-0x0000000002600000-0x0000000002610000-memory.dmp  family_redline
Executes dropped EXE 6 IoCs
pid   Process
4680  unio2832.exe
3732  unio2114.exe
4688  pro8969.exe
968   qu5747.exe
4116  rMh83s20.exe
3056  si299873.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
pro8969.exe and qu5747.exe write TamperProtection = 0 under the Windows Defender\Features key. Tamper Protection is designed to block exactly this kind of change, so the write is an attempt, not evidence that it succeeded; on a live host, Get-MpComputerStatus reports the effective state.

description      ioc                                                                                        Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"             pro8969.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                        qu5747.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  qu5747.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
The RunOnce values are the wextract_cleanupN entries that an IExpress self-extracting package writes to delete its own IXP00N.TMP extraction directory (rundll32 advpack.dll,DelNodeRunDLL32) at the next logon. They show that the first three stages are nested IExpress packages; they are cleanup, not persistence for the RedLine payload.

description      ioc                                                                                                                                                                   Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                       64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                       unio2832.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  unio2832.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                       unio2114.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  unio2114.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid   pid_target  Process       procid_target
4464  968         WerFault.exe  89
4948  4116        WerFault.exe  92
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
4688  pro8969.exe
4688  pro8969.exe
968   qu5747.exe
968   qu5747.exe
4116  rMh83s20.exe
4116  rMh83s20.exe
3056  si299873.exe
3056  si299873.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description             pid   Process
Token: SeDebugPrivilege  4688  pro8969.exe
Token: SeDebugPrivilege  968   qu5747.exe
Token: SeDebugPrivilege  4116  rMh83s20.exe
Token: SeDebugPrivilege  3056  si299873.exe
Suspicious use of WriteProcessMemory 17 IoCs
pid   Process                                                                 wrote to memory of  procid_target  events
3240  64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe  4680                84             3
4680  unio2832.exe                                                            3732                85             3
3732  unio2114.exe                                                            4688                86             2
3732  unio2114.exe                                                            968                 89             3
4680  unio2832.exe                                                            4116                92             3
3240  64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe  3056                97             3
Processes

C:\Users\Admin\AppData\Local\Temp\64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe  (PID 3240)
    command line: "C:\Users\Admin\AppData\Local\Temp\64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe"
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2832.exe  (PID 4680)
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio2114.exe  (PID 3732)
            signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8969.exe  (PID 4688)
                signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5747.exe  (PID 968)
                signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\WerFault.exe  (PID 4464)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1080
                    signatures: Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rMh83s20.exe  (PID 4116)
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe  (PID 4948)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1344
                signatures: Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si299873.exe  (PID 3056)
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 540)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe  (PID 4600)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4116 -ip 4116
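Added example, not part of the tria.ge report: a PowerShell triage script that checks a Windows host for the artifacts recorded above. The registry paths, value names, dropped file names, IXP*.TMP directory pattern and the C2 socket are taken from this report; the one-day event-log window, the choice of Defender event IDs (5001, 5004, 5007) and cmdlets, and the Add-Finding helper are assumptions about how a responder would check them, not anything the sample or the sandbox does.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the tria.ge report): look for this sample's indicators on a live host.
# Indicators below are copied from the report; the checks themselves are assumptions.

$report = [ordered]@{
    C2Address = '193.233.20.30'
    C2Port    = 4125
    RtpPolicy = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
        'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
    )
    RtpValues = @(
        'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
        'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable'
    )
    Features  = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
    )
    RunOnce   = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    Dropped   = @('unio2832.exe', 'unio2114.exe', 'pro8969.exe', 'qu5747.exe', 'rMh83s20.exe', 'si299873.exe')
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {   # hypothetical helper, assumed
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Policy values the sample set to 1. These only take effect when Tamper Protection is off.
foreach ($path in $report.RtpPolicy) {
    if (-not (Test-Path -LiteralPath $path)) { continue }       # key absent: nothing was written
    $props = Get-ItemProperty -LiteralPath $path
    foreach ($name in $report.RtpValues) {
        $p = $props.PSObject.Properties[$name]
        if ($p -and [int]$p.Value -eq 1) { Add-Finding 'DefenderPolicy' "$path\$name = $($p.Value)" }
    }
}

# 2. The Features\TamperProtection value the sample wrote as 0. Record the raw value, but take the
#    effective state from Get-MpComputerStatus, which is what Defender is actually enforcing.
foreach ($path in $report.Features) {
    $tp = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).TamperProtection
    if ($null -ne $tp -and [int]$tp -eq 0) { Add-Finding 'TamperProtectionValue' "$path\TamperProtection = 0" }
}
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    if (-not $status.IsTamperProtected)         { Add-Finding 'DefenderState' 'Tamper Protection is off' }
    if (-not $status.RealTimeProtectionEnabled) { Add-Finding 'DefenderState' 'Real-time protection is off' }
    if (-not $status.BehaviorMonitorEnabled)    { Add-Finding 'DefenderState' 'Behavior monitoring is off' }
    if (-not $status.IoavProtectionEnabled)     { Add-Finding 'DefenderState' 'IOAV protection is off' }
}

# 3. Defender's own audit trail: 5001 = real-time protection disabled, 5004 = real-time protection
#    configuration changed, 5007 = platform configuration changed. One-day window is an assumption.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    Add-Finding 'DefenderEvent' "$($e.TimeCreated) id=$($e.Id) $(($e.Message -split "`n")[0])"
}

# 4. IExpress extraction directories, wextract_cleanup RunOnce values and the dropped file names.
#    Any IExpress package produces IXP*.TMP and wextract_cleanupN, so these are leads, not a verdict.
$tempRoots = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } | Where-Object { Test-Path $_ }
foreach ($root in $tempRoots) {
    Get-ChildItem -Path $root -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'IExpressTempDir' $_.FullName }
    Get-ChildItem -Path $root -Recurse -File -Include $report.Dropped -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'DroppedFile' $_.FullName }
}
foreach ($key in $report.RunOnce) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -like 'wextract_cleanup*' } |
        ForEach-Object { Add-Finding 'RunOnce' "$($_.Name) = $($_.Value)" }
}

# 5. A live TCP connection to the C2 socket from the extracted RedLine config.
Get-NetTCPConnection -RemoteAddress $report.C2Address -RemotePort $report.C2Port -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'C2Connection' "pid $($_.OwningProcess) state $($_.State)" }

if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session. A DefenderPolicy or RunOnce hit on its own is weak (administrators set those policy values legitimately and every IExpress package leaves wextract_cleanup entries); a DefenderState or C2Connection hit, or several kinds together within the same hour as the 5001/5007 events, is what turns the report's indicators into a finding.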
Downloads

Filesize: 175KB
MD5: 6fbff2d7c9ba7f0a71f02a5c70df9dfc
SHA1: 003da0075734cd2d7f201c5b0e4779b8e1f33621
SHA256: cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3
SHA512: 25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

Filesize: 693KB
MD5: fbad86a7595d8260a8c0ae189ddbe3ce
SHA1: b96d6e31e8f1e599decf87885e6a16ea03aaae04
SHA256: 7a16065ba86c3b59126e034660b97698f5cc1e5a83c2ee9eb465f44165dfa12f
SHA512: b1bbf07fa6acf239e5b8ace6ad36f9dd954c6b28ae4c1769726fb256518b43487f121313649710b86c2cb10a1f4df9e042f7ccfe61735058b3c93e43f7bdd29a

Filesize: 362KB
MD5: 6c03c4f4cab5a2c43a80fc39250ea402
SHA1: 4352dccdcb0867ebe26b0e13ba4937c392ecd878
SHA256: 2f69eedd164859533b4b3bca48da459abbe0d07f20d8a056d291ac0be67de2fa
SHA512: e94d52d5c4932ba660afe9c1e9ba6e97154a29c63ec4e665ffc0a663fffeda2bc61397d75b87829c31744e7e467e69551e1d6216d4365d1d069d1f5b8c00ce28

Filesize: 343KB
MD5: 32473e68e1a9761867aa652721efd149
SHA1: 6f2288624d7d0dab31c29bb0e25e9700876b6678
SHA256: a2f1c109375457de2f7a6f00e9426eae36d1ba1ec0cf52343932e069b5cd5e9c
SHA512: fa7afd2701f496fca44942e304cd324523efd5f0723781fff9489cfbb62165823fb452009efce8ff0876e5e5a35d4fa0bf6234c9cc29e90d0938c8b05aa06ce0

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 303KB
MD5: 63f98196817dc2c0732ded0f7e33e8ee
SHA1: 121c5e745bc33197c29a205d27b9434790cafcc2
SHA256: 304d2b9aa75d247aae300392efbd90b22ba07fb098d347a76623d9d860994487
SHA512: 03fe033aae21f793ac9f93197c7305368062dcf15395acfbdd0a7a82b42257a34cb4b2323825ead324328e57771e474ade429c44817a1b4e627d9133021b004d