Analysis

max time kernel: 144s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/03/2023, 07:56
Static task: static1
Behavioral task: behavioral1
Sample: 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe
Resource: win10v2004-20230220-en
General

Target: 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe
Size: 537KB
MD5: 5208eb66d5b1a28fcf680425540150ad
SHA1: d0763918406911e4aae08102a362068892a36eab
SHA256: 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6
SHA512: 42abc8af7c52b29f05c70b2190642e74b9ded4364abbda24e3d2a20f363a1430930cf403e3c42e00a608a6302bfb3239f3da9bbfa5659663d2096a60073729ff
SSDEEP: 12288:7Mrqy90FMOgsYkOtElhjDxhi4xY6GmW57ZrcIFB7e:lylOlldxY6WRZrcqBS
Malware Config

Extracted
Family: redline
Botnet: down
C2: 193.233.20.31:4125
auth_value: 12c31a90c72f5efae8c053a0bd339381

Extracted
Family: redline
Botnet: sint
C2: 193.233.20.31:4125
auth_value: 9d9b763b4dcfbff1c06ef4743cc0399e

Both configs point at the same C2 address and port; only the botnet tag and auth_value differ, so one network indicator covers both payloads.
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h47sL13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h47sL13.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | h47sL13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h47sL13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h47sL13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h47sL13.exe

These are Group Policy override values (HKLM\SOFTWARE\Policies), not the Defender service's own settings; writing them requires administrative rights, which the sample had in this sandbox run. Each write is a distinct registry event and a natural detection anchor.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
resource | yara_rule
All 33 hits are the same region in PID 4412 (iuHsl28.exe), 0x0000000002460000-0x000000000249E000 (0x3E000 bytes), captured at the following dump offsets:
behavioral1/memory/4412-{156,157,159,161,167,165,169,171,173,175,177,179,181,183,185,187,189,191,193,195,197,199,201,203,205,207,209,211,213,215,217,219,221}-0x0000000002460000-0x000000000249E000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
2812 | niba8547.exe
1384 | h47sL13.exe
4412 | iuHsl28.exe
548 | l88iw97.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | h47sL13.exe

Note that writing this value to the registry does not by itself switch Tamper Protection off on a current Windows 10 build; the feature is designed to ignore direct registry edits, so the real-time protection policy writes above are the ones most likely to have had an effect.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | niba8547.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba8547.exe

The two wextract_cleanup entries are the standard cleanup hook written by the Win32 Cabinet Self-Extractor (wextract) that built the outer layers: at next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP and IXP001.TMP extraction folders. They remove the dropped files rather than relaunch them, so they document the nested SFX packaging (sample -> IXP000.TMP -> IXP001.TMP) rather than persistence of the payload.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4132 | 4412 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1384 | h47sL13.exe
1384 | h47sL13.exe
4412 | iuHsl28.exe
4412 | iuHsl28.exe
548 | l88iw97.exe
548 | l88iw97.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1384 | h47sL13.exe
Token: SeDebugPrivilege | 4412 | iuHsl28.exe
Token: SeDebugPrivilege | 548 | l88iw97.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 5104 wrote to memory of 2812 | 5104 | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe | 84
PID 5104 wrote to memory of 2812 | 5104 | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe | 84
PID 5104 wrote to memory of 2812 | 5104 | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe | 84
PID 2812 wrote to memory of 1384 | 2812 | niba8547.exe | 85
PID 2812 wrote to memory of 1384 | 2812 | niba8547.exe | 85
PID 2812 wrote to memory of 4412 | 2812 | niba8547.exe | 91
PID 2812 wrote to memory of 4412 | 2812 | niba8547.exe | 91
PID 2812 wrote to memory of 4412 | 2812 | niba8547.exe | 91
PID 5104 wrote to memory of 548 | 5104 | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe | 97
PID 5104 wrote to memory of 548 | 5104 | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe | 97
PID 5104 wrote to memory of 548 | 5104 | 8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe | 97

Every write targets a direct child immediately after it is spawned (the parent writes the child's command-line and environment block during CreateProcess), which is consistent with an SFX launcher rather than with injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe  (PID 5104)
  command line: "C:\Users\Admin\AppData\Local\Temp\8e0f0a08f319549b6aee62bf303cac0b35884e8ba84ff4d9ffc87b478c601be6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8547.exe  (PID 2812)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8547.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h47sL13.exe  (PID 1384)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h47sL13.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iuHsl28.exe  (PID 4412)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iuHsl28.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe  (PID 4132)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1792
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l88iw97.exe  (PID 548)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l88iw97.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe  (PID 3984)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4412 -ip 4412

The tree is two nested SFX layers: the submitted sample extracts to IXP000.TMP and runs niba8547.exe and l88iw97.exe; niba8547.exe in turn extracts to IXP001.TMP and runs h47sL13.exe (the Defender tampering) and iuHsl28.exe (the process whose memory matched the RedLine YARA rule and which later crashed, hence the two WerFault.exe instances for PID 4412).
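The behaviours above (Defender policy writes and the TamperProtection flag by h47sL13.exe, the wextract RunOnce cleanup entries, executables launched from the IXP00n.TMP folders, and the RedLine C2 from the Malware Config section) can be turned into a small triage check. The script below is an added example, not tria.ge's code or the sample's; the event list is constructed here to mirror the report's IoCs (the updater.exe RunOnce row, the explorer.exe process row and the 203.0.113.7 connection are hypothetical controls that should not match), and the severity scale is the example's own choice. The wextract cleanup regex assumes the advpack.dll,DelNodeRunDLL32 command shape shown in the Adds Run key table.

```python
"""Triage helper (added example, not part of the original report).

Classifies registry, process and network events shaped like this report's
IoCs: Defender policy tampering vs. wextract SFX cleanup, payloads launched
from IXPnnn.TMP, and connections to the extracted RedLine C2.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from this report.
REDLINE_C2 = {"193.233.20.31:4125"}
DEFENDER_RTP_POLICY = "\\policies\\microsoft\\windows defender\\real-time protection\\"
DEFENDER_RTP_FLAGS = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
}
# wextract (Win32 Cabinet Self-Extractor) schedules deletion of its IXPnnn.TMP
# folder via RunOnce -> advpack.dll,DelNodeRunDLL32. That is SFX cleanup,
# not a persistence mechanism, so it is rated informational here.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 "[^"]*\\IXP\d{3}\.TMP\\"$',
    re.IGNORECASE)
IXP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # info / medium / high / critical (example's own scale)
    process: str
    detail: str


Event = Tuple[str, str, str, str]  # (kind, process, key|image|dest, value|cmdline)

# Constructed events mirroring the report; rows marked hypothetical are controls.
EVENTS: List[Event] = [
    ("registry", "h47sL13.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    ("registry", "h47sL13.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "1"),
    ("registry", "h47sL13.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    ("registry", "niba8547.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    ("registry", "updater.exe",  # hypothetical: a RunOnce entry that is not SFX cleanup
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe"),
    ("process", "niba8547.exe", r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8547.exe", ""),
    ("process", "explorer.exe", r"C:\Windows\explorer.exe", ""),  # hypothetical control
    ("network", "iuHsl28.exe", "193.233.20.31:4125", ""),
    ("network", "svchost.exe", "203.0.113.7:443", ""),  # hypothetical control
]


def classify_registry(process: str, key: str, value: str) -> Optional[Finding]:
    k = key.lower()
    name = k.rsplit("\\", 1)[-1]
    if DEFENDER_RTP_POLICY in k and name in DEFENDER_RTP_FLAGS and value == "1":
        return Finding("high", process, f"Defender real-time protection policy {name} = 1")
    if k.endswith("\\windows defender\\features\\tamperprotection") and value == "0":
        return Finding("high", process, "Defender TamperProtection feature flag set to 0")
    if "\\currentversion\\runonce\\" in k:
        if WEXTRACT_CLEANUP_RE.match(value):
            return Finding("info", process, f"wextract SFX cleanup entry {name} (temp dir deletion, not persistence)")
        return Finding("medium", process, f"RunOnce autostart {name} -> {value}")
    return None


def classify_process(process: str, image: str) -> Optional[Finding]:
    if IXP_DIR_RE.search(image):
        return Finding("medium", process, f"executable launched from SFX temp dir: {image}")
    return None


def classify_network(process: str, dest: str) -> Optional[Finding]:
    if dest in REDLINE_C2:
        return Finding("critical", process, f"connection to RedLine C2 {dest}")
    return None


def triage(events: List[Event]) -> List[Finding]:
    out: List[Finding] = []
    for kind, process, target, value in events:
        if kind == "registry":
            f = classify_registry(process, target, value)
        elif kind == "process":
            f = classify_process(process, target)
        elif kind == "network":
            f = classify_network(process, target)
        else:
            f = None
        if f is not None:
            out.append(f)
    return out


def verdict(findings: List[Finding]) -> str:
    """Highest severity seen, or 'clean' when nothing matched."""
    order = ["info", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="clean")


if __name__ == "__main__":
    results = triage(EVENTS)
    for f in results:
        print(f"[{f.severity:8}] {f.process:14} {f.detail}")
    print("verdict:", verdict(results))
```

The policy check keys on the exact value names under the Real-Time Protection policy path, so a benign administrator creating the key without setting any Disable* flag to 1 produces no finding; the RunOnce branch separates the SFX cleanup command from any other autostart so that the nested-extractor pattern is recorded without being scored as persistence.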
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 87d8308e8cda648f980eaded98c6dd64
SHA1: 8e1213fea55c704c3d133c4b8675b99a66c08fc1
SHA256: dfb2378d9e691c98c02a4ebd3196a313185549e72cd0d770972ea47888889246
SHA512: 04add36bd3e21f02b1fa836caddfbc0a0adfa480f18a369a5974bf98e093f17f36ab68251d5acdda4d8a94458451953b1fcf6ab7706b5e7125fc852c5dc71200

Filesize: 395KB
MD5: 37ebd84c3d1258e03ca442e85a69a63d
SHA1: 6819ed1ab876e354af9ad1fb787b900894ac0d6a
SHA256: 513bdc798ba441aa33c829f9596b1c2119ed66c20c407a7a95e565475f765d8e
SHA512: 6949dddc1b87070ddd441fe72f1d03b67bb985ef425a5f943ea20713d59c3de60f16facc684cf9bbd917cbd953a0a42b943a827baca545cf76aff44a22259e13

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 470KB
MD5: 2fb82eaae35c6c7f24ba17756aef9ea9
SHA1: 4b7b1247dccf8028366d61cb691164920893ab4a
SHA256: bc7cc6023de312441b2e0bb37e2c646d6de00ce07b68115e586f9f17c7134f9d
SHA512: 6f215a44ff5c6dcaf4f3db83787b95bb705115d62217e754e73f564f32eb69b8f5b037b3d56fcdda028b5c94df5938632b84e39ac5500d63a96ffb6791cc552f