Analysis
Max time kernel: 79s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20230221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24/03/2023, 23:42
Static task: static1
Behavioral task: behavioral1
Sample: b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Resource: win10v2004-20230221-en
General
Target: b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Size: 688KB
MD5: 55f8f5af46c32287f95222faf9a31521
SHA1: 37f33271fe8734a16b7ac883937d5d7ffc2e02bf
SHA256: b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277
SHA512: c8d9b8eede45a38b60e4d4d63beda9e2e02fc7de1c2286e2ae2e988a497de2180d6973584fc536252e53cfb419cce4aab170558eb5f3bc513df0406c9801e258
SSDEEP: 12288:eMroy90LdgxsZadxQOLllhFOCeHkjIdx6Nag+dBWeMZ1Pp2Rh:qyMgxBqO2YIdYa9dYbjh+
Malware Config
Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Extracted
Family: redline
Botnet: lenka
C2: 193.233.20.32:4125
auth_value: 8a60e8b2ec79d6a7e92f9feac39b8830
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6606.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6606.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6606.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6606.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6606.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6606.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/564-191-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-190-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-193-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-195-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-197-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-199-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-201-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-203-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-205-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-207-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-209-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-213-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-211-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-215-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-220-0x00000000071B0000-0x00000000071C0000-memory.dmp | family_redline
behavioral1/memory/564-223-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-225-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-218-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-227-0x0000000007130000-0x000000000716F000-memory.dmp | family_redline
behavioral1/memory/564-1110-0x00000000071B0000-0x00000000071C0000-memory.dmp | family_redline
-
Executes dropped EXE 4 IoCs
pid | Process
1340 | unio0693.exe
1784 | pro6606.exe
564 | qu1501.exe
4892 | si677554.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro6606.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6606.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio0693.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | unio0693.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4508 | 1784 | WerFault.exe | 85
4348 | 564 | WerFault.exe | 96
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1784 | pro6606.exe
1784 | pro6606.exe
564 | qu1501.exe
564 | qu1501.exe
4892 | si677554.exe
4892 | si677554.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1784 | pro6606.exe
Token: SeDebugPrivilege | 564 | qu1501.exe
Token: SeDebugPrivilege | 4892 | si677554.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2156 wrote to memory of 1340 | 2156 | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe | 84
PID 2156 wrote to memory of 1340 | 2156 | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe | 84
PID 2156 wrote to memory of 1340 | 2156 | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe | 84
PID 1340 wrote to memory of 1784 | 1340 | unio0693.exe | 85
PID 1340 wrote to memory of 1784 | 1340 | unio0693.exe | 85
PID 1340 wrote to memory of 1784 | 1340 | unio0693.exe | 85
PID 1340 wrote to memory of 564 | 1340 | unio0693.exe | 96
PID 1340 wrote to memory of 564 | 1340 | unio0693.exe | 96
PID 1340 wrote to memory of 564 | 1340 | unio0693.exe | 96
PID 2156 wrote to memory of 4892 | 2156 | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe | 103
PID 2156 wrote to memory of 4892 | 2156 | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe | 103
PID 2156 wrote to memory of 4892 | 2156 | b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe | 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6506c7b8503c8700079ec82b275f6953cc9d71a2590540e5c21c161cd8c6277.exe"
  PID: 2156
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0693.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0693.exe
    PID: 1340
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6606.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6606.exe
      PID: 1784
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1084
        PID: 4508
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1501.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1501.exe
      PID: 564
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1352
        PID: 4348
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si677554.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si677554.exe
    PID: 4892
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1784 -ip 1784
  PID: 1404
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 564 -ip 564
  PID: 4792
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: d8cb00a7413040c5ee062137deac5809
SHA1: 9fb09584bbb1502edbca55c4e1f8e36ae47466b0
SHA256: e5ff58141efbc15dcbb4075821787863b9465a872d95ad75b34f2301a2970a76
SHA512: faa350ed1548c3f9305d35f5bc8c147545757ce3f10e43767dd4f3e4855af64dfc5bbb4fc0690198a5d9211354c912425fee1b382c6d19d69bb616df2ace3827
-
Filesize: 547KB
MD5: 0f85e493b3ce4e7617dc6b223770c6ed
SHA1: b5d611c3c8ceb654676c47ed3f9aa2235e16db14
SHA256: aa6c6e30cc3db333e2b3031bd69ae62335ee1f1958bdca2e8b7605444b55c40b
SHA512: cc5914ac19f88d05f81c42894413ad73a7f020ca2df7183e8ce98ed9c628d324b38c1c227e29a185a8e8e1c4c6e04c01aa7861827096360a869245feea5c5935
-
Filesize: 329KB
MD5: ca7bb1b8982d3a2b836893de2e74b3ed
SHA1: 4954325e6b2f197e4f35b6b8ee451e03d6c930b1
SHA256: 259b22256fb3cf62d1364dccfeb56e55c18ed306cb36972e672c8b05957bd384
SHA512: ea1c94dc338b9512634bfae188d553c9950e19783164552f8b7e6f6502209fb23a95f88ea4c0f9c237074821fbada3c9296562da896581cc540883b693912d78
-
Filesize: 387KB
MD5: 71eb2d0b5a34ebca3cbcbd99d2df28a0
SHA1: d72964624b8557466dd55ace800efa21f2058871
SHA256: 626ff3c3bd5211bdeedb3f9199101c5bb735db56b4fe9f8202809e392c599477
SHA512: 980afa88966031bce26dbe37931940f6b15b4324cc6057c6a8061417fc2c35db8ac456aacfb47b1210678e4c319e079e5acd9a2575c5bd2d74d4e1e31d87571a