Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
24/03/2023, 14:03
Static task
static1
Behavioral task
behavioral1
Sample
d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe
Resource
win10v2004-20230220-en
General
-
Target
d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe
-
Size
541KB
-
MD5
a4ffa35b51349a35bb6ce62f8c112162
-
SHA1
86172e6a57dfaa28c7f569d14a18fdedbb2f12e2
-
SHA256
d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21
-
SHA512
118ceec1d01638d88acee7edca3f5482e8cb0db35d201ed32f0477bbc8d38f7d212cef7ca57834d68de2b638a67d2d7c0bc2fe6e2297ba7b3fec76dbb2724626
-
SSDEEP
12288:8Mrny90kbJrtU8vrkCLDq2uFjY8hghhWQT:TylRrxnuJYVhEQT
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Extracted
redline
gena
193.233.20.32:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro4222.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro4222.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro4222.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro4222.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection pro4222.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro4222.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
resource yara_rule behavioral1/memory/408-159-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-160-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-162-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-164-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-166-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-168-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-170-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-172-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-174-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-176-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-178-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-180-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-182-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-184-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-186-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-188-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-190-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-192-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-196-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-194-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-198-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-200-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-202-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-208-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-210-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-206-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-214-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-212-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-216-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-220-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-218-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-222-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-224-0x0000000007150000-0x000000000718F000-memory.dmp family_redline behavioral1/memory/408-1076-0x0000000007200000-0x0000000007210000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 3108 unio8732.exe 2608 pro4222.exe 408 qu7962.exe 2260 si405595.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" pro4222.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce unio8732.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" unio8732.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2244 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2740 408 WerFault.exe 94 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2608 pro4222.exe 2608 pro4222.exe 408 qu7962.exe 408 qu7962.exe 2260 si405595.exe 2260 si405595.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2608 pro4222.exe Token: SeDebugPrivilege 408 qu7962.exe Token: SeDebugPrivilege 2260 si405595.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4224 wrote to memory of 3108 4224 d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe 84 PID 4224 wrote to memory of 3108 4224 d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe 84 PID 4224 wrote to memory of 3108 4224 d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe 84 PID 3108 wrote to memory of 2608 3108 unio8732.exe 85 PID 3108 wrote to memory of 2608 3108 unio8732.exe 85 PID 3108 wrote to memory of 408 3108 unio8732.exe 94 PID 3108 wrote to memory of 408 3108 unio8732.exe 94 PID 3108 wrote to memory of 408 3108 unio8732.exe 94 PID 4224 wrote to memory of 2260 4224 d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe 99 PID 4224 wrote to memory of 2260 4224 d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe 99 PID 4224 wrote to memory of 2260 4224 d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe"C:\Users\Admin\AppData\Local\Temp\d080a31aa98b5aef742ca410db976eec010c2c3d363622cd35b5450a05e6ef21.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8732.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8732.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4222.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4222.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7962.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7962.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 13484⤵
- Program crash
PID:2740
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si405595.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si405595.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 408 -ip 4081⤵PID:4412
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:2244
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5f50023c2c4bad1bbf51efde95c575b28
SHA19e02fe5ecc82f471d8c078a0d4b9ce02fdf69ce1
SHA256a491d4a9a89a7103f18f402d20df34f1ae56d18bc779ff8a4681f52a3e65cbdb
SHA512d869c3c475811fdce251a700556018d98c639c28ec838f31e0fb3a9f91743843393d77735f14b992a7407356d109b680e2b9687385bae2ed7ffaef88b7c9fa57
-
Filesize
175KB
MD5f50023c2c4bad1bbf51efde95c575b28
SHA19e02fe5ecc82f471d8c078a0d4b9ce02fdf69ce1
SHA256a491d4a9a89a7103f18f402d20df34f1ae56d18bc779ff8a4681f52a3e65cbdb
SHA512d869c3c475811fdce251a700556018d98c639c28ec838f31e0fb3a9f91743843393d77735f14b992a7407356d109b680e2b9687385bae2ed7ffaef88b7c9fa57
-
Filesize
398KB
MD5a73de24aa55867e9f76fa27c36d40db9
SHA192f3550d6114afd1e79be26b9c4a371ece6b6ad2
SHA256b0609e32f155c5384914ae5c85a6c7e9de55529299484dc03526f6abf5b384c2
SHA512aa0d57d12d57bd48ccaaa37914c26c6b2c91b85b7e1414017db4fa7a8e439dd2acd0c6a5bd9ff05411c257d26b792edfe64d3749b2dfa28cd4b299fa136837ca
-
Filesize
398KB
MD5a73de24aa55867e9f76fa27c36d40db9
SHA192f3550d6114afd1e79be26b9c4a371ece6b6ad2
SHA256b0609e32f155c5384914ae5c85a6c7e9de55529299484dc03526f6abf5b384c2
SHA512aa0d57d12d57bd48ccaaa37914c26c6b2c91b85b7e1414017db4fa7a8e439dd2acd0c6a5bd9ff05411c257d26b792edfe64d3749b2dfa28cd4b299fa136837ca
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
357KB
MD57e1ddb46def693e0574af4df501bbd36
SHA1de45db0125031d9b27f45754be08e2af69486984
SHA2560d29835bdde40fe959f3e02567fcb17ee3def4a38fbf9bddfeff9e01eede6c91
SHA512c4f355a4193d794377084b5de8551a3655141576b1802f78eda95b21145e8f6a92271a73093133c552c96f4a5f58e00e7b05d328a143f8954e0ed1807844af24
-
Filesize
357KB
MD57e1ddb46def693e0574af4df501bbd36
SHA1de45db0125031d9b27f45754be08e2af69486984
SHA2560d29835bdde40fe959f3e02567fcb17ee3def4a38fbf9bddfeff9e01eede6c91
SHA512c4f355a4193d794377084b5de8551a3655141576b1802f78eda95b21145e8f6a92271a73093133c552c96f4a5f58e00e7b05d328a143f8954e0ed1807844af24