Analysis

max time kernel: 97s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 12:18
Static task: static1
Behavioral task: behavioral1
Sample: c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe
Resource: win10v2004-20230220-en
General

Target: c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe
Size: 688KB
MD5: bc4192ca2cfbe32cb2bf2eb8504b4fba
SHA1: 80c20f89f492624e0840bef1d8c6f67197fa76b2
SHA256: c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601
SHA512: 2a403aad19129f8df1041d5f18370baeb2098aae9badd26cd062de7c00c519a3dce3b830593fa443e05124bf0aad7d4e1b2ac619bb37c72d41a56f0649f510b1
SSDEEP: 12288:AMr8y909DJSBHtkd95kmnIOBIaSfTCooZIefzWfHvCAZEQ5utGBZ3ZhP:syfxtonIOBIaSbCU0zWfPR3MGBFZt
Malware Config

Extracted: redline
  Botnet: sony
  C2: 193.233.20.33:4125
  auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted: redline
  Botnet: nice
  C2: 193.233.20.33:4125
  auth_value: a7371b75699e8bc7c51fb960e8ac9e81

Two RedLine configurations were recovered. They share the same C2 endpoint but carry different botnet IDs and auth_value tokens, i.e. two separately built payloads are packed into the one dropper. The C2 address and port are the network indicators to block or hunt for.
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9085.exe

These are the Group Policy scope Defender settings (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection). pro9085.exe is a 32-bit process (its crash handler is the SysWOW64 WerFault.exe), so the sandbox records the writes under the WOW6432Node view. On a host with Tamper Protection enabled these writes are blocked or reverted; the attempt itself (Sysmon Event ID 13 on these value paths) is the detection signal.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 19 IoCs

All 19 YARA hits are in the memory of PID 4408 (qu3468.exe): 18 cover the same region 0x04CD0000-0x04D0E000 across successive dumps, one covers 0x04DC0000-0x04DD0000. No other process matched the family_redline rule.

resource | yara_rule
behavioral1/memory/4408-191-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-192-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-194-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-196-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-198-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-200-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-202-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-204-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-206-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-208-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-214-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-210-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-215-0x0000000004DC0000-0x0000000004DD0000-memory.dmp | family_redline
behavioral1/memory/4408-218-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-220-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-222-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-224-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-226-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/4408-228-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs

pid | Process
1576 | un841335.exe
1704 | pro9085.exe
4408 | qu3468.exe
3280 | si124069.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Windows security modification 2 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9085.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9085.exe

Writing TamperProtection = 0 directly is an attempt to switch Tamper Protection off so that the Real-Time Protection policy writes above take effect. Where Tamper Protection is on, this value is protected and the write is a detection opportunity rather than a working bypass.
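The two Defender-related signature tables above are the kind of registry rows a detection engineer turns into a rule. As an added example that is not part of the Triage report, the following Python parses rows in the report's own `Set value (<type>) <path> = "<value>" <process>` layout, normalizes the `\REGISTRY\MACHINE` and `WOW6432Node` path form to the `HKLM\...` form most rule syntaxes use, and flags the writes that disable Defender. The row-layout regex and the watch-list of value names are this example's assumptions; the sample rows are copied from the tables above, plus one RunOnce row from further down the report so the filter has a benign row to ignore.

```python
"""Flag Defender-disabling registry writes in Triage-style signature rows.

Added example for this report page, not Triage's own code. The row layout
regex and the watch-list of value names are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed input: registry rows copied from the report's two Defender
# signature tables (pro9085.exe) plus one RunOnce row from un841335.exe that
# the filter should ignore.
REPORT_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro9085.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro9085.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro9085.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro9085.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro9085.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro9085.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro9085.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro9085.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un841335.exe
'''

# Row layout as it appears on this page (assumption of this example):
#   Set value (<type>) <registry value path> = "<data>" <process image>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$',
    re.M,
)

# Value writes that switch off Defender components. Keys are the 64-bit
# (non-WOW6432Node) view of the key, lowercased for comparison.
DEFENDER_DISABLE = {
    r"hklm\software\policies\microsoft\windows defender\real-time protection": {
        "DisableRealtimeMonitoring": "1",
        "DisableBehaviorMonitoring": "1",
        "DisableIOAVProtection": "1",
        "DisableOnAccessProtection": "1",
        "DisableScanOnRealtimeEnable": "1",
    },
    r"hklm\software\microsoft\windows defender\features": {
        "TamperProtection": "0",
    },
}


@dataclass(frozen=True)
class RegWrite:
    kind: str      # int / str / ... as logged
    path: str      # full value path as logged
    value: str     # data as logged, surrounding quotes stripped
    process: str   # image name of the writing process


def parse_set_values(text: str) -> list[RegWrite]:
    """Extract 'Set value' rows; 'Key created' rows carry no data and are skipped."""
    return [RegWrite(m["kind"], m["path"], m["value"], m["proc"])
            for m in SET_VALUE_RE.finditer(text)]


def normalize_path(path: str) -> str:
    """Map the kernel object path to HKLM/HKU form and drop the WOW6432Node segment."""
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(prefix):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def find_defender_tampering(writes):
    """Return the writes whose (key, value name, data) match the watch-list."""
    hits = []
    for w in writes:
        key, _, name = normalize_path(w.path).rpartition("\\")
        if DEFENDER_DISABLE.get(key.lower(), {}).get(name) == w.value:
            hits.append(w)
    return hits


def summarize(hits):
    """Process image -> sorted list of the Defender value names it disabled."""
    out = {}
    for h in hits:
        out.setdefault(h.process, []).append(h.path.rpartition("\\")[2])
    return {proc: sorted(names) for proc, names in out.items()}


if __name__ == "__main__":
    for proc, names in summarize(find_defender_tampering(parse_set_values(REPORT_ROWS))).items():
        print(f"{proc}: disables {', '.join(names)}")
```

The same watch-list maps directly onto Sysmon Event ID 13 (RegistryEvent, Value Set) telemetry once the TargetObject is normalized the same way; the RunOnce row shows that a registry-write rule has to key on the exact value path and data, not merely on a process touching the registry.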
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un841335.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un841335.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe

Both RunOnce values are the standard cleanup entries written by the Windows self-extractor (WEXTRACT/IExpress): at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories. They remove the dropper's working directories rather than persisting the payload, so this signature is evidence of a two-layer self-extracting cabinet, not of autostart persistence.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs

pid | pid_target | Process | procid_target
224 | 1704 | WerFault.exe | 84
4524 | 4408 | WerFault.exe | 91

Both crashing processes are dropped payloads: pro9085.exe (PID 1704) and qu3468.exe (PID 4408), the latter being the process that held the RedLine payload in memory. The WerFault.exe entries are Windows Error Reporting handling the crashes, not malicious processes. Because both payloads crashed during the run, the absence of C2 traffic in this report should not be read as the sample having no network behaviour.
Suspicious behavior: EnumeratesProcesses 6 IoCs

pid | Process
1704 | pro9085.exe
1704 | pro9085.exe
4408 | qu3468.exe
4408 | qu3468.exe
3280 | si124069.exe
3280 | si124069.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

description | pid | Process
Token: SeDebugPrivilege | 1704 | pro9085.exe
Token: SeDebugPrivilege | 4408 | qu3468.exe
Token: SeDebugPrivilege | 3280 | si124069.exe

Each dropped payload enables SeDebugPrivilege in its own token. That privilege is what lets a process open handles to processes owned by other users or the system, and it pairs with the process enumeration recorded above.
Suspicious use of WriteProcessMemory 12 IoCs

description | pid | Process | procid_target | writes
PID 4940 wrote to memory of 1576 | 4940 | c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe | 83 | 3
PID 1576 wrote to memory of 1704 | 1576 | un841335.exe | 84 | 3
PID 1576 wrote to memory of 4408 | 1576 | un841335.exe | 91 | 3
PID 4940 wrote to memory of 3280 | 4940 | c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe | 95 | 3
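The WriteProcessMemory table records every parent-to-child write three times and names only the parent; joining it with the Executes dropped EXE and Program crash tables recovers the process tree shown under Processes. The Python below is an added example, not part of the Triage report: it parses rows in the layouts those three tables use (the regexes are this example's reading of that layout), collapses the repeated writes to one parent/child edge, and renders the tree with crashed processes marked. The input rows are copied from the tables on this page.

```python
"""Rebuild the process tree from Triage's WriteProcessMemory, dropped-EXE and crash tables.

Added example for this report page, not Triage's own code. The three row
layouts below are this example's reading of the tables as shown on the page.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's tables.
WRITE_ROWS = """
PID 4940 wrote to memory of 1576 4940 c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe 83
PID 4940 wrote to memory of 1576 4940 c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe 83
PID 4940 wrote to memory of 1576 4940 c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe 83
PID 1576 wrote to memory of 1704 1576 un841335.exe 84
PID 1576 wrote to memory of 1704 1576 un841335.exe 84
PID 1576 wrote to memory of 1704 1576 un841335.exe 84
PID 1576 wrote to memory of 4408 1576 un841335.exe 91
PID 1576 wrote to memory of 4408 1576 un841335.exe 91
PID 1576 wrote to memory of 4408 1576 un841335.exe 91
PID 4940 wrote to memory of 3280 4940 c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe 95
PID 4940 wrote to memory of 3280 4940 c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe 95
PID 4940 wrote to memory of 3280 4940 c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe 95
"""
DROPPED_ROWS = """
1576 un841335.exe
1704 pro9085.exe
4408 qu3468.exe
3280 si124069.exe
"""
CRASH_ROWS = """
224 1704 WerFault.exe 84
4524 4408 WerFault.exe 91
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$", re.M)
# "<pid> <image>"
DROPPED_RE = re.compile(r"^(\d+) (\S+)$", re.M)
# "<WerFault pid> <crashed pid> <image> <procid_target>"
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) \d+$", re.M)


def parse_writes(text):
    """(parent, child, parent image) per distinct pair; repeated writes collapse to one edge."""
    seen, edges = set(), []
    for src, dst, image in WRITE_RE.findall(text):
        pair = (int(src), int(dst))
        if pair not in seen:
            seen.add(pair)
            edges.append((*pair, image))
    return edges


def build_tree(edges):
    """children: parent pid -> child pids in first-seen order; names: pid -> image."""
    children, names = defaultdict(list), {}
    for parent, child, image in edges:
        children[parent].append(child)
        names.setdefault(parent, image)
    return dict(children), names


def roots(children):
    """Parents that are nobody's child."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]


def render(children, names, crashed, pid, depth=0):
    """Indented one-line-per-process view, marking processes WerFault handled."""
    mark = "  [crashed -> WerFault]" if pid in crashed else ""
    lines = [f"{'    ' * depth}{names.get(pid, '?')} (PID {pid}){mark}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, crashed, child, depth + 1))
    return lines


def process_tree(write_rows=WRITE_ROWS, dropped_rows=DROPPED_ROWS, crash_rows=CRASH_ROWS):
    children, names = build_tree(parse_writes(write_rows))
    names.update({int(pid): image for pid, image in DROPPED_RE.findall(dropped_rows)})
    crashed = {int(target) for _, target, _ in CRASH_RE.findall(crash_rows)}
    return [line for root in roots(children) for line in render(children, names, crashed, root)]


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

A parent writing into a child it has just created is part of ordinary process creation (the parent fills in the new process's startup parameters), which is why each edge appears as a short burst of writes. On its own the signature is evidence of who spawned whom, not of code injection; the injection question is answered by the YARA hits on qu3468.exe's memory, not by this table.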
Processes

1  C:\Users\Admin\AppData\Local\Temp\c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe (PID 4940)
   command line: "C:\Users\Admin\AppData\Local\Temp\c8fd59d93d965d4752d3f4948df648361b772f774f8971fce09b9eabc99a6601.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841335.exe (PID 1576)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un841335.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9085.exe (PID 1704)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9085.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\WerFault.exe (PID 224)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1084
            - Program crash

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3468.exe (PID 4408)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3468.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\WerFault.exe (PID 4524)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 2008
            - Program crash

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si124069.exe (PID 3280)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si124069.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\SysWOW64\WerFault.exe (PID 3128)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1704 -ip 1704

1  C:\Windows\SysWOW64\WerFault.exe (PID 2400)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4408 -ip 4408
Network
MITRE ATT&CK Enterprise v6
Downloads

Four distinct files:

Filesize: 175KB
MD5: 2d6377df6e950c0b8cdf4dca99b3a749
SHA1: 6e095a84254b87bac38e8d69ced93569ca79177a
SHA256: bbb2d6c3c16177f01312769218413fe60f2132e74e6579ae48889031e9cb34a7
SHA512: 94ab91e41d0593875771acc10d310784fc557ce28bd3e8aa1a6f3657a98eee5c7a79d56b5d7e5795aea80f7765afc3561cea9d1c6f0f9eaddbd58e0576d81786

Filesize: 546KB
MD5: 1396a68ab19bf8e3b49881b9a740729d
SHA1: 10d5a132a299d6de99e2c6f339248773bc30a842
SHA256: 28a5718f0d192b64c78d2e9a08528ae840516d694465bc5cd4fdd6aa9205e45e
SHA512: 00d8f4e9b30ac0bf3e5f1d066b48d3d8ba6a9d3f8d213d3777768cbab1e825b13468eda67d12ff8417b0212320be3db321cccda9ac5411248ccc2a359f180e5c

Filesize: 300KB
MD5: 4955fbbb2bbc15aedb852cfcc664d562
SHA1: 4034c6b04e3bcff789148488a0679b41b96c0e54
SHA256: 576a69d469ff2d05341af7bf68dc1cdae057ea693e31c028e8ff9ec1a445bac2
SHA512: 1d426526681f62fdbb98808eda0778df99f968c14fba19b37754f4c2ecf3a532e2c99f7681d17d1fd3fe2fea927acb52f5657603524769a171b52e20ae913d97

Filesize: 359KB
MD5: 09b5d7e0bda6c3e8e5d412535aae4253
SHA1: 05f6ac9acfe7f2fa8be6bb9d23c5fc7b08598712
SHA256: 279d6a1f77f4cca26637766366093c1f81448f44b2f8c8f6744ec0c343749b17
SHA512: 06f1ad5924b94100d1f6097575dc5a50131f5d8abf60ff0caad5e07fc6a5db5c899f498843c59b70ebb5039b20471572617544dd3eb8c2f96f3979e31022a78a