Analysis
max time kernel: 87s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 12:19
Static task: static1
Behavioral task: behavioral1
Sample: 5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe
Resource: win10v2004-20230220-en
General
Target: 5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe
Size: 688KB
MD5: 99e418ce87c996c8685a18a1a72da80d
SHA1: c94ba833e4f4c0e2a45f9dfad14b6b77d420fe5f
SHA256: 5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e
SHA512: 90f936150e0703f383b4ba1968ed978e344608189a24976d98035b00e07f78628f218e127949167f6f7f6c8c7abd0bea335f4a66bb09c678efd6a7020db2aded
SSDEEP: 12288:0Mruy90u16Wwc9QRRHZyRXkPzgOUftibMcZN49NzyaIW8T9MZckjuosp+r:ayVk/5C0hUfCMcM8TKikjuof
Malware Config
Two RedLine configurations were extracted; both point at the same C2 endpoint but carry different botnet IDs and auth values.

Extracted: redline
  Botnet: sony
  C2: 193.233.20.33:4125
  auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted: redline
  Botnet: nice
  C2: 193.233.20.33:4125
  auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Process      description      ioc
pro6281.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
pro6281.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
pro6281.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
pro6281.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
pro6281.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
pro6281.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (18 IoCs)
resource                                                                         yara_rule
behavioral1/memory/4572-<N>-0x00000000026F0000-0x000000000272E000-memory.dmp     family_redline
  for N in 191, 192, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212, 214, 216, 218, 220, 222, 224
All 18 hits are the same 0x3E000-byte (248 KB) region of qu7529.exe (PID 4572), matched in 18 successive memory dumps.
Executes dropped EXE (4 IoCs)
pid   Process
4624  un834933.exe
1872  pro6281.exe
4572  qu7529.exe
4920  si375827.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (2 IoCs)
Process      description      ioc
pro6281.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
pro6281.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
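The two Defender tables above (the five Real-Time Protection policy values set to 1 and TamperProtection set to 0) are a compact detection signature on their own. The following is an added example, not part of the tria.ge report: it runs a rule over registry-write records constructed to mirror Sysmon Event ID 13 (RegistryEvent, value set), using the exact key paths and value names the report attributes to pro6281.exe, plus two constructed benign controls (a policy write from svchost.exe that sets DisableRealtimeMonitoring back to 0, and the wextract RunOnce cleanup entry from the same report) that must not fire. The process names in the controls and the Sysmon field rendering are assumptions of the example.

```python
"""Detect registry writes that switch off Microsoft Defender.

Added example, not part of the tria.ge report. The input records are
constructed to mirror Sysmon Event ID 13 (RegistryEvent: value set), using
the key paths and value names the report attributes to pro6281.exe.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Values under ...\Windows Defender\Real-Time Protection that the sample set to 1.
REALTIME_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
REALTIME_KEY_SUFFIX = "\\microsoft\\windows defender\\real-time protection"
FEATURES_KEY_SUFFIX = "\\microsoft\\windows defender\\features"


@dataclass(frozen=True)
class RegWrite:
    process: str
    target: str   # full path with the value name last (Sysmon TargetObject)
    details: str  # Sysmon Details, e.g. 'DWORD (0x00000001)'


def normalize_key(path: str) -> str:
    """Canonicalise a registry path so one rule covers every spelling.

    The NT form (\\REGISTRY\\MACHINE\\...) and the Win32 forms (HKLM\\...,
    HKEY_LOCAL_MACHINE\\...) become 'hklm\\...', the WOW6432Node component that
    the registry redirector inserts for 32-bit writers (as seen for
    pro6281.exe in the report) is dropped, and case is folded.
    """
    low = path.strip().lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\"):
        if low.startswith(prefix):
            low = "hklm\\" + low[len(prefix):]
            break
    return low.replace("\\wow6432node\\", "\\")


def dword(details: str) -> int | None:
    """Extract the integer from Sysmon's 'DWORD (0x...)' rendering."""
    m = re.search(r"dword \((0x[0-9a-f]+)\)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def classify(write: RegWrite) -> str | None:
    """Return a finding name for a Defender-disabling write, else None.

    Matching on the key suffix covers both the policy key
    (HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\...) the sample used
    and the live key (HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\...).
    """
    key, _, name = normalize_key(write.target).rpartition("\\")
    value = dword(write.details)
    if key.endswith(REALTIME_KEY_SUFFIX) and name in REALTIME_DISABLE_VALUES and value == 1:
        return "defender_realtime_protection_disabled"
    if key.endswith(FEATURES_KEY_SUFFIX) and name == "tamperprotection" and value == 0:
        return "defender_tamper_protection_cleared"
    return None


def detect(writes: list[RegWrite]) -> list[tuple[str, str, str]]:
    """(process, finding, value name) for every write that matches a rule."""
    hits = []
    for w in writes:
        finding = classify(w)
        if finding:
            hits.append((w.process, finding, w.target.rsplit("\\", 1)[-1]))
    return hits


def noisy_processes(writes: list[RegWrite], min_settings: int = 3) -> dict[str, set[str]]:
    """Processes that disabled at least `min_settings` distinct real-time settings.

    A single value can be an administrator's policy; five in a row from a file
    under %TEMP%, as in this report, is the stealer preparing the host.
    """
    per_process: dict[str, set[str]] = defaultdict(set)
    for process, finding, name in detect(writes):
        if finding == "defender_realtime_protection_disabled":
            per_process[process].add(name.lower())
    return {p: s for p, s in per_process.items() if len(s) >= min_settings}


# Constructed records: the six writes the report lists for pro6281.exe, then two
# benign controls that must not fire (process names are assumed for the example).
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_WRITES = [
    RegWrite("pro6281.exe", _RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    RegWrite("pro6281.exe", _RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegWrite("pro6281.exe", _RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    RegWrite("pro6281.exe", _RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    RegWrite("pro6281.exe", _RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegWrite("pro6281.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    RegWrite("svchost.exe",
             r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000000)"),
    RegWrite("un834933.exe",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_WRITES):
        print(*hit)
    print(noisy_processes(SAMPLE_WRITES))
```

Two points the rule encodes: the WOW6432Node prefix in the report's IoCs is a side effect of the registry redirector, not something the attacker typed, so a rule that matches only the native path misses 32-bit writers; and the TamperProtection write is flagged on the attempt, because on a real host with Tamper Protection enabled the value is not writable through the registry and the attempt itself is the useful signal.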
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
The entries are RunOnce values named wextract_cleanupN, which the Windows self-extractor (wextract, as built by IExpress) writes so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP extraction folder at the next logon. They show that both the submitted file and un834933.exe are self-extracting layers; the entry is the extractor's own cleanup rather than persistence for the payload.
Process                                                                 description      ioc
un834933.exe                                                            Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
un834933.exe                                                            Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
3876  1872        WerFault.exe  84
436   4572        WerFault.exe  92
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
1872  pro6281.exe
1872  pro6281.exe
4572  qu7529.exe
4572  qu7529.exe
4920  si375827.exe
4920  si375827.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1872  pro6281.exe
Token: SeDebugPrivilege  4572  qu7529.exe
Token: SeDebugPrivilege  4920  si375827.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent-to-child write below was recorded three times, giving the 12 rows of the original table.
description                       pid   Process                                                                 procid_target  events
PID 4112 wrote to memory of 4624  4112  5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe    83             3
PID 4624 wrote to memory of 1872  4624  un834933.exe                                                            84             3
PID 4624 wrote to memory of 4572  4624  un834933.exe                                                            92             3
PID 4112 wrote to memory of 4920  4112  5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe    96             3
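The WriteProcessMemory, Executes dropped EXE and Program crash tables are flat event lists; the process tree in the Processes section is what you get by joining them. The following is an added example, not part of the tria.ge report: it rebuilds that chain from the report's own pid pairs, attaches each WerFault crash to the stage it reported (the -p argument), and counts writes per edge so that anything other than the uniform creation pattern stands out. The event tuples are transcribed from the tables above; the same functions work on any (source pid, target pid) stream such as Sysmon Event ID 8 or 10 or EDR telemetry.

```python
"""Rebuild the drop chain from tria.ge's flat event tables.

Added example, not part of the report. The tuples below are transcribed from
the 'Suspicious use of WriteProcessMemory', 'Executes dropped EXE' and
'Program crash' tables of this report.
"""
from __future__ import annotations

from collections import Counter, defaultdict

ROOT = "5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe"

# (source pid, source image, target pid), one tuple per 'wrote to memory of' row.
WRITE_EVENTS = (
    [(4112, ROOT, 4624)] * 3
    + [(4624, "un834933.exe", 1872)] * 3
    + [(4624, "un834933.exe", 4572)] * 3
    + [(4112, ROOT, 4920)] * 3
)
# pid -> image, from 'Executes dropped EXE'.
DROPPED = {4624: "un834933.exe", 1872: "pro6281.exe", 4572: "qu7529.exe", 4920: "si375827.exe"}
# (WerFault pid, pid_target), from 'Program crash'.
CRASHES = [(3876, 1872), (436, 4572)]


def build_tree(events, names):
    """Return (pid->image, parent map, children map, write counts per edge).

    The first process to write into a target is taken as its creator. A later
    writer would be a cross-process write into an already running process; it
    is not re-parented, but it still shows up in the per-edge counter.
    """
    names = dict(names)
    parent: dict[int, int] = {}
    children: dict[int, list[int]] = defaultdict(list)
    writes = Counter()
    for src, src_name, dst in events:
        names.setdefault(src, src_name)
        writes[(src, dst)] += 1
        if dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    return names, parent, children, writes


def depth(pid: int, parent: dict[int, int]) -> int:
    """Stage number of a process (root is 1), the same numbering tria.ge uses."""
    d = 1
    while pid in parent:
        pid = parent[pid]
        d += 1
    return d


def crashed_stages(crashes, names) -> dict[int, str]:
    """Map WerFault's '-p <pid>' target to the image that crashed."""
    return {target: names[target] for _, target in crashes if target in names}


def render(events, names, crashes) -> list[str]:
    """Indented chain with per-edge write counts and crash annotations."""
    names, parent, children, writes = build_tree(events, names)
    crashed = crashed_stages(crashes, names)
    roots = [p for p in names if p not in parent]
    lines: list[str] = []

    def walk(pid: int) -> None:
        note = f"  [crashed, WerFault -p {pid}]" if pid in crashed else ""
        if pid in parent:
            note = f"  ({writes[(parent[pid], pid)]} writes from {parent[pid]})" + note
        lines.append("    " * (depth(pid, parent) - 1) + f"{pid} {names[pid]}{note}")
        for child in children[pid]:
            walk(child)

    for root in roots:
        walk(root)
    return lines


def suspicious_edges(events, names, expected: int = 3) -> list[tuple[int, int, int]]:
    """Edges whose write count deviates from the creation pattern.

    Every child in this report received exactly three writes from its parent,
    which is what these reports commonly show for ordinary process creation,
    so the count alone is not evidence of injection. A larger count, or a
    writer that is not the target's creator, is what to triage first.
    """
    _, parent, _, writes = build_tree(events, names)
    return [(s, d, n) for (s, d), n in writes.items() if n != expected or parent[d] != s]


if __name__ == "__main__":
    print("\n".join(render(WRITE_EVENTS, DROPPED, CRASHES)))
    print("edges to triage:", suspicious_edges(WRITE_EVENTS, DROPPED))
```

For this sample the output shows the two-layer self-extractor: the root (4112) spawns un834933.exe and si375827.exe from IXP000.TMP, un834933.exe spawns pro6281.exe and qu7529.exe from IXP001.TMP, and both of the latter end in WerFault, with qu7529.exe having reached the RedLine payload stage (the 18 memory dumps above) before it crashed.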
Processes
C:\Users\Admin\AppData\Local\Temp\5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe"
  PID: 4112
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834933.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834933.exe
      PID: 4624
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6281.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6281.exe
          PID: 1872
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1080
              PID: 3876
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7529.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7529.exe
          PID: 4572
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1924
              PID: 436
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375827.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375827.exe
      PID: 4920
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1872 -ip 1872
  PID: 1644

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4572 -ip 4572
  PID: 2264
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 0070bc16e790c6757d508dfb61a679d1
SHA1: 11597801bdb0c36c764f0be9bc2dfeca268a609b
SHA256: 2d35b241496015bbd4fd2afa6cf4fa279be28d1ede29a1a4043ed8cc7f62e491
SHA512: 20b462074968ed07b747ff6631c7a12f2dd414dd89e4bc581cb37e6253127146536825c2837c77d654456a2f7b649a411f2e612a869e8d038c6f28e4d2922704

Filesize: 545KB
MD5: c25e01f90166339f356cd8457c2458da
SHA1: 992b2d6336489699e4385a15052d6a95bccb606e
SHA256: 09e7756cb5df3ac01053c927164c8ecebd0006a811052ee0db6f6a9727be6d7d
SHA512: 8736853a56ac92b762d8af30c4c7a9dc5511bed26ef1ce0cb910d6e5bbec4f2628d7aca8ebb7d1b80b1c9108e1c056d1407a5bd93afec9ae454872e9d0ad2ad2

Filesize: 300KB
MD5: 3912e8dad537418748cb6e54f82b227e
SHA1: bd5f5605b3f63825e0467a4978a15b5c96ce1553
SHA256: 05fddb056182acb7ae5b94e3afe451117534d34c4bb6d681cc18e93eb591daa4
SHA512: 76d2376fdcf6db3ec8e9ec4865c42f98ab20a9976b9966f1395260fde1d5450bd8634024370b4e875f61aac2574e2d0400c6f28e5dae7349c4798ac71e9cd2c5

Filesize: 359KB
MD5: 8ce82a4e7530452d64d7027581065ffc
SHA1: 7bcffe1aec2734c121bb8f0db658b15dede8bf3b
SHA256: 48b65cfc856785faca4a6db2d04e19146942170adfce3a720c48bf73b6d3b85c
SHA512: 401db4c97e711403458da0e2b0185f62a782e3ffdb74232c10b41fbab65f73db6babce0a69d3c546a0382521666cefd9ac14948ecd84e7b730353f3d6450ede7