Analysis
- max time kernel: 137s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/03/2023, 13:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe
- Resource: win10v2004-20230220-en
General
- Target: b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe
- Size: 685KB
- MD5: a83323dcffde1d56b95d6f7ae8598685
- SHA1: a2fc61339e52f82bf7d3e5d8be7abee2463eaada
- SHA256: b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83
- SHA512: f3e888aeb717bee56d66c5b9e213b943d1a27917def1290986bc99f061b02f16699bbbb49c82a72e0c2a9d1e5d5b6166865abb58bddfe89b616ff2a6cae52de1
- SSDEEP: 12288:7MrPy90iN2JGVPRUxS1YjvS4ksdTcINRc7BEtAEg2Wvp59:EyvN2JEKxS1YjvesTcsKetAEg2O
Malware Config
Extracted
- Family: redline
- Botnet: sony
- C2: 193.233.20.33:4125
- auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted
- Family: redline
- Botnet: nice
- C2: 193.233.20.33:4125
- auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9210.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9210.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/3244-190-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-189-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-192-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-194-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-196-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-198-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-200-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-202-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-204-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-206-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-208-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-210-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-212-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-214-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-216-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-218-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-220-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-222-0x00000000028C0000-0x00000000028FE000-memory.dmp | family_redline
behavioral1/memory/3244-383-0x0000000002490000-0x00000000024A0000-memory.dmp | family_redline
behavioral1/memory/3244-1109-0x0000000002490000-0x00000000024A0000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
4624 | un333296.exe
4996 | pro9210.exe
3244 | qu3867.exe
1296 | si955585.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9210.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9210.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un333296.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un333296.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2888 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3080 | 4996 | WerFault.exe | 85
3352 | 3244 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4996 | pro9210.exe
4996 | pro9210.exe
3244 | qu3867.exe
3244 | qu3867.exe
1296 | si955585.exe
1296 | si955585.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4996 | pro9210.exe
Token: SeDebugPrivilege | 3244 | qu3867.exe
Token: SeDebugPrivilege | 1296 | si955585.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3216 wrote to memory of 4624 | 3216 | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe | 84
PID 3216 wrote to memory of 4624 | 3216 | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe | 84
PID 3216 wrote to memory of 4624 | 3216 | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe | 84
PID 4624 wrote to memory of 4996 | 4624 | un333296.exe | 85
PID 4624 wrote to memory of 4996 | 4624 | un333296.exe | 85
PID 4624 wrote to memory of 4996 | 4624 | un333296.exe | 85
PID 4624 wrote to memory of 3244 | 4624 | un333296.exe | 91
PID 4624 wrote to memory of 3244 | 4624 | un333296.exe | 91
PID 4624 wrote to memory of 3244 | 4624 | un333296.exe | 91
PID 3216 wrote to memory of 1296 | 3216 | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe | 95
PID 3216 wrote to memory of 1296 | 3216 | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe | 95
PID 3216 wrote to memory of 1296 | 3216 | b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b302aaf478341447ae774d444f96894a67d07d93999bfd086cd997ee0fdefd83.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3216
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un333296.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un333296.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4624
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9210.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9210.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4996
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1084
        - Program crash
        PID: 3080
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3867.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3867.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3244
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1804
        - Program crash
        PID: 3352
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si955585.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si955585.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1296
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996
  PID: 2176
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3244 -ip 3244
  PID: 3796
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 2888
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: 45565194d336b17dc262b0cfda6e4985
  SHA1: 0028e442f809aa6311ae7693ae03f5abb29e2aae
  SHA256: eda394687bc91789688b8e0cca2b446456ca8e50faa0a7e7f220645cc54f5805
  SHA512: f62465a76a1f591d00818b87e15593dd3255bc9e8f7dc0cf9b6e63abeeae5b75a8adea33cfa0cac7801d4ae33f9dd8c8f5ddb23fd2ef3a30ecd8b292069fb210
- Filesize: 543KB
  MD5: 94836e5b4baf72a9cddc88cd15a9e3ac
  SHA1: 696ef5a4180e2cd9cad4aa518417db2870c1da07
  SHA256: f7415a8f12342ac022e7538c3dca125eaafd129c39ecdef5145e70ccbf0e9b32
  SHA512: 419b5389bdcacce0e8020727f33e3d0c30eecbea09b2b217cde1050dadbff708d85c712ea78c2d94ada745fc437df4dc0660a85d9c00344846560d5052fbdbad
- Filesize: 292KB
  MD5: 40b315ac4f414af655d4f7fd3432ffab
  SHA1: 8fcb0450281f4c93ec5ce3bfb7a403e506b7e986
  SHA256: d4590da6b19170d5a9033062e371c0a7bfb93f86be453a868867f7baf355ad75
  SHA512: 2ccace870d3f844d193f7c946606d08a637ff06d290490d7be06bb0a04dfd6076989bbd92d7fe35ed2192a58d8659eefd46f68ca3f4ac933b8f672d460950a31
- Filesize: 350KB
  MD5: 6690d98f1fb3411cfdc7c2a6ed9a7965
  SHA1: 39def5b8db0337c51d9e7e0eb69a8f832ff5347d
  SHA256: 302c81f255f1ec154624006fb41fec005ac22a0c70dcfe8cec6e69847330caa3
  SHA512: 3210720070a5ac4bc578692e892e657f659b169793885acd92984f718c01cf74b92675c327938f7c637bced37fdb8fd134c3d3d433d1b62566f1fc634dd3d3f9