Analysis
max time kernel: 114s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 14:00
Static task: static1
Behavioral task: behavioral1
Sample: 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe
Resource: win10v2004-20230220-en
General
Target: 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe
Size: 685KB
MD5: f564d5c2d547f2015808864667a9e944
SHA1: 2a0b0621ccfe7fe86fa5e7ccf167403645063ccf
SHA256: 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b
SHA512: 78cfbb09e19fe7dc3fe0abb3be55169e7633136fc67ae05c972ac1170125cbe0a68436db573173fa5a08850ebfc4ac8dc798832e61ad83ab8880a95149387c92
SSDEEP: 12288:EMruy90tQZuTPLMM3kd+TZhJGkrB/I5zqDJrCVVrDSa1BAOqEb8hs3qTZJMTB:6y5Zu1mUZhdIzgGVrDLSOqEbB3kW
Malware Config

Extracted: redline
sony
193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted: redline
nice
193.233.20.33:4125
auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4140.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4140.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4140.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4140.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4140.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4140.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/1652-190-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-191-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-193-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-195-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-197-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-199-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-201-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-203-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-205-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-207-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-209-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-211-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-213-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-215-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-219-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-223-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-225-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
behavioral1/memory/1652-227-0x0000000004BE0000-0x0000000004C1E000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
972 | un469637.exe
1980 | pro4140.exe
1652 | qu2566.exe
4856 | si494869.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4140.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4140.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un469637.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un469637.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4412 | 1980 | WerFault.exe | 83
3976 | 1652 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1980 | pro4140.exe
1980 | pro4140.exe
1652 | qu2566.exe
1652 | qu2566.exe
4856 | si494869.exe
4856 | si494869.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1980 | pro4140.exe
Token: SeDebugPrivilege | 1652 | qu2566.exe
Token: SeDebugPrivilege | 4856 | si494869.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3204 wrote to memory of 972 | 3204 | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe | 82
PID 3204 wrote to memory of 972 | 3204 | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe | 82
PID 3204 wrote to memory of 972 | 3204 | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe | 82
PID 972 wrote to memory of 1980 | 972 | un469637.exe | 83
PID 972 wrote to memory of 1980 | 972 | un469637.exe | 83
PID 972 wrote to memory of 1980 | 972 | un469637.exe | 83
PID 972 wrote to memory of 1652 | 972 | un469637.exe | 89
PID 972 wrote to memory of 1652 | 972 | un469637.exe | 89
PID 972 wrote to memory of 1652 | 972 | un469637.exe | 89
PID 3204 wrote to memory of 4856 | 3204 | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe | 93
PID 3204 wrote to memory of 4856 | 3204 | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe | 93
PID 3204 wrote to memory of 4856 | 3204 | 15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe (PID 3204)
  command line: "C:\Users\Admin\AppData\Local\Temp\15cc611075b96a7c872d794175706e2b042b9edff2cd72113a3d7dd51c64b78b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un469637.exe (PID 972)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un469637.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4140.exe (PID 1980)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4140.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 4412)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1088
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2566.exe (PID 1652)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2566.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 3976)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1860
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si494869.exe (PID 4856)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si494869.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 3420)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe (PID 1784)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1652 -ip 1652
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 67edd4a36304bb2729d16c1cf1a45ec0
SHA1: fbc570f6aac34ce9ffc8939f13d4ba73f0ce9ff4
SHA256: adede8f29a9a8ed0ac2f671aa2cd45a5b498c3e8805fb62914f122d774239fa2
SHA512: 1fdccd969a44109d6cc281e9fb5dc8201aed7fa3cd24364451cbc11e3df25052d1b307b091f3a2c2c39f11ba78123253e5d80ff51a6c6aeccdcc94e96cbc0bb7
Filesize: 543KB
MD5: 84203cc9db4bcd6b898ffdf8ec465ac3
SHA1: b2fb19fb4c5f88b2db85e8bcbd522db60d779f2e
SHA256: 723a56330b1b0d6858b857e2399e8c522386aa72dfb9f5bc8f5c337373b19209
SHA512: 9352cfb93c6b4cb4318724d50f3493853603823fc37514a028134e5ae8b57801500385de982c37755d91289062ed50f17928e3d1628febcf9c01c1fa748a894c

Filesize: 292KB
MD5: 5478471a327724eecc7fe00929af738b
SHA1: 8517abf796b81f4e1e8f976c5683cdd8a92d3a1f
SHA256: 76a2ef18ecf0aa8b1fe3fba630a2944787b7fbcacc54b1d5218afd801d81cefc
SHA512: f454ad321f5d59a6a530af8486e9fd9aa54d908e22e92671feffb80080ed13898b25ac70b41973132e32b8843e1691b1d312a0ea8607d90a02f5513188d279dc

Filesize: 350KB
MD5: 045d7f50a4063a97be4c5bb92c1ede0e
SHA1: b2632b46a974df4701132e72fd00c2e8bc238222
SHA256: dffdcf4a631de8cbdb889bb987d47740f12d6aa55dfc8928298565392fdf94da
SHA512: e81162018c3071c3c31f4be375b9f989a95075f359b59ffe2def62ca0de790880dace24c1d980ec09dd347f44deec2aefe8939b6272eb969deba629f18214239