Analysis
max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 14:01
Static task: static1
Behavioral task: behavioral1
Sample: bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe
Resource: win10v2004-20230220-en
General
Target: bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe
Size: 685KB
MD5: fb2cec08b9d6dfb1beda8c3eecd3b8ee
SHA1: efaac52239241dba579215a5887b2e73eae8c5cd
SHA256: bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc
SHA512: 600ef887e8395805f364ec6c922c932d7dc933fcec1832b735ac27ca31d84a009b53669e89471875de88b0b27aef3baacab309f4ce158ec9904a13916247050e
SSDEEP: 12288:iMray90o0aJDnB9VYnoWxGW2GN3FQPAPSWs8AITgoJv7BDMqEoJAvIPyWDW:ky5BEnoWI6QVWsZIMuNMqEo5PyWDW
Malware Config
Extracted
  family: redline
  botnet: sony
  C2: 193.233.20.33:4125
  auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted
  family: redline
  botnet: nice
  C2: 193.233.20.33:4125
  auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8765.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8765.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8765.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8765.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8765.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8765.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (18 IoCs)
resource | yara_rule
behavioral1/memory/3144-192-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-193-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-195-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-197-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-199-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-201-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-203-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-205-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-207-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-209-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-211-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-213-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-215-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-217-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-219-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-221-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-223-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline
behavioral1/memory/3144-225-0x0000000002770000-0x00000000027AE000-memory.dmp | family_redline

Executes dropped EXE (4 IoCs)
pid | Process
544 | un282958.exe
3488 | pro8765.exe
3144 | qu6039.exe
3232 | si253004.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8765.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8765.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un282958.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un282958.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1324 | 3488 | WerFault.exe | 85
3744 | 3144 | WerFault.exe | 91

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3488 | pro8765.exe
3488 | pro8765.exe
3144 | qu6039.exe
3144 | qu6039.exe
3232 | si253004.exe
3232 | si253004.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3488 | pro8765.exe
Token: SeDebugPrivilege | 3144 | qu6039.exe
Token: SeDebugPrivilege | 3232 | si253004.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 800 wrote to memory of 544 | 800 | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe | 84
PID 800 wrote to memory of 544 | 800 | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe | 84
PID 800 wrote to memory of 544 | 800 | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe | 84
PID 544 wrote to memory of 3488 | 544 | un282958.exe | 85
PID 544 wrote to memory of 3488 | 544 | un282958.exe | 85
PID 544 wrote to memory of 3488 | 544 | un282958.exe | 85
PID 544 wrote to memory of 3144 | 544 | un282958.exe | 91
PID 544 wrote to memory of 3144 | 544 | un282958.exe | 91
PID 544 wrote to memory of 3144 | 544 | un282958.exe | 91
PID 800 wrote to memory of 3232 | 800 | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe | 95
PID 800 wrote to memory of 3232 | 800 | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe | 95
PID 800 wrote to memory of 3232 | 800 | bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe | 95
Processes
(indented by depth in the process tree; each entry gives image path, command line, PID and the signatures raised by that process)

C:\Users\Admin\AppData\Local\Temp\bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bc08bc16079377cb680501f5eb0d1fb7975fa3b3b8a4bf89fc7cbfa630ea37bc.exe"
  PID: 800
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un282958.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un282958.exe
    PID: 544
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8765.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8765.exe
      PID: 3488
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1084
        PID: 1324
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6039.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6039.exe
      PID: 3144
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1844
        PID: 3744
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si253004.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si253004.exe
    PID: 3232
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3488 -ip 3488
  PID: 5012

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3144 -ip 3144
  PID: 4396
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: ea9911a1e2f677364741da9033e090b0
SHA1: f5a2e8c6fc003e26d42691b404afd424843dc545
SHA256: c7a484564fadf263d6450184b60c252726373c20322e362a737e01f59ad4f2eb
SHA512: 207fa32a30ae65db9cba0e9bc49cb133af10a4b5df98a5bf37a603e3a7f60511e0964be4e7e98e627668010fb6f729d9365c5b9d8252662e1a9a5ab99490cb3f

Filesize: 543KB
MD5: 3324965a10a44d7621327fabeea5a703
SHA1: 049f8980eac2364da0bd4bb66464d19b6b6071ed
SHA256: 85dff5031a904655832362fa9f3f059c95c258eabe6b68578479332fe65b0f02
SHA512: 43d83250086ecd87dd2cf0559bcdc11bd2167a973ee140c72762e26a4dc632d35433f0eb7a2994a42332226cbb8f5e35edf2a4211d45196718a8e0b258f9d653

Filesize: 292KB
MD5: c2164bcfe464d1ea2a99aa07fc08b4b0
SHA1: 961ebffdb232a4b3eadc68ba07c34b66c69da64a
SHA256: 237438762dab856b47742eec356ba58003b5df43a2cbe3adebaad2ddb93c7fe9
SHA512: 44ed2a8be088d4b524b031c4fdbbfaa50b21f9c35557ce1b2ef7658f89250345390dff28679371e28360cfc4daf4931f900ac858b48dc21fa74daef0a3f0a844

Filesize: 350KB
MD5: ae1373fdc423c3c07e5ad6fdc63cfea7
SHA1: b26f3847f086db4671eef2dfbad914d28c7e5bae
SHA256: 1621b3a6d43bf190bc38d8f73e9e4d5379b2152b686b8fd45f9352af0fc3cf24
SHA512: f5c7587d1b3e3579807760ceb6add0cbe9893140041999ae8d37b7b002c7714d020260ff7ba95577ba0a1c211dd0262e91bd2f079838fe37fed8a4aa1b94c47b