Analysis
max time kernel: 143s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 14:02
Static task: static1
Behavioral task: behavioral1
Sample: 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe
Resource: win10v2004-20230220-en
General
Target: 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe
Size: 685KB
MD5: f6dee6bc2648db6e9348ecdcdb6aedc5
SHA1: f8c5200fb393bd06c33ba1652da650a272698d6f
SHA256: 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8
SHA512: 44edc9b14facab5a5d6699c3d10570b4ccd2e117150fc617df25d3af35e7b136211d035a6852c18974b396dd889543c43cff5f735f3f3c844f8cebb03d97f82c
SSDEEP: 12288:cMryy90Y/MskXg/Wp/cX0N+MZD+BWO9L+POBi37BoqVEOLHhN1i/QTA2d:eyHn+DYWKpBm6qVEOnzTn
Malware Config
Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted
Family: redline
Botnet: nice
C2: 193.233.20.33:4125
auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6712.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/2312-192-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-194-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-196-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-198-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-204-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-206-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-208-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-210-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-212-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-214-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-216-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-218-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-220-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-222-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-224-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/2312-1110-0x0000000004D60000-0x0000000004D70000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
2672 | un665842.exe
1436 | pro6712.exe
2312 | qu9009.exe
408 | si233057.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro6712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6712.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un665842.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un665842.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3836 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2036 | 1436 | WerFault.exe | 85
2140 | 2312 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1436 | pro6712.exe
1436 | pro6712.exe
2312 | qu9009.exe
2312 | qu9009.exe
408 | si233057.exe
408 | si233057.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1436 | pro6712.exe
Token: SeDebugPrivilege | 2312 | qu9009.exe
Token: SeDebugPrivilege | 408 | si233057.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 904 wrote to memory of 2672 | 904 | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe | 84
PID 904 wrote to memory of 2672 | 904 | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe | 84
PID 904 wrote to memory of 2672 | 904 | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe | 84
PID 2672 wrote to memory of 1436 | 2672 | un665842.exe | 85
PID 2672 wrote to memory of 1436 | 2672 | un665842.exe | 85
PID 2672 wrote to memory of 1436 | 2672 | un665842.exe | 85
PID 2672 wrote to memory of 2312 | 2672 | un665842.exe | 91
PID 2672 wrote to memory of 2312 | 2672 | un665842.exe | 91
PID 2672 wrote to memory of 2312 | 2672 | un665842.exe | 91
PID 904 wrote to memory of 408 | 904 | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe | 95
PID 904 wrote to memory of 408 | 904 | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe | 95
PID 904 wrote to memory of 408 | 904 | 97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97d05052725039dcb6c167a9bd7f01705560f94868d3a0af727350e79dcbd5d8.exe"
  PID: 904
  Signatures:
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665842.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665842.exe
    PID: 2672
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6712.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6712.exe
      PID: 1436
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Children:
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1088
        PID: 2036
        Signatures:
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9009.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9009.exe
      PID: 2312
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Children:
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1864
        PID: 2140
        Signatures:
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si233057.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si233057.exe
    PID: 408
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1436 -ip 1436
  PID: 3668
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2312 -ip 2312
  PID: 4016
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 3836
  Signatures:
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: c2e53da23592e8921d9efdf6c820eff5
  SHA1: 7f1863d063346821d04fba60b8daaf6fa9fb20ca
  SHA256: 5a9a6f5b18c7d23ea4f6870c758d10f163b04095414085a274d724a1790b4d60
  SHA512: 8d8b77a00feffd37f4dd49908b7706cdbe815a598fff987bdd71e5afb212fcdd957f0545f6db9a61da321cde9047a4127307aeb46560208abf4c3955bd557f4f
- Filesize: 543KB
  MD5: e049d68cd142755b847c9a72c82ea362
  SHA1: d0ff38b4c83dbcb0507f09638bf199ab28e00c8d
  SHA256: 6adec23b9a9c7cf085386ba94df37fc286905027056106f2cdca703f4ea73bdd
  SHA512: faff59752f800d55a8a25ef7235c64b0cff32a61a9a224df8d9bb001c3b1d125e540809b5d60e973d0e2f03356366d3aca607dd3cfaa4370c259362dee761143
- Filesize: 292KB
  MD5: af14c1d630af001e1ec69dc3cee17a89
  SHA1: c119e25ae39ccc06e405b08b9d7773d194037d2f
  SHA256: 65426a31e20c4230cf7a45859a8b1ced442a8831e7e49f83d6c90adba569a91b
  SHA512: 6afa259a20ceb44cf6f8f5f8f33ba1ca5a59235c1199e6262414af49a221403fd9d821f5fa28c833732a4d357510df970af1a56c8484feb52bb96885f47b5f74
- Filesize: 350KB
  MD5: 46a7b6ebd9497df800e44a7c09f1523e
  SHA1: a2d813476473d95d850cf604f4c96779f12a65ff
  SHA256: 13d3c0cea99ddb98279ff1c2079ab7d5384c299d459b395d9c999f4a9cbe4711
  SHA512: 54367e90d9eff1740731bbecfb4755eccefe2de70f8cd27b6222762cdc1ae603b5b1fbfe7d7a6cb207f7bc71eee26f4820fb574d3e16c17424e21f020f887566