Analysis
max time kernel: 110s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 17:52
Static task: static1
Behavioral task: behavioral1
Sample: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe
Resource: win10v2004-20230221-en
General
Target: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe
Size: 695KB
MD5: ada20aa5ea32e2db4209c7426cd55f05
SHA1: 75c6d287ea767c588a12e52f27de90f8662fdebe
SHA256: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2
SHA512: c9b95b8bbdf999d28e3cb577cd692bf480df354b4a06c448932ddd77f83fd603ec3ea9e8cb7cd039864b9edfe35494d7aed237f38766b89ab3196261a46bf0e0
SSDEEP: 12288:pMrFy90snkTy+NmrcsLS9wHKs1uaG/o2dCJdnh7RjRMx0bIpgo:Yy4crcseDb/o2dCfh7T1In
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro2089.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro2089.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro2089.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro2089.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro2089.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro2089.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
behavioral1/memory/3572-191-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-192-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-194-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-196-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-198-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-200-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-202-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-204-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-206-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-208-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-210-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-212-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-214-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-216-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-218-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-221-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-226-0x0000000004D50000-0x0000000004D60000-memory.dmp (family_redline)
behavioral1/memory/3572-224-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
behavioral1/memory/3572-228-0x0000000004CC0000-0x0000000004CFF000-memory.dmp (family_redline)
Executes dropped EXE 4 IoCs
PID 4576: un080245.exe
PID 3080: pro2089.exe
PID 3572: qu4585.exe
PID 2772: si472031.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro2089.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro2089.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un080245.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un080245.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
WerFault.exe (PID 3752) handled crash of target PID 3080 (procid_target 85)
WerFault.exe (PID 956) handled crash of target PID 3572 (procid_target 91)
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID 3080: pro2089.exe
PID 3080: pro2089.exe
PID 3572: qu4585.exe
PID 3572: qu4585.exe
PID 2772: si472031.exe
PID 2772: si472031.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Token: SeDebugPrivilege, PID 3080, pro2089.exe
Token: SeDebugPrivilege, PID 3572, qu4585.exe
Token: SeDebugPrivilege, PID 2772, si472031.exe
Suspicious use of WriteProcessMemory 12 IoCs
PID 4220 wrote to memory of 4576: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (procid_target 84)
PID 4220 wrote to memory of 4576: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (procid_target 84)
PID 4220 wrote to memory of 4576: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (procid_target 84)
PID 4576 wrote to memory of 3080: un080245.exe (procid_target 85)
PID 4576 wrote to memory of 3080: un080245.exe (procid_target 85)
PID 4576 wrote to memory of 3080: un080245.exe (procid_target 85)
PID 4576 wrote to memory of 3572: un080245.exe (procid_target 91)
PID 4576 wrote to memory of 3572: un080245.exe (procid_target 91)
PID 4576 wrote to memory of 3572: un080245.exe (procid_target 91)
PID 4220 wrote to memory of 2772: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (procid_target 94)
PID 4220 wrote to memory of 2772: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (procid_target 94)
PID 4220 wrote to memory of 2772: 5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (procid_target 94)
Processes
C:\Users\Admin\AppData\Local\Temp\5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe (PID 4220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e6d6e65e881541775b035a7eddaa56ba84a961b52b7606b8c9e5461405c25d2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un080245.exe (PID 4576)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un080245.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2089.exe (PID 3080)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2089.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 3752)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1084
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4585.exe (PID 3572)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4585.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 956)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2032
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si472031.exe (PID 2772)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si472031.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 1980)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3080 -ip 3080
C:\Windows\SysWOW64\WerFault.exe (PID 2148)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3572 -ip 3572
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: 49b06b38ca4faef4326314c7436386fa
SHA1: 0906884ddaeb665c4b477b56954a8a15d6b75a3a
SHA256: f3a4b5670f1bdbe13efc49ee5d9210e181ae454902ba29045485759991eb5566
SHA512: af149285bb1cc6f4b57b0dedf31a9f2135cbd06f0f8c76972142d372653bff908dc03f025ecf8485e0e182e1e29887ba2c02eea62da3e297519d0a3af86f8bca
-
Filesize: 554KB
MD5: 33402db676ab1c9a71e55197d5be6674
SHA1: e40ea9b4e1eabbc28056c4d177d46acf1e43906a
SHA256: 8ccf328b94194eb2ac548893e0b1db537c3fa29cce58f26b807010f6b9844d77
SHA512: 561db0c132bd8dcbbc70ff6868cb9e5a62ae944a7dc0d198dc03804296ac8c30d61e698c70dcd7fd7f9717e4854b6ab57200d5f86a5ccce43a087a83f9ce47fa
-
Filesize: 308KB
MD5: 9225d933e5f4cc46d10dc8aa786e8463
SHA1: 2502c29b0981476e70a49e037e73e916936f0e61
SHA256: 7236d27c29b257f87093343d938dc133f617a8d2c3134cd18a0757dbcfa14684
SHA512: f04fae2f277725244cd0f4caae8a2a07f8f29c0a87e5b4d98ef9c50afde86a85275b498b41d98837da4e29101028d8a1b821dec574b94e71ae8833b0e994b12f
-
Filesize: 366KB
MD5: 099863a4815f37441c14cf657b8f1d9f
SHA1: 775e317fbc3ab38400f5f0c4f97e410395fdbc2b
SHA256: fd4f966b6429953bad6b7fd442b17cf2517f96569dfccf72a5c09727eadeb87b
SHA512: 729b85e3132ffd669d480806243caf2ef103412535b10679563c4928d0b1d6cc5f6c6408a16040e42118672be8ad225f854e111781bbba3c890cf9a5eff25858