Analysis
max time kernel: 60s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 17:55
Static task: static1
Behavioral task: behavioral1
Sample: aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe
Resource: win10v2004-20230220-en
General
Target: aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe
Size: 695KB
MD5: b2bee9206b19cae583cfa482379e51ac
SHA1: 88e8422227d3b85f8e186e480e128330de8dc44d
SHA256: aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836
SHA512: 4f581cff0fe8bd7d468a35be2b57904c34f08f799bc8f5fa15b25caeb82e3874952de3ce0e8e544ab9f15a86ec0acfa06c33be8dcea9ea3ed9d04016a94d4f36
SSDEEP: 12288:fMrVy90XwFjhXBM30TlphPcASqiVmpoW0KbupcMhLWgxwnhDBQs6kIw+5Y:ayqw5hXBM30TlrcD3VQo9K3MIQuhDBQO
Malware Config
Extracted: redline
  Botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted: redline
  Botnet: from
  C2: 176.113.115.145:4125
  auth_value: 8633e283485822a4a48f0a41d5397566
Both extracted configurations point at the same C2 endpoint, 176.113.115.145:4125, but carry different botnet identifiers and auth_value tokens, so treat them as two RedLine builds rather than one.
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro2020.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro2020.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro2020.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro2020.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro2020.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro2020.exe
These are the Group Policy values that turn off Defender real-time, behavior, on-access and IOAV scanning. The WOW6432Node component shows the writer is a 32-bit process whose HKLM\SOFTWARE writes were redirected, so when hunting for this on a 64-bit host check both the native Policies key and the WOW6432Node view.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/4760-192-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-193-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-195-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-197-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-199-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-201-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-203-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-205-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-207-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-211-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-209-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-213-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-215-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-217-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-219-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-221-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-223-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-225-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/4760-1109-0x0000000004E20000-0x0000000004E30000-memory.dmp | family_redline
All 19 matches are memory dumps of PID 4760 (qu1724.exe), 18 of them of the same region 0x04CF0000-0x04D2F000 captured at successive points in the run, so qu1724.exe is the process carrying the RedLine payload.
Executes dropped EXE 4 IoCs
pid | Process
3800 | un914929.exe
2012 | pro2020.exe
4760 | qu1724.exe
4348 | si243752.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro2020.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro2020.exe
Writing TamperProtection = 0 is an attempt to switch off Defender Tamper Protection, the feature that would otherwise block the real-time protection policy changes listed above.
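The two Defender-tampering signatures above are easy to turn into a host-independent detection. The following Python is an added example, not part of the tria.ge report: it parses registry-write events in the exact form the report prints them, normalises the kernel-object path to an HKLM-style key (dropping the WOW6432Node redirection), and flags writes that disable real-time protection via policy or set TamperProtection to 0. The event lines are copied from the report's IoC tables plus two constructed benign lines; the ATT&CK mapping to T1562.001 (Impair Defenses: Disable or Modify Tools) is our own.

```python
import re
from typing import List, NamedTuple, Optional

# Registry-write events in the form this report prints them:
#   Set value (<type>) <key>\<value name> = "<data>" <process>
# The first seven lines reproduce the Defender IoCs from the report; the last
# two are constructed (not from the report): a normal Run entry and an
# administrator re-enabling real-time protection, both of which must not fire.
EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro2020.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro2020.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro2020.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro2020.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro2020.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro2020.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro2020.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Program Files\OneDrive\OneDrive.exe" explorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe
"""

RE_SET = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

# Key suffixes (lower-cased, after normalisation) and value names to watch.
RTP_POLICY_KEY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}


class Finding(NamedTuple):
    process: str
    technique: str  # MITRE ATT&CK technique ID (our mapping)
    detail: str


def normalize_key(path: str) -> str:
    """Turn the kernel-object path the sandbox logs into an HKLM-style key and
    drop the WOW6432Node node that a 32-bit writer is silently redirected into."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(prefix):
        path = "HKLM\\" + path[len(prefix):]
    return path.replace("\\WOW6432Node", "")


def parse_set_value(line: str):
    """Return (key, value_name, data, process) for a 'Set value' line, else None."""
    m = RE_SET.match(line.strip())
    if m is None:
        return None
    key, _, name = m["path"].rpartition("\\")
    return normalize_key(key), name, m["data"], m["proc"]


def check_event(line: str) -> Optional[Finding]:
    """Flag writes that switch off Defender real-time protection or Tamper Protection."""
    parsed = parse_set_value(line)
    if parsed is None:
        return None
    key, name, data, proc = parsed
    key_l, name_l = key.lower(), name.lower()
    if key_l.endswith(RTP_POLICY_KEY) and name_l in RTP_DISABLE_VALUES and data == "1":
        return Finding(proc, "T1562.001", f"{name}=1 under Defender Real-Time Protection policy")
    if key_l.endswith(FEATURES_KEY) and name_l == "tamperprotection" and data == "0":
        return Finding(proc, "T1562.001", "TamperProtection=0 (Tamper Protection off)")
    return None


def scan(text: str) -> List[Finding]:
    """Run check_event over every line and keep the hits."""
    return [f for f in (check_event(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.technique} {f.process}: {f.detail}")
```

Run against the embedded events it reports six findings, all attributed to pro2020.exe, and stays silent on the Run entry and on the write that sets DisableRealtimeMonitoring back to 0. The data comparison is deliberately exact ("1" / "0") because the same value names written with the opposite data are remediation, not tampering.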
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un914929.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un914929.exe
Caveat: these two RunOnce values are not payload persistence. wextract_cleanupN entries that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP folder are the standard self-cleanup hooks written by the Windows IExpress/wextract self-extracting stub, so what they show is that the sample is an IExpress package containing a second IExpress package (un914929.exe), each unpacking into its own IXP00N.TMP directory.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
4428 | 2012 | WerFault.exe | 86
1132 | 4760 | WerFault.exe | 89
Both dropped payloads crashed during the run: WerFault.exe was started for pro2020.exe (PID 2012) and for qu1724.exe (PID 4760).
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2012 | pro2020.exe
2012 | pro2020.exe
4760 | qu1724.exe
4760 | qu1724.exe
4348 | si243752.exe
4348 | si243752.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2012 | pro2020.exe
Token: SeDebugPrivilege | 4760 | qu1724.exe
Token: SeDebugPrivilege | 4348 | si243752.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 384 wrote to memory of 3800 | 384 | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe | 85
PID 384 wrote to memory of 3800 | 384 | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe | 85
PID 384 wrote to memory of 3800 | 384 | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe | 85
PID 3800 wrote to memory of 2012 | 3800 | un914929.exe | 86
PID 3800 wrote to memory of 2012 | 3800 | un914929.exe | 86
PID 3800 wrote to memory of 2012 | 3800 | un914929.exe | 86
PID 3800 wrote to memory of 4760 | 3800 | un914929.exe | 89
PID 3800 wrote to memory of 4760 | 3800 | un914929.exe | 89
PID 3800 wrote to memory of 4760 | 3800 | un914929.exe | 89
PID 384 wrote to memory of 4348 | 384 | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe | 93
PID 384 wrote to memory of 4348 | 384 | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe | 93
PID 384 wrote to memory of 4348 | 384 | aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe | 93
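The WriteProcessMemory rows above, joined with the "Executes dropped EXE" table, are enough to rebuild the parent/child structure that the Processes section shows. The Python below is an added example, not part of the report: it parses both tables as printed, collapses the three repeated rows per pair into one edge, names each PID from whichever table knows it, and renders the tree and the ancestry chain of any PID. Cross-checking the result against the Processes section is the point; if a writer/target edge appeared here that the process tree did not show, that would be a write into a process the writer did not create, which is what injection looks like in this view. The input text is copied from the report.

```python
import re
from typing import Dict, List, Tuple

# "Suspicious use of WriteProcessMemory" rows as this report prints them:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <target procid>
# Every parent/child pair is listed three times in the report; build_tree
# collapses the repeats into a single edge.
WPM_EVENTS = """\
PID 384 wrote to memory of 3800 384 aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe 85
PID 384 wrote to memory of 3800 384 aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe 85
PID 384 wrote to memory of 3800 384 aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe 85
PID 3800 wrote to memory of 2012 3800 un914929.exe 86
PID 3800 wrote to memory of 2012 3800 un914929.exe 86
PID 3800 wrote to memory of 2012 3800 un914929.exe 86
PID 3800 wrote to memory of 4760 3800 un914929.exe 89
PID 3800 wrote to memory of 4760 3800 un914929.exe 89
PID 3800 wrote to memory of 4760 3800 un914929.exe 89
PID 384 wrote to memory of 4348 384 aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe 93
PID 384 wrote to memory of 4348 384 aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe 93
PID 384 wrote to memory of 4348 384 aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe 93
"""

# "Executes dropped EXE" rows (pid, image) from the report; they name the
# children, which never appear as writers with an image of their own here.
DROPPED_EXE = """\
3800 un914929.exe
2012 pro2020.exe
4760 qu1724.exe
4348 si243752.exe
"""

RE_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
RE_EXEC = re.compile(r"^(\d+) (\S+)$")


def build_tree(wpm_text: str, exec_text: str) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """children maps a writer PID to the ordered list of distinct PIDs it wrote
    into; names maps every PID seen in either table to its image name."""
    children: Dict[int, List[int]] = {}
    names: Dict[int, str] = {}
    for line in exec_text.splitlines():
        m = RE_EXEC.match(line.strip())
        if m:
            names[int(m[1])] = m[2]
    for line in wpm_text.splitlines():
        m = RE_WPM.match(line.strip())
        if not m:
            continue
        src, dst, _, image, _ = m.groups()
        src, dst = int(src), int(dst)
        names.setdefault(src, image)
        if dst not in children.setdefault(src, []):
            children[src].append(dst)  # de-duplicate the repeated rows
    return children, names


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs that wrote into others but were never written into themselves."""
    targets = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in targets]


def ancestry(children: Dict[int, List[int]], pid: int) -> List[int]:
    """Chain of PIDs from the root down to pid, e.g. [384, 3800, 4760]."""
    parent = {c: p for p, cs in children.items() for c in cs}
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def render(children: Dict[int, List[int]], names: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """Indented tree lines, one per process, two spaces per level."""
    lines = ["  " * depth + f"{root} {names.get(root, '<unknown>')}"]
    for child in children.get(root, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, names = build_tree(WPM_EVENTS, DROPPED_EXE)
    for r in roots(children):
        print("\n".join(render(children, names, r)))
```

For this report the only root is PID 384, the tree it prints has the sample spawning un914929.exe (3800) and si243752.exe (4348), with un914929.exe spawning pro2020.exe (2012) and qu1724.exe (4760), exactly the nesting shown under Processes below. The WerFault.exe instances do not appear because nothing in the report writes into them.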
Processes

C:\Users\Admin\AppData\Local\Temp\aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaafc5fde1a1cbc90b52d3fd47595e68447cee9bf11fbfa705557a1b6ec3b836.exe"
  PID: 384
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un914929.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un914929.exe
    PID: 3800 (parent 384)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2020.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2020.exe
      PID: 2012 (parent 3800)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1084
        PID: 4428 (parent 2012)
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1724.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1724.exe
      PID: 4760 (parent 3800)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1860
        PID: 1132 (parent 4760)
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si243752.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si243752.exe
    PID: 4348 (parent 384)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2012 -ip 2012
  PID: 232

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4760 -ip 4760
  PID: 2780
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 492b0e333bf6784664b6c8b7195acb13
SHA1: 83a0ce071ffee9c5236baa7313310efba607c8d3
SHA256: aeb3ed8801a10f2d18312c7b799b9731ab969625e6a439dd1487ec164611d761
SHA512: b4fd5b1778db482969c674d719d245a1339cf1db4a1bd8daaeca48631aeae8c81030848c7f2a90e299636ac204817a1ef48f992ff0e931e9b571550089bdd30e

Filesize: 553KB
MD5: fb97bcc0e6505bd85d7fbd82b6515d2e
SHA1: 5300589ae7ff15ef2b9d2503194978b2c8801dfd
SHA256: a015b0d50f140c6cbc149fc88e2affc69df9b107cac3a6c741450bcb29d4207e
SHA512: a8c212c962b4d1871e8e6a11be0475a5659b511afccc31191ccef431745e1462b7a939966358effa096bfe552054a1119527acaabc54a01a48d16697902e2543

Filesize: 308KB
MD5: 2300bbb506fa58388bfe69ace083b40b
SHA1: fbd57d1fd05a45f86e7688eed53c0670adb7c912
SHA256: 74e7f6694cfdde9cc6fc1b8e4e83818841f679dd29f84c652bf7f93054f34796
SHA512: 1a1cf2694ed0475036bb118ee65c8b32cfce1f5ecc80eaa94d035bd62042a9f690a4c31d6b97a2054a5eb9de397e2db2c9d7cd428d5f81fd24a584e81e380237

Filesize: 366KB
MD5: 354613eda5907047ba936e3094cbbbce
SHA1: c9e8487193d7a4e7fd5c1853a583f0c9f7595c9d
SHA256: 54525284787e7ec4ac33d1ed58042627f49bd3fd00f06032c8d4dd7181b8df85
SHA512: d473d5ecdd48f0dcb55b966d11ffeb48175f439574b11cb8b57770cb533d00ff68d93fd6de442ecf74235229d7d7149834acfa0389f29ec83d8625059c0fbccb