Analysis
max time kernel: 87s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 18:08
Static task: static1
Behavioral task: behavioral1
Sample: 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe
Resource: win10v2004-20230220-en
General
Target: 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe
Size: 700KB
MD5: 021b171a80a22c805479a07091ef4ef4
SHA1: aee7ac33575905a10e05855f4759b8086c92a5b4
SHA256: 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c
SHA512: e482f579984cbc589639167ffc481f9ac7f7c53d43a3b471cc05f123db343c91e0afcc150376006ed9c17ef1d38329bf527aa3d887e91a130cbcf4285ac27a2e
SSDEEP: 12288:6Mrzy90Uzi1M3Aj4U1IhlMyQO25TBr1i3Fx1z3xYiKiE9NwPYNL/3M7YgTFTRDVt:ByvzPhqO25Td1if1rxFS9NAYl/M7YgBN
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0408.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0408.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0408.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0408.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0408.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0408.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
Executes dropped EXE 4 IoCs
pid | Process
316 | un280796.exe
5000 | pro0408.exe
2204 | qu6925.exe
4368 | si995075.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0408.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0408.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un280796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un280796.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3532 | 5000 | WerFault.exe | 84
5100 | 2204 | WerFault.exe | 92
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5000 | pro0408.exe
5000 | pro0408.exe
2204 | qu6925.exe
2204 | qu6925.exe
4368 | si995075.exe
4368 | si995075.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5000 | pro0408.exe
Token: SeDebugPrivilege | 2204 | qu6925.exe
Token: SeDebugPrivilege | 4368 | si995075.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 432 wrote to memory of 316 | 432 | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe | 83
PID 432 wrote to memory of 316 | 432 | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe | 83
PID 432 wrote to memory of 316 | 432 | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe | 83
PID 316 wrote to memory of 5000 | 316 | un280796.exe | 84
PID 316 wrote to memory of 5000 | 316 | un280796.exe | 84
PID 316 wrote to memory of 5000 | 316 | un280796.exe | 84
PID 316 wrote to memory of 2204 | 316 | un280796.exe | 92
PID 316 wrote to memory of 2204 | 316 | un280796.exe | 92
PID 316 wrote to memory of 2204 | 316 | un280796.exe | 92
PID 432 wrote to memory of 4368 | 432 | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe | 96
PID 432 wrote to memory of 4368 | 432 | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe | 96
PID 432 wrote to memory of 4368 | 432 | 79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\79b5713ebf3914402fcfc60da319bfa42392faa5b1d5b6b37bd9ed55eeb7fb1c.exe"
    PID: 432
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un280796.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un280796.exe
        PID: 316
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0408.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0408.exe
            PID: 5000
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1084
                PID: 3532
                - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6925.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6925.exe
            PID: 2204
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1860
                PID: 5100
                - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si995075.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si995075.exe
        PID: 4368
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5000 -ip 5000
    PID: 4508

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2204 -ip 2204
    PID: 4292
Network
MITRE ATT&CK Enterprise v6
Downloads