Analysis

max time kernel: 61s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 01:13

Static task: static1
Behavioral task: behavioral1
Sample: cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe
Resource: win10v2004-20230221-en
General

Target: cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe
Size: 690KB
MD5: a890236695a8fdd4ac84b99c4b7ec8bc
SHA1: 2d1b161ac5ce9bb891a4286ccfbf98e902d13cc4
SHA256: cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467
SHA512: c073379f74252681e4dfc9d210e5f62629426799209ad9007be275fa0dd3801c404a574f1858a076f1d7da30d050a42b31aeb6666c8ee1056edafc45026012eb
SSDEEP: 12288:JMrey90BZtLMKiw8dYik6GSyi65hLuYTRXN+3vr2tv5vFFJ4fig+K44E/sHo7:Xy6tLbiw8dfknfxfaoR9+D2B5HJ4agNc
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566

Two RedLine configurations were recovered, with different botnet names and auth_value tokens but the same C2 endpoint, 176.113.115.145:4125. The auth_value is the per-build token the client presents to the C2; the C2 address and port are the network indicators to block or hunt for.
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description      ioc                                                                                                                               Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    pro0335.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    pro0335.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro0335.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                    pro0335.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    pro0335.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        pro0335.exe

All six writes landed under WOW6432Node, the 32-bit view of HKLM\SOFTWARE: pro0335.exe is a 32-bit process (its crash is handled by SysWOW64\WerFault.exe in the process tree) and it opened the policy key without KEY_WOW64_64KEY. The 64-bit Defender service reads the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender view, so on this x64 image the policy values are unlikely to have taken effect, and Tamper Protection, where enabled, blocks such changes in any case. The indicator is the write attempt itself, not its success.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 18 IoCs
yara_rule: family_redline
resource: 18 memory dumps of the same region of PID 880 (qu6543.exe), behavioral1/memory/880-N-0x00000000066E0000-0x000000000671F000-memory.dmp, for N in 193, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212, 214, 216, 218, 220, 222, 224, 226
Executes dropped EXE 4 IoCs
pid   Process
4700  un987548.exe
1472  pro0335.exe
880   qu6543.exe
1548  si471762.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification 2 IoCs
description      ioc                                                                                              Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                       pro0335.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro0335.exe

Writing TamperProtection = 0 from an ordinary process does not switch Tamper Protection off: when the feature is enabled Defender protects this value against modification by other processes, and here the write again went to the WOW6432Node view rather than the native key. Treat it as an attempted defence-evasion step, the same way as the policy writes above.
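Detection logic for the two Defender-tampering signatures above, as an added example that is not part of the tria.ge report or of any tria.ge tooling. It parses rows in the report's own "Set value (...) path = "data" process" and "Key created path process" shape, normalises the key path (hive prefix and WOW6432Node redirection) so that sandbox paths and HKLM\-style EDR paths compare equal, and flags the Real-Time Protection policy values and the Features\TamperProtection value. The sample rows are copied from the tables above plus one constructed benign row; the finding text and function names are this example's own choices.

```python
"""Detector for the Windows Defender registry tampering listed above.

Added example; not part of the tria.ge report. Rows follow the report's own
'Set value (<type>) <path> = "<data>" <process>' / 'Key created <path> <process>'
shape. Sample rows are copied from the report plus one constructed benign row.
"""
import re

# Value names under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
# that the sample set to 1 (compared upper-cased; EDR casing varies).
RTP_DISABLE_VALUES = {
    "DISABLEREALTIMEMONITORING",
    "DISABLEBEHAVIORMONITORING",
    "DISABLEONACCESSPROTECTION",
    "DISABLESCANONREALTIMEENABLE",
    "DISABLEIOAVPROTECTION",
}
RTP_POLICY_KEY = r"SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION"
FEATURES_KEY = r"SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES"

_SET_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)" (\S+)$')
_KEY_RE = re.compile(r"^Key created (.+) (\S+)$")
_HIVE_PREFIXES = ("\\REGISTRY\\MACHINE\\", "HKLM\\", "HKEY_LOCAL_MACHINE\\")
_WOW_PREFIX = "SOFTWARE\\WOW6432NODE\\"


def normalize_key(path):
    """Return (key relative to HKLM, upper-cased; True if it sat in the WOW6432Node view).

    The sandbox logs kernel-style \\REGISTRY\\MACHINE\\ paths; EDR telemetry usually
    logs HKLM\\ or HKEY_LOCAL_MACHINE\\. A 32-bit writer that does not pass
    KEY_WOW64_64KEY ends up in WOW6432Node, which 64-bit Defender does not read.
    """
    upper = path.upper()
    for prefix in _HIVE_PREFIXES:
        if upper.startswith(prefix):
            upper = upper[len(prefix):]
            break
    wow64 = upper.startswith(_WOW_PREFIX)
    if wow64:
        upper = "SOFTWARE\\" + upper[len(_WOW_PREFIX):]
    return upper, wow64


def parse_row(line):
    """Parse one report row; returns a dict, or None for rows of another shape."""
    m = _SET_RE.match(line)
    if m:
        vtype, target, data, proc = m.groups()
        key, _, name = target.rpartition("\\")
        return {"op": "set", "type": vtype, "key": key, "name": name,
                "data": data, "process": proc}
    m = _KEY_RE.match(line)
    if m:
        return {"op": "create", "type": None, "key": m.group(1), "name": None,
                "data": None, "process": m.group(2)}
    return None


def classify(row):
    """Return a finding string for a parsed row, or None when the row is benign."""
    if row is None or row["op"] != "set":
        return None
    key, wow64 = normalize_key(row["key"])
    name = row["name"].upper()
    view = "WOW6432Node (32-bit) view" if wow64 else "native view"
    if key == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and row["data"] == "1":
        return f"{row['process']}: Defender policy {row['name']}=1 written to the {view}"
    if key == FEATURES_KEY and name == "TAMPERPROTECTION" and row["data"] == "0":
        return f"{row['process']}: attempt to clear Tamper Protection in the {view}"
    return None


def scan(rows):
    """Run the detector over a sequence of report rows and return all findings."""
    return [f for f in (classify(parse_row(r)) for r in rows) if f]


# Rows copied from the report's signature tables, plus one constructed benign row.
SAMPLE_ROWS = [
    'Key created \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection pro0335.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = "1" pro0335.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring = "1" pro0335.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" pro0335.exe',
    # Constructed control row: a string value elsewhere in the hive, must not fire.
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = "C:\\Tools\\updater.exe" setup.exe',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ROWS):
        print(finding)
```

The WOW6432Node flag is carried into each finding on purpose: a policy write that only reaches the 32-bit view is still worth alerting on, but an analyst reading the alert should know it did not reach the key the 64-bit Defender service consults.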
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                       un987548.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un987548.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                       cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe

The wextract_cleanup0/wextract_cleanup1 values, the advpack.dll,DelNodeRunDLL32 command and the IXP000.TMP/IXP001.TMP folders are the standard cleanup hook of the Microsoft wextract self-extracting stub (IExpress packages): the outer sample and un987548.exe are nested self-extracting archives, and each RunOnce value deletes the extraction folder at next logon rather than relaunching anything. This signature is an artifact of the packaging and not a persistence mechanism for the RedLine payloads.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid   pid_target  Process       procid_target
5036  1472        WerFault.exe  83
2012  880         WerFault.exe  92
Both executables dropped into IXP001.TMP crashed during the run: WerFault.exe 5036 handled pro0335.exe (PID 1472) and WerFault.exe 2012 handled qu6543.exe (PID 880).

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1472  pro0335.exe
1472  pro0335.exe
880   qu6543.exe
880   qu6543.exe
1548  si471762.exe
1548  si471762.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  1472  pro0335.exe
Token: SeDebugPrivilege  880   qu6543.exe
Token: SeDebugPrivilege  1548  si471762.exe

Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                 procid_target
PID 2456 wrote to memory of 4700   2456  cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe  82   (logged 3 times)
PID 4700 wrote to memory of 1472   4700  un987548.exe                                                            83   (logged 3 times)
PID 4700 wrote to memory of 880    4700  un987548.exe                                                            92   (logged 3 times)
PID 2456 wrote to memory of 1548   2456  cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe  97   (logged 3 times)

Each child process produces three identical rows; this pattern accompanies ordinary process creation in this sandbox and on its own is not evidence of code injection. What the rows do give is the parent-child relations: 2456 (the sample) launched 4700 (un987548.exe) and 1548 (si471762.exe), and 4700 launched 1472 (pro0335.exe) and 880 (qu6543.exe).
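The process tree in the next section is exactly what these WriteProcessMemory rows encode. As an added example that is not part of the tria.ge report, the following rebuilds it: parse each row into a parent-child edge, deduplicate the repeated rows, reject a child claimed by two different parents, and render the tree or the ancestry chain of a given PID (useful when automating triage across many reports). The rows and the pid-to-image map are copied from the tables above; the function names are this example's own.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the tria.ge report. Each row has the shape
'PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>';
the sandbox logs the same parent/child pair several times, so edges are
deduplicated. Child image names come from the 'Executes dropped EXE' table.
"""
import re
from collections import defaultdict

_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

SAMPLE = "cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe"

# The 12 rows from the report (each pair is logged three times).
WRITE_ROWS = (
    [f"PID 2456 wrote to memory of 4700 2456 {SAMPLE} 82"] * 3
    + ["PID 4700 wrote to memory of 1472 4700 un987548.exe 83"] * 3
    + ["PID 4700 wrote to memory of 880 4700 un987548.exe 92"] * 3
    + [f"PID 2456 wrote to memory of 1548 2456 {SAMPLE} 97"] * 3
)

# pid -> image from the 'Executes dropped EXE' table.
DROPPED = {4700: "un987548.exe", 1472: "pro0335.exe", 880: "qu6543.exe", 1548: "si471762.exe"}


def parse_edges(rows):
    """Return (child -> parent pid map, pid -> image map), deduplicated."""
    edges, names = {}, {}
    for row in rows:
        m = _ROW_RE.match(row)
        if not m:
            continue  # some other signature row
        parent, child, pid_col, image, _procid_target = m.groups()
        if parent != pid_col:
            raise ValueError(f"inconsistent row: {row!r}")
        parent, child = int(parent), int(child)
        names[parent] = image
        if edges.get(child, parent) != parent:
            raise ValueError(f"pid {child} written by two parents: {edges[child]} and {parent}")
        edges[child] = parent
    return edges, names


def build_tree(rows, dropped):
    """Return (root pids, parent -> children, pid -> image)."""
    edges, names = parse_edges(rows)
    names = {**dropped, **names}
    children = defaultdict(list)
    for child, parent in edges.items():
        children[parent].append(child)
    roots = sorted(p for p in names if p not in edges)
    return roots, children, names


def ancestry(pid, edges):
    """Chain from pid up to its root, e.g. [880, 4700, 2456]; bounded against cycles."""
    chain = [pid]
    while chain[-1] in edges and len(chain) <= len(edges):
        chain.append(edges[chain[-1]])
    return chain


def render(rows, dropped):
    """Indented text tree, one line per process, two spaces per level."""
    roots, children, names = build_tree(rows, dropped)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(WRITE_ROWS, DROPPED)))
```

The two-parents check matters more than it looks: in a real log a PID can be recycled during the run, and a child that appears under two parents is the usual sign that two different processes shared a PID, which should be resolved by start time rather than silently overwritten.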
Processes

C:\Users\Admin\AppData\Local\Temp\cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe (PID 2456)
  cmd: "C:\Users\Admin\AppData\Local\Temp\cbc72b0dc106c43127976fd82c91258084126feec416bd003242921faa737467.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un987548.exe (PID 4700)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un987548.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0335.exe (PID 1472)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0335.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 5036)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1084
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6543.exe (PID 880)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6543.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 2012)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1648
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si471762.exe (PID 1548)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si471762.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 1828)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1472 -ip 1472

C:\Windows\SysWOW64\WerFault.exe (PID 1416)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 880 -ip 880
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: a066de2e4e1d5397faf32cf7bae07568
SHA1: 495b0cde56b4ec47e6efe00b6297fd6004edcd19
SHA256: c80b38ceb00f9f35099fbbd4db0ccc0bd75531a363727e0fd435f984e93f7b9a
SHA512: 2a929343bf1d6a842e649f29f410337bf276d5e8edc65fc49903ac2166ef27c9d259685eb81b94d3ebae6cf67a45fc4283e661a7a6e287458b42e4a814cf0902

Filesize: 548KB
MD5: f0772aac6c5e536b33fec0f3420dface
SHA1: 87e37c9f02b5e8d9c7bcb4ad5dcf1d56efe3514c
SHA256: 3a1a9bd1ec953dbdc8ba3dcad9d65a29d847a1b278ddf2b78b5e38e5f311dc48
SHA512: fc3bef94001e3a2c133434a476ee2e721b9d2ad12027f0c984c0599ed69a9549dadfe1d5e2024ab518e21edaea0a65cdb74e0ad55cbb4e038442c786e63f8b8e

Filesize: 291KB
MD5: f88b6c79e6fcd40a39dcb21800e44be5
SHA1: 3a9fa921e136d4bed673e575ee3bcad80300aaec
SHA256: 7d8fc961315e97acea724fafe7be0895306ba7e09f6cbda04902eb3fed789168
SHA512: 78b2b4a31315539e6a59f6db946412100ca7e6b237cf1d1724982e6c8b2bfb7b9c6042ea2a88980b8cd5248650ec402afc399d062c931dd10a2dbd5613b9ad65

Filesize: 345KB
MD5: b8d898fe703585694b5cc7706599c548
SHA1: b5e87f4fb50c0140bc3ec25ce66cf4c53c51f33d
SHA256: f137149a7e817d89e6b994fe3b7dcc2deac86d442d5f905ccf491ad715697b6d
SHA512: f349b1adcce2a38c0cc8879c78fdddc8859b85f4a295eccfcc133308a4c2319cc58ce9175ce90dd3e2b6c0c2ca1b66ec9004f77d9a33d7f4a1bf90e2fa7f30b6