Analysis

max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 10:05
Static task: static1
Behavioral task: behavioral1
Sample: 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe
Resource: win10v2004-20230221-en
General

Target: 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe
Size: 684KB
MD5: a819bafc5390a88982cc79b2dbe64d50
SHA1: 9a547483c3000c110202348e30b1f16457ffce02
SHA256: 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751
SHA512: 77697b288a24f0b42b4bd768bf12fba8d96a66c028572a7f21b9b2bf9062b07f833ce417b385f825149563e47adc00deba386a3588bafa3b89423eedf227823a
SSDEEP: 12288:NMroy90zKAuMrT+UYu5vO88FbPFw2XY6ZV8wJhMl2kC6BllAFJKBuCVK:tyVMraUYu5GR3wAOwJhOConAUTK
Malware Config

Extracted: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted: redline
Botnet: muse
C2: 176.113.115.145:4125
auth_value: b91988a63a24940038d9262827a5320c

Two RedLine configurations were extracted from this run. Both point at the same C2 (176.113.115.145:4125) and differ only in botnet ID and auth_value, so a single network indicator covers both payloads.
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4201.exe

The sandbox records the attempted writes, not whether Defender honoured them. The WOW6432Node component in every path shows they were made by a 32-bit process through the WOW64 registry view (consistent with the crash of pro4201.exe being handled by C:\Windows\SysWOW64\WerFault.exe), and on a host with Tamper Protection enabled these are exactly the settings it protects. Treat the writes as an intent indicator and confirm the actual Defender state on an affected host (for example with Get-MpComputerStatus) rather than assuming real-time protection was disabled.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/4788-196-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-197-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-199-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-201-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-203-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-205-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-207-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-209-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-211-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-213-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-215-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-217-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-219-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-221-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-223-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-225-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-227-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline
behavioral1/memory/4788-229-0x00000000076F0000-0x000000000772F000-memory.dmp | family_redline

All 18 dumps are the same 0x3F000-byte region (0x076F0000-0x0772F000) of qu4181.exe (PID 4788), captured at successive snapshots; the RedLine payload lives in that process, not in the outer droppers.

Executes dropped EXE 4 IoCs
pid | process
1576 | un366041.exe
4592 | pro4201.exe
4788 | qu4181.exe
2116 | si489285.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4201.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un366041.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | un366041.exe

These RunOnce entries are not persistence for the payload. wextract_cleanup0 and wextract_cleanup1 are written by the Windows wextract stub (IExpress self-extracting cabinet) and schedule deletion of its extraction folder (IXP000.TMP, IXP001.TMP) at the next logon through advpack.dll's DelNodeRunDLL32. What they do tell you is that both the submitted sample and un366041.exe are wextract packages, one nested in the other, which matches the process tree below.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | process | procid_target
920 | 4592 | WerFault.exe | 83
4068 | 4788 | WerFault.exe | 86

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
4592 | pro4201.exe
4592 | pro4201.exe
4788 | qu4181.exe
4788 | qu4181.exe
2116 | si489285.exe
2116 | si489285.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 4592 | pro4201.exe
Token: SeDebugPrivilege | 4788 | qu4181.exe
Token: SeDebugPrivilege | 2116 | si489285.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | process | procid_target
PID 2488 wrote to memory of 1576 | 2488 | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe | 82
PID 2488 wrote to memory of 1576 | 2488 | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe | 82
PID 2488 wrote to memory of 1576 | 2488 | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe | 82
PID 1576 wrote to memory of 4592 | 1576 | un366041.exe | 83
PID 1576 wrote to memory of 4592 | 1576 | un366041.exe | 83
PID 1576 wrote to memory of 4592 | 1576 | un366041.exe | 83
PID 1576 wrote to memory of 4788 | 1576 | un366041.exe | 86
PID 1576 wrote to memory of 4788 | 1576 | un366041.exe | 86
PID 1576 wrote to memory of 4788 | 1576 | un366041.exe | 86
PID 2488 wrote to memory of 2116 | 2488 | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe | 90
PID 2488 wrote to memory of 2116 | 2488 | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe | 90
PID 2488 wrote to memory of 2116 | 2488 | 02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe | 90
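As an added example (my code, not part of the tria.ge report and not RedLine's), the following Python classifies registry "Set value" events of the kind shown in the Defender, Windows security modification and RunOnce tables above: it flags writes that switch off Defender real-time protection features, writes that clear the TamperProtection feature flag, and RunOnce entries, and it separates wextract's DelNodeRunDLL32 cleanup entries from a genuine RunOnce persistence write. The event list is constructed here from the rows above plus two made-up contrast rows (a benign Explorer setting and a hypothetical dropper.exe RunOnce entry); matching is done on lower-cased path substrings so the same rules apply to Triage's \REGISTRY\MACHINE form and to Sysmon-style HKLM paths.

```python
"""Classify registry 'Set value' events for Defender tampering and RunOnce writes.

Added example for this report; not tria.ge code. Event data below is
constructed from the signature tables plus two made-up contrast rows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe"
RTP = ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\"
       "Windows Defender\\Real-Time Protection\\")
RUNONCE = ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\"
           "CurrentVersion\\RunOnce\\")

# (process, key path, value). First eight rows come from the report above;
# the last two are constructed contrast cases (benign write, real persistence).
EVENTS: List[Tuple[str, str, str]] = [
    ("pro4201.exe", RTP + "DisableBehaviorMonitoring", "1"),
    ("pro4201.exe", RTP + "DisableIOAVProtection", "1"),
    ("pro4201.exe", RTP + "DisableOnAccessProtection", "1"),
    ("pro4201.exe", RTP + "DisableRealtimeMonitoring", "1"),
    ("pro4201.exe", RTP + "DisableScanOnRealtimeEnable", "1"),
    ("pro4201.exe", "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\"
                    "Windows Defender\\Features\\TamperProtection", "0"),
    (SAMPLE, RUNONCE + "wextract_cleanup0",
     'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'),
    ("un366041.exe", RUNONCE + "wextract_cleanup1",
     'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"'),
    # constructed: benign user preference, must not be flagged
    ("explorer.exe", "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                     "Explorer\\Advanced\\Hidden", "1"),
    # constructed: hypothetical genuine RunOnce persistence (Sysmon-style path)
    ("dropper.exe", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc",
     "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"),
]

# Lower-case path fragments; they match both NT (\REGISTRY\MACHINE) and HKLM forms.
DEFENDER_RTP_POLICY = "\\policies\\microsoft\\windows defender\\real-time protection\\"
DEFENDER_TAMPER_FLAG = "\\microsoft\\windows defender\\features\\tamperprotection"
RUNONCE_KEY = "\\microsoft\\windows\\currentversion\\runonce\\"
# wextract/IExpress cleanup: advpack.dll,DelNodeRunDLL32 "<extraction dir>"
SFX_CLEANUP = re.compile(r'advpack\.dll,\s*delnoderundll32\s+"([^"]+)"', re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    path: str
    note: str


def classify(process: str, path: str, value: str) -> Optional[Finding]:
    """Return a Finding for one 'Set value' event, or None if it is uninteresting."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    view = "32-bit WOW64 view" if "\\wow6432node\\" in p else "native view"
    if DEFENDER_RTP_POLICY in p and name.startswith("disable") and value.strip('"') == "1":
        return Finding(process, "defender_rtp_disable", path, view)
    if p.endswith(DEFENDER_TAMPER_FLAG) and value.strip('"') == "0":
        return Finding(process, "tamper_protection_off", path, view)
    if RUNONCE_KEY in p:
        m = SFX_CLEANUP.search(value)
        if m:
            # Scheduled deletion of an SFX extraction folder, not payload persistence.
            return Finding(process, "sfx_cleanup_runonce", path, "deletes " + m.group(1))
        return Finding(process, "runonce_persistence", path, value)
    return None


def scan(events: List[Tuple[str, str, str]]) -> List[Finding]:
    return [f for f in (classify(*e) for e in events) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Per-process sorted list of rule names that fired."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.rule)
    return {proc: sorted(rules) for proc, rules in out.items()}


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:22} {f.process:12} {f.note}")
```

The WOW64 note on each Defender finding is carried as data so a triage rule can down-weight policy writes made through the 32-bit view, and the SFX-cleanup rule keeps the extraction directory name, which is the folder you want to pull dropped files from before RunOnce removes it.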
Processes

[1] C:\Users\Admin\AppData\Local\Temp\02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe (PID 2488)
    command line: "C:\Users\Admin\AppData\Local\Temp\02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un366041.exe (PID 1576)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un366041.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4201.exe (PID 4592)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4201.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WerFault.exe (PID 920)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1088
                - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4181.exe (PID 4788)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4181.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WerFault.exe (PID 4068)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1628
                - Program crash
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si489285.exe (PID 2116)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si489285.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe (PID 1324)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3232)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4788 -ip 4788

Reading the tree: the submitted sample is a wextract package that unpacks un366041.exe and si489285.exe into IXP000.TMP; un366041.exe is itself a wextract package that unpacks pro4201.exe and qu4181.exe into IXP001.TMP. Both IXP001.TMP payloads crashed and were reported by WerFault (the -u -p instances are children of the crashed process, the -pss instances are started outside the tree), and the family_redline memory dumps above were taken from qu4181.exe (PID 4788).
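As an added example (my code, not from the tria.ge report), the following Python rebuilds the process tree from flat (pid, parent pid, image, command line) records like the ones above and ties each WerFault instance back to the process that crashed, including the "-pss ... -p N -ip N" instances whose parent the report does not show. The records are constructed here from the tree above; the parent of the two -pss WerFault processes is assumed unknown (None).

```python
"""Rebuild a sandbox process tree and correlate WerFault instances with crashed pids.

Added example for this report; not tria.ge code. PROCS is constructed from
the process tree above; None means the parent is not shown in the report.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = "02655d17dcbd045b41f82f47d2a4adb5af1dc15702339d2ee9c4ed46506d7751.exe"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
WER = "C:\\Windows\\SysWOW64\\WerFault.exe"

Proc = Tuple[int, Optional[int], str, str]  # (pid, ppid, image, command line)
PROCS: List[Proc] = [
    (2488, None, SAMPLE, f'"{TMP}{SAMPLE}"'),
    (1576, 2488, "un366041.exe", TMP + "IXP000.TMP\\un366041.exe"),
    (4592, 1576, "pro4201.exe", TMP + "IXP001.TMP\\pro4201.exe"),
    (920, 4592, "WerFault.exe", WER + " -u -p 4592 -s 1088"),
    (4788, 1576, "qu4181.exe", TMP + "IXP001.TMP\\qu4181.exe"),
    (4068, 4788, "WerFault.exe", WER + " -u -p 4788 -s 1628"),
    (2116, 2488, "si489285.exe", TMP + "IXP000.TMP\\si489285.exe"),
    (1324, None, "WerFault.exe", WER + " -pss -s 460 -p 4592 -ip 4592"),  # parent not shown
    (3232, None, "WerFault.exe", WER + " -pss -s 540 -p 4788 -ip 4788"),  # parent not shown
]

# "-p <pid>" preceded by start-of-string or whitespace, so "-pss" and "-ip" do not match.
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def werfault_target(cmdline: str) -> Optional[int]:
    """Crashed pid named on a WerFault command line, or None."""
    m = WERFAULT_TARGET.search(cmdline)
    return int(m.group(1)) if m else None


def by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p[0]: p for p in procs}


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Image names from the root of the tree down to pid (the dropper chain)."""
    table = by_pid(procs)
    chain: List[str] = []
    cur: Optional[int] = pid
    while cur in table:
        _, ppid, image, _ = table[cur]
        chain.append(image)
        cur = ppid
    return chain[::-1]


def crashed_processes(procs: List[Proc]) -> Dict[int, dict]:
    """Map crashed pid -> {'image': name, 'reporters': [WerFault pids]}."""
    table = by_pid(procs)
    out: Dict[int, dict] = {}
    for pid, _, image, cmd in procs:
        if image.lower() != "werfault.exe":
            continue
        target = werfault_target(cmd)
        if target is None or target not in table:
            continue  # crash of a process outside the captured set
        entry = out.setdefault(target, {"image": table[target][2], "reporters": []})
        entry["reporters"].append(pid)
    return out


def render(procs: List[Proc]) -> List[str]:
    """Indented tree lines; processes with an unknown parent become roots."""
    table = by_pid(procs)
    kids: Dict[Optional[int], List[int]] = {}
    for pid, ppid, _, _ in procs:
        kids.setdefault(ppid if ppid in table else None, []).append(pid)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        _, _, image, cmd = table[pid]
        lines.append("  " * depth + f"{image} (PID {pid}): {cmd}")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in kids.get(None, []):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    for pid, info in crashed_processes(PROCS).items():
        print(f"crashed: {info['image']} (PID {pid}) reported by WerFault {info['reporters']}")
        print("  chain:", " -> ".join(ancestry(PROCS, pid)))
```

Parsing the WerFault command line rather than relying on parent/child links matters because the -pss reporting instance is not a child of the crashed process, so a tree-only view would leave two WerFault roots unexplained.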
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 2ae7f2181c0ef014a310ebc416c6a534
SHA1: 2d8976f2b3303f880b01f3400d987a3962948da2
SHA256: 2ce6ab43cbdf79272a707fceca56a189ff8ff3f5c66fcba5adf6ea33ed210143
SHA512: 2e3690ed849729af4901c7a08cfe3e1fde7078dc26f2ba72407fbf84bb6cc9198132efb293e7249a65307d602e019c83cad1a26e6e1dbb55771506331d3b6994

Filesize: 542KB
MD5: 9e1c86576efaf209f669106e1cc7963c
SHA1: 2e7c2ed12b4e07288fa9b006c0169faadc49e3d7
SHA256: 432c76f9a34507cec4562ccc770ba202c257db6d7ce43206eddd9a7e745e11b8
SHA512: e7e2e3d581a2572cac748c941f027466c244adf17a263ee14947756919d7c2da1850c3bd0d0b7af66c251559b8e54efae16b83036dd589ee12952a3328a84db6

Filesize: 322KB
MD5: 0909487eb1f712239276f5256df2162e
SHA1: f3b253cb1e9c84d2749c93f8efb8934ff8d8c4e4
SHA256: 7ec93ca1c652d4e09c8080400f8c6537ad8af4b7dc1dc5b828211783cb1e17bd
SHA512: e6bfe324f72e62142c830f3142b0ae0138c9b397d92935bb865d2467d051c3c4434fd030ce622189cbaee824e671f38efaabdffba9c25c40ebc9b329a0374171

Filesize: 380KB
MD5: 2559862404418fd57172630c8569dc65
SHA1: b3fd81a89d8fcfb98575509eb2381a3b413cbc42
SHA256: 378b85e52544afafaf9fda774cbbd4cf1be148e493325b8fd25a161634d17c14
SHA512: 369850c848371517513c7a36e0a2715c74110af8c856afae33a1a1e4411aefd40fd347b4ca14c7d72217f5d92fd5fbb3121e951c8f58f6b772d3fe0458cac6b8