Analysis
max time kernel: 61s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 13:41
Static task: static1
Behavioral task: behavioral1
Sample: 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe
Resource: win10v2004-20230221-en
General
Target: 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe
Size: 751KB
MD5: 26ca997be18db22953f0f02a6f738702
SHA1: 0d5e7d3efe0da31ef203a60b064bf491db041719
SHA256: 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c
SHA512: 56fd12b83d5d3b3d0822e3245834ba14ea73b49442586b2b582ece430563c551c3a726a76a9a0a1299f77257f53af4ad9397707816d6b502df46d7393c3c355c
SSDEEP: 12288:h+qtdEg9+2Ok5dnoMk8vVJgJPjq8DAOyuBiTpD8nJjDQZ2bVhvrnsV+fP8RUKzFw:fIg9+oCM9VSPj36aJ/PbV9YV+f0RUEC
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: muse
C2: 176.113.115.145:4125
auth_value: b91988a63a24940038d9262827a5320c
Signatures
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr730788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr730788.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr730788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr730788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr730788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr730788.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 32 IoCs
resource | yara_rule
behavioral1/memory/3748-157-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-158-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-160-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-162-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-164-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-168-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-172-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-174-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-176-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-178-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-180-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-182-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-184-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-186-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-188-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-190-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-192-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-194-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-196-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-198-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-200-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-202-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-204-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-206-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-208-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-210-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-212-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-214-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-216-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-218-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-220-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
behavioral1/memory/3748-222-0x0000000004C40000-0x0000000004C7F000-memory.dmp | family_redline
-
Executes dropped EXE 4 IoCs
pid | Process
4348 | ziHc7759.exe
4660 | jr730788.exe
3748 | ku364252.exe
2216 | lr921454.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr730788.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziHc7759.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziHc7759.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
180 | 3748 | WerFault.exe | 84
4588 | 1608 | WerFault.exe | 81
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4660 | jr730788.exe
4660 | jr730788.exe
3748 | ku364252.exe
3748 | ku364252.exe
2216 | lr921454.exe
2216 | lr921454.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4660 | jr730788.exe
Token: SeDebugPrivilege | 3748 | ku364252.exe
Token: SeDebugPrivilege | 2216 | lr921454.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1608 wrote to memory of 4348 | 1608 | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe | 82
PID 1608 wrote to memory of 4348 | 1608 | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe | 82
PID 1608 wrote to memory of 4348 | 1608 | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe | 82
PID 4348 wrote to memory of 4660 | 4348 | ziHc7759.exe | 83
PID 4348 wrote to memory of 4660 | 4348 | ziHc7759.exe | 83
PID 4348 wrote to memory of 3748 | 4348 | ziHc7759.exe | 84
PID 4348 wrote to memory of 3748 | 4348 | ziHc7759.exe | 84
PID 4348 wrote to memory of 3748 | 4348 | ziHc7759.exe | 84
PID 1608 wrote to memory of 2216 | 1608 | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe | 88
PID 1608 wrote to memory of 2216 | 1608 | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe | 88
PID 1608 wrote to memory of 2216 | 1608 | 8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe (depth 1)
   command line: "C:\Users\Admin\AppData\Local\Temp\8b186acdf4ed92e9985fd01e906b1209b4bb8f2bc266c037ea0e7fb8f3ec154c.exe"
   PID: 1608
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHc7759.exe (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHc7759.exe
      PID: 4348
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr730788.exe (depth 3)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr730788.exe
         PID: 4660
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364252.exe (depth 3)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364252.exe
         PID: 3748
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         C:\Windows\SysWOW64\WerFault.exe (depth 4)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1328
            PID: 180
            - Program crash
   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921454.exe (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921454.exe
      PID: 2216
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   C:\Windows\SysWOW64\WerFault.exe (depth 2)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 484
      PID: 4588
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3748 -ip 3748
   PID: 3772
C:\Windows\SysWOW64\WerFault.exe (depth 1)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1608 -ip 1608
   PID: 4624
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: 591efc87ce3974863f97b3fb96d353c9
SHA1: d71e0c0d137c7e7395b470c8110b389927d06537
SHA256: e3223af8ae969b1135c01c0fe5860c2484054c755e91c04b1d6da4438e4ae5a5
SHA512: eeee0be70e2eb30e8345e72ed0d352bcc218ebb709904056ada22e9595f74b6a154c9cc5fe6044e7ac46da7d18ea13b31ae036fa5fa962607fd972d7492b3b56
-
Filesize: 420KB
MD5: 6ca16a861ab5e7dac5b02e979ce6f81f
SHA1: 92088493e05ed321cc9e800a72e33080aa85595f
SHA256: cb363a673adb11c0bab2fc6df4b0beadfef43093c67d15573ba2baa4bc833d95
SHA512: c4a5249b6044c51edcb9e87505defbe4fce7cca336a146a66e30c2c3f05a15108c4b808669666efebbd652b5e3366d7f86f490ef45ddbcc0a1fa162e7e237155
-
Filesize: 11KB
MD5: a5569b37458871722ce0ff1f5e954903
SHA1: a5675df2a5c6056b17247679d2521f0a3304a46c
SHA256: e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f
SHA512: ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431
-
Filesize: 406KB
MD5: fd216b10901e4f0bfa6e51ca58e836f8
SHA1: 0ca6da6af5eddfb944bcee13016e5f9d82254e5e
SHA256: 30694b600bc9b749d6200231c012ce8543402b907ec24871fc40ca094f0caad5
SHA512: aea8beb778e5f11a5f69c3d8303bf76a7899e83c2acb7e8efa76324562363a3c423c74c274e3908023ccab3e7ddd20f4a2767617327f39321290a2113c1e1c83