Analysis
max time kernel: 92s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 15:29
Static task: static1
Behavioral task: behavioral1
Sample: 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe
Resource: win10v2004-20230220-en
General
Target: 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe
Size: 696KB
MD5: 4082d95eeaff939a6efbc2e31323d666
SHA1: dfb0d5aeebdd09a25e51f8a2749df35ab433ff62
SHA256: 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457
SHA512: d742f8a8f1a2c20d9fc3f17c851170028bf95c8b2427539728d8d72fcc38ea44a107578155c6209bab084321f7435888c47a0398d4f80bd6048d0af458026e1a
SSDEEP: 12288:aMrJy90Q/JCjcn2H3pLl/MqGd4aDz2WhlQobiwFVj5eZ6Le2fk:DyMjb3pLFMqGd4OyWhZbiwFje4S
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: muse
C2: 176.113.115.145:4125
auth_value: b91988a63a24940038d9262827a5320c
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9529.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/1068-194-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-195-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-197-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-199-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-201-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-203-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-205-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-207-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-209-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-211-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-213-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-215-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-217-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-219-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-221-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-223-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-225-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
behavioral1/memory/1068-227-0x0000000004CF0000-0x0000000004D2F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
820 | un643181.exe
4676 | pro9529.exe
1068 | qu3765.exe
4652 | si631607.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9529.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un643181.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un643181.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3856 | 4676 | WerFault.exe | 79
4572 | 1068 | WerFault.exe | 88
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4676 | pro9529.exe
4676 | pro9529.exe
1068 | qu3765.exe
1068 | qu3765.exe
4652 | si631607.exe
4652 | si631607.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4676 | pro9529.exe
Token: SeDebugPrivilege | 1068 | qu3765.exe
Token: SeDebugPrivilege | 4652 | si631607.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3328 wrote to memory of 820 | 3328 | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe | 78
PID 3328 wrote to memory of 820 | 3328 | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe | 78
PID 3328 wrote to memory of 820 | 3328 | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe | 78
PID 820 wrote to memory of 4676 | 820 | un643181.exe | 79
PID 820 wrote to memory of 4676 | 820 | un643181.exe | 79
PID 820 wrote to memory of 4676 | 820 | un643181.exe | 79
PID 820 wrote to memory of 1068 | 820 | un643181.exe | 88
PID 820 wrote to memory of 1068 | 820 | un643181.exe | 88
PID 820 wrote to memory of 1068 | 820 | un643181.exe | 88
PID 3328 wrote to memory of 4652 | 3328 | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe | 92
PID 3328 wrote to memory of 4652 | 3328 | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe | 92
PID 3328 wrote to memory of 4652 | 3328 | 8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe | 92
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe"
    PID: 3328
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un643181.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un643181.exe
        PID: 820
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9529.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9529.exe
            PID: 4676
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1064
                PID: 3856
                - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3765.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3765.exe
            PID: 1068
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1620
                PID: 4572
                - Program crash
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si631607.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si631607.exe
        PID: 4652
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4676 -ip 4676
    PID: 3756
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1068 -ip 1068
    PID: 4372
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 87073b64d6d90d223a7f8edcf815dfc3
SHA1: 324550dfc8213b8b0fdb7f798ec30238a2a2098f
SHA256: c978089ded55e962391bfd6c2b275945d523b18a191a904dd340af1eebff9d84
SHA512: 1e121f43335ae1c453382dec6b637a031b367c77c085a0027d7526ce17693be614a3f57936fdd9a128586cdb11d892d7ce508e58ab0c3b584df3a221f2588402
Filesize: 554KB
MD5: 509fa936b31c8576cba54dae9172adff
SHA1: a3b85f7a0bceb9137f474a1b87f3a03384814d41
SHA256: bf06ca91d0aaf073698bbcbdaf21a6d1025a5a505fca9ac780d33ce1249c46af
SHA512: 5467e978286c6b31e11d273e22771ffc0e4f132dc2ce4f104f779bb5b7c03ab3b49f49237c19c1752981b60e63443a3c7712db0e944a3efcddd9cd2a11de84f4
Filesize: 347KB
MD5: c975c9c123d30919393c7e8f25715a53
SHA1: 21df7c1769cce2c3bf092dc109f4f0624eb2667e
SHA256: 9392e1c2cbb31cca7818ca90421417dfd8643949a104f84323b670d2f6e24db0
SHA512: 39da8a2739ef7df83c9f686100d496731c5d021dd8a688d3569aae71b9f8fd905f1a060dca6e2b98da87d8dee7c1ad980c10ef6a3aebe08e5aad739121cf29f5
Filesize: 405KB
MD5: 21c362c02f899ff1e3b94581f36578f9
SHA1: 099b405180e057765615148ac7c26f096281c70a
SHA256: 789f7b8d4a8b2e15044f1275f25cd41ebea5588b87765a39d28da89f9332d315
SHA512: d35363b92bba72377f01052fe636636285c7aa171459bdffeb7889994ee20a9d7e85d180f5fb40275055c2dcfe6f1ef8ab8bc4184521e96bf94cbd41cceb3ea7