Analysis
max time kernel: 109s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 16:15
Static task: static1
Behavioral task: behavioral1
Sample: b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe
Resource: win10v2004-20230220-en
General
Target: b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe
Size: 695KB
MD5: c5857ed4b98fe7ecc7a5e363a23f0779
SHA1: 96221d810e2d26b35c0ebb3548d1b00a9978e1fa
SHA256: b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8
SHA512: 11b5c57a865b1beb54298f94d006e76d0bc30b07d9c7296b6d0ae3508c2a0ce12fef826e610aaf3d186a1b68d755d7f444cbe99bdc06652d137294689603e3d2
SSDEEP: 12288:XMr8y90C5SieimwJjZMmKD6aDzanzpcqdt9izYVj4QZlICiH1LS:/yd5j/MmKD6OOnNc0y0SQFx
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: muse
C2: 176.113.115.145:4125
auth_value: b91988a63a24940038d9262827a5320c
Two RedLine configurations were extracted from this run. Both point at the same C2 host and port and differ only in botnet identifier and auth_value, so a network-level block on 176.113.115.145:4125 covers both; the auth_value is the per-build token RedLine presents to the C2 and is useful for clustering samples from the same build.
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0935.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0935.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0935.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0935.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0935.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0935.exe
All six writes come from pro0935.exe and land under the WOW6432Node view of the Defender policy key, which is what a 32-bit process sees when it writes HKLM\SOFTWARE\Policies. The sandbox records the registry call; whether it actually switched protection off depends on the target host, since Defender with Tamper Protection enabled ignores these policy changes.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/3112-195-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-196-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-198-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-200-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-202-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-204-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-206-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-208-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-210-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-212-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-214-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-216-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-218-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-220-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-222-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-224-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-226-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
behavioral1/memory/3112-228-0x0000000007700000-0x000000000773F000-memory.dmp | family_redline
All 18 hits are successive dumps of the same region (0x07700000-0x0773F000) in PID 3112 (qu9480.exe), so they represent one unpacked RedLine payload observed repeatedly, not 18 distinct payloads.
Executes dropped EXE 4 IoCs
pid | Process
4140 | un836402.exe
4736 | pro0935.exe
3112 | qu9480.exe
1096 | si328782.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0935.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0935.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un836402.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un836402.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe
Both RunOnce values are the cleanup entries a Wextract (IExpress) self-extracting stub registers for its own IXP00n.TMP extraction directory: advpack.dll's DelNodeRunDLL32 deletes that directory at the next logon. They remove the droppers' temp files rather than start the payload, so this signature reflects the two nested SFX layers (the submitted sample and un836402.exe) and not persistence by the RedLine payloads; none of the dropped payloads writes a Run key in this report.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
180 | 4736 | WerFault.exe | 83
5096 | 3112 | WerFault.exe | 88
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4736 | pro0935.exe
4736 | pro0935.exe
3112 | qu9480.exe
3112 | qu9480.exe
1096 | si328782.exe
1096 | si328782.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4736 | pro0935.exe
Token: SeDebugPrivilege | 3112 | qu9480.exe
Token: SeDebugPrivilege | 1096 | si328782.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4964 wrote to memory of 4140 | 4964 | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe | 82
PID 4964 wrote to memory of 4140 | 4964 | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe | 82
PID 4964 wrote to memory of 4140 | 4964 | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe | 82
PID 4140 wrote to memory of 4736 | 4140 | un836402.exe | 83
PID 4140 wrote to memory of 4736 | 4140 | un836402.exe | 83
PID 4140 wrote to memory of 4736 | 4140 | un836402.exe | 83
PID 4140 wrote to memory of 3112 | 4140 | un836402.exe | 88
PID 4140 wrote to memory of 3112 | 4140 | un836402.exe | 88
PID 4140 wrote to memory of 3112 | 4140 | un836402.exe | 88
PID 4964 wrote to memory of 1096 | 4964 | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe | 91
PID 4964 wrote to memory of 1096 | 4964 | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe | 91
PID 4964 wrote to memory of 1096 | 4964 | b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe | 91
Every target of these writes is one of the dropped executables listed under "Executes dropped EXE", and each child appears three times with the same writer; that pattern is the parent writing into a process it has just created, not injection into an unrelated process.
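The registry signatures above (the Defender Real-Time Protection writes, the TamperProtection write and the RunOnce entries) can be reproduced as a small classifier over the raw registry events. The script below is an added example for this report, not Triage's signature code: the EVENTS rows are constructed to mirror the report (plus one invented HKCU Run-key write, marked as such, for contrast), and the rule names, severities and the native-path normalisation are this script's own assumptions.

```python
"""Classify sandbox registry events into the findings the signatures above raise.

Added example for this report, not Triage's own signature code. EVENTS is
constructed to mirror the report's rows plus one labelled extra; the field
layout, rule names and severities are this script's own assumptions.
"""
import re

# Normalised key paths (lower-case, WOW6432Node folded) that the rules match on.
DEFENDER_RTP = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
DEFENDER_TAMPER = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"
# Real-Time Protection policy values the sample set to 1 (names taken from the report).
DEFENDER_KILL = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
RUN_KEYS = {
    hive + "\\software\\microsoft\\windows\\currentversion\\" + key
    for hive in ("hklm", "hkcu") for key in ("run", "runonce")
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
# Constructed (operation, path, value, process) rows: the first five mirror the
# report, the last one is an invented Run-key write that is NOT in the report.
EVENTS = [
    ("Set value (int)", RTP + "\\DisableRealtimeMonitoring", "1", "pro0935.exe"),
    ("Set value (int)", RTP + "\\DisableBehaviorMonitoring", "1", "pro0935.exe"),
    ("Key created", RTP, None, "pro0935.exe"),
    ("Set value (int)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "0", "pro0935.exe"),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1",
     "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"",
     "un836402.exe"),
    ("Set value (str)",  # constructed example, not from the report
     "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "C:\\Users\\Admin\\AppData\\Roaming\\upd.exe", "example.exe"),
]


def normalize(path):
    """Native-format path -> hive\\key form: \\REGISTRY\\MACHINE becomes hklm,
    \\REGISTRY\\USER\\<SID> becomes hkcu, and the WOW6432Node redirect is folded
    so a 32-bit writer (this sample runs under SysWOW64) hits the same rule as
    a 64-bit one."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\")
    p = re.sub(r"^\\registry\\user\\s-1-[0-9-]+\\", "hkcu\\\\", p)
    return p.replace("\\wow6432node\\", "\\")


def classify(operation, path, value):
    """Return (severity, label) for one registry event; ('none', '') if benign."""
    p = normalize(path)
    key, _, name = p.rpartition("\\")
    if operation.startswith("Set value"):
        if key == DEFENDER_RTP and name in DEFENDER_KILL and value == "1":
            return "high", "defender_rtp_disabled:" + name
        if p == DEFENDER_TAMPER and value == "0":
            return "high", "defender_tamper_protection_off"
        if key in RUN_KEYS:
            # Wextract/IExpress SFX stubs schedule deletion of their own IXP00n.TMP
            # directory under RunOnce; that is installer housekeeping, not persistence.
            if name.startswith("wextract_cleanup") and \
                    "advpack.dll,delnoderundll32" in (value or "").lower():
                return "info", "sfx_cleanup_runonce"
            return "medium", "run_key_persistence"
    elif operation == "Key created" and p == DEFENDER_RTP:
        return "low", "defender_policy_key_created"
    return "none", ""


def triage(events):
    """Findings as (process, severity, label), highest severity first."""
    found = [(proc, *classify(op, path, value)) for op, path, value, proc in events]
    found = [f for f in found if f[1] != "none"]
    return sorted(found, key=lambda f: (SEVERITY_ORDER[f[1]], f[0], f[2]))


if __name__ == "__main__":
    for proc, sev, label in triage(EVENTS):
        print(f"{sev:6} {proc:14} {label}")
```

The normalisation step is the part worth copying: matching on the literal `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\...` string would miss the same write from a 64-bit process, and matching without the hive prefix would also fire on an HKCU write that Defender never reads.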
Processes
1. C:\Users\Admin\AppData\Local\Temp\b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe (PID 4964)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un836402.exe (PID 4140)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un836402.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0935.exe (PID 4736)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0935.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 180)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1080
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9480.exe (PID 3112)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9480.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 5096)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1348
            - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si328782.exe (PID 1096)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si328782.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe (PID 4940)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4736 -ip 4736
1. C:\Windows\SysWOW64\WerFault.exe (PID 5064)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3112 -ip 3112
The tree is two nested Wextract layers: the submitted sample extracts to IXP000.TMP and runs un836402.exe and si328782.exe; un836402.exe extracts to IXP001.TMP and runs pro0935.exe and qu9480.exe. Both pro0935.exe and qu9480.exe crash (the depth-4 WerFault instances with -u -p are launched by the faulting process itself; the top-level -pss instances belong to the WER service), and the RedLine payload was found unpacked in memory of qu9480.exe (PID 3112).
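The tree above is rendered by the sandbox, but the same structure can be rebuilt from the flat rows in the signatures section, which is what you need when only the event export is available. The script below is an added example for this report, not Triage's code: its input lists are transcribed from the "Executes dropped EXE", "Suspicious use of WriteProcessMemory" and "Program crash" rows, while the lineage helper, the injection check and the rendering style are this script's own assumptions.

```python
"""Rebuild the process tree from the flat event rows in the report above.

Added example for this report, not Triage's code. The input lists are
transcribed from the report's "Executes dropped EXE", "Suspicious use of
WriteProcessMemory" and "Program crash" rows; the tree layout, the lineage
helper and the injection check are this script's own.
"""

ROOT = (4964, "b913a70734dfebc863df8642e6614ad14e8d23b92b6489fa28c3cef017b986f8.exe")
DROPPED = [(4140, "un836402.exe"), (4736, "pro0935.exe"),
           (3112, "qu9480.exe"), (1096, "si328782.exe")]
# (writer pid, target pid). A parent writes into a freshly created child during
# CreateProcess, which is why the report lists each child three times.
WPM = ([(4964, 4140)] * 3 + [(4140, 4736)] * 3
       + [(4140, 3112)] * 3 + [(4964, 1096)] * 3)
# (WerFault pid, crashed pid)
CRASHES = [(180, 4736), (5096, 3112)]


def build(root, dropped, wpm, crashes):
    """Return (names, parent, children): pid -> image, pid -> parent pid,
    parent pid -> child pids in first-seen order."""
    names = dict([root] + dropped)
    parent = {}
    for writer, target in wpm:
        # Only a known spawned image counts as a child; the first writer wins,
        # which collapses the triplicated rows.
        if target in names and target not in parent:
            parent[target] = writer
    for wer_pid, crashed in crashes:
        # The "-u -p <pid>" WerFault instance is launched by the crashing process.
        names[wer_pid] = "WerFault.exe"
        parent[wer_pid] = crashed
    children = {}
    for pid, ppid in parent.items():
        children.setdefault(ppid, []).append(pid)
    return names, parent, children


def unexpected_targets(names, wpm):
    """Pids written to that never appear as a spawned image. Empty for this
    report; a non-empty result would point at injection into an existing process."""
    return sorted({t for _, t in wpm if t not in names})


def lineage(parent, names, pid):
    """Image names from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [names[p] for p in reversed(chain)]


def render(children, names, pid, depth=1, out=None):
    """Indented tree in the same depth-numbered style as the report."""
    out = [] if out is None else out
    out.append("  " * (depth - 1) + f"{depth}. {names[pid]} (PID {pid})")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


if __name__ == "__main__":
    names, parent, children = build(ROOT, DROPPED, WPM, CRASHES)
    print("\n".join(render(children, names, ROOT[0])))
    print("lineage of PID 5096:", " > ".join(lineage(parent, names, 5096)))
    print("injection candidates:", unexpected_targets(names, WPM))
```

The check in unexpected_targets is the one that matters during triage: WriteProcessMemory rows whose target is a child the writer just spawned are ordinary process creation, whereas a target that was never listed as a dropped or started image is the signal for process injection, and it would not show up in the rendered tree at all.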
Network
MITRE ATT&CK Enterprise v6
Downloads
Four distinct dropped files (each was listed twice in the original export):

Filesize: 175KB
MD5: f41a3224ad6fde83c83a30b541489b92
SHA1: 17bfce2734911b375445e4ba874c2e46e4b5a162
SHA256: 65bf0e8ab802a900e56979da730ba1bee0db1485b6a4a9c230fb8407ef499911
SHA512: cadaa338903f8be7cd782cbcbe707caccb13bc2173e44cb60dc9b4de628662fa0442aa84fed4e58fdce4f7d9428f05e6cca995968c2a576309623be33cbea7fd

Filesize: 553KB
MD5: 3f36a71cdca74c1c0bd28e38411707fc
SHA1: 59d4e99395d610718b5433631aa03a5edfd2051d
SHA256: 4c86e58ab46b4b061a6072cbf0f39cf160853c08af2989bc3183fa3e899d2d54
SHA512: 86d8a34129736092cdfdc563ee2bb3cb05f22a2c27d1ae23e87b0339f574fecc7d679bed503732c66e419127d47afd1027cba571f8ec961523f4cf6b9efed45c

Filesize: 347KB
MD5: 4d1ab97f495621539aa5d549ddfecd61
SHA1: c2318418fe90511da1d66ce5845ad14685279322
SHA256: d5ade8d1a22db0e2728f0f1e467107048a134c5cfeae92878db095af129a63ca
SHA512: 2f43b0d2be4eaf015879b553926035c1b71782bd2069c9e627f2525f23e00644cc6073991c848e4e89103d983edec5009ae57b647231b54908df1f1759d573f4

Filesize: 405KB
MD5: ccbdf6d63f115198566ee3061c6d295f
SHA1: 790cd32f91e6e215bce065b3860e8186914892fe
SHA256: 348874ef9e7dd30be1542bacddb168e8b46c9192530fe6969a0fb7e569f9c591
SHA512: ab01c64135a3bcc162635faf2a05837dfe0e9a894431a2b94bb3ebf32b52f241f5e6ed72ed8b684651b66431caf0db3974f1f06e192519ee7d84ac58f4d29cda