Analysis
max time kernel: 152s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 31/03/2023, 14:35
Static task: static1
Behavioral task: behavioral1
Sample: ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe
Resource: win10v2004-20230220-en

General
Target: ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe
Size: 1000KB
MD5: fa2bd73beba0a11196f24766f5a63538
SHA1: 0dd2c16b4de3e14a261cbc6823e4085549cdcc78
SHA256: ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a
SHA512: 22797aabea8b64f35e7f302148ff8c142b233037137351b05d12619d61b8c311047436db2382b1260758760d66bdc5983a2449e69bf39fcabaf3a08e1b6697fd
SSDEEP: 12288:AMruy90676FOLrPQ4Sarc0yumbQZXADnlVm3rXU4MgzKrImWVxvtWhSXrw1449tr:eyNmUQMZwDu3DU4vGh81wb4vuU+aLG
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: lift
C2: 176.113.115.145:4125
auth_value: 94f33c242a83de9dcc729e29ec435dfb

Both extracted configurations point at the same C2 endpoint, 176.113.115.145:4125, and differ only in the botnet tag and auth_value, so a single network indicator covers both payloads.
Signatures
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | v8319vt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | v8319vt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | v8319vt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | tz8683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | tz8683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | tz8683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | tz8683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | v8319vt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | v8319vt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | v8319vt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | tz8683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | tz8683.exe

Both tz8683.exe and v8319vt.exe set the same five Real-Time Protection policy values to 1; tz8683.exe writes the native Policies path while v8319vt.exe writes the WOW6432Node view, so a detection that keys on either spelling alone misses one of the two.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 16 IoCs
resource | yara_rule
behavioral1/memory/1616-217-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-218-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-220-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-222-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-224-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-226-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-228-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-230-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-232-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-236-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-238-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-234-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-240-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-242-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-244-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline
behavioral1/memory/1616-246-0x0000000005090000-0x00000000050CF000-memory.dmp | family_redline

All 16 hits are successive dumps of the same region (0x05090000-0x050CF000) in PID 1616, which the process list identifies as w26jh33.exe; that is the process holding the unpacked RedLine payload.
Executes dropped EXE 7 IoCs
pid | Process
2836 | zap7510.exe
2260 | zap0684.exe
4876 | zap3176.exe
2592 | tz8683.exe
4552 | v8319vt.exe
1616 | w26jh33.exe
4760 | xpHEu19.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | tz8683.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | v8319vt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | v8319vt.exe
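The two tables above (the Real-Time Protection policy writes and the TamperProtection write) describe one tampering sequence carried out by two processes using two registry spellings. The following is an added detection example for this report; it is not Triage or RedLine code. The event records are constructed from the IoCs listed above, and their layout (process / path / data) is an assumption rather than any tool's export format.

```python
"""Flag Windows Defender tampering in registry set-value telemetry.

Added example for this report; it is not Triage or RedLine code. The
events below are constructed from the IoCs listed in the two tables
above, and the record layout (process / path / data) is an assumption,
not an export format of any tool.
"""

# Real-Time Protection policy values that disable a Defender component when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablebehaviormonitoring",
    "disablescanonrealtimeenable",
}
RTP_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"

# Hive spellings seen in sandbox and EDR telemetry, all mapped onto "hklm\".
HIVE_PREFIXES = ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\")


def normalize_key(path: str) -> str:
    """Lower-case the path, unify the hive prefix and drop the WOW6432Node view.

    The report shows one process writing under SOFTWARE\\Policies and another
    under SOFTWARE\\WOW6432Node\\Policies; both express the same intent.
    """
    p = path.strip().lower()
    for prefix in HIVE_PREFIXES:
        if p.startswith(prefix):
            p = "hklm\\" + p[len(prefix):]
            break
    return p.replace("\\wow6432node\\", "\\")


def classify(event: dict):
    """Return a finding label for a tampering write, or None for anything else."""
    key, _, value_name = normalize_key(event["path"]).rpartition("\\")
    data = event.get("data")  # "Key created" events carry no data and never match
    if key == RTP_POLICY_KEY and value_name in RTP_DISABLE_VALUES and data == 1:
        return f"defender_rtp_disabled:{value_name}"
    if key == FEATURES_KEY and value_name == "tamperprotection" and data == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events):
    """Group findings by writing process so one alert covers the whole sequence."""
    findings = {}
    for event in events:
        label = classify(event)
        if label:
            findings.setdefault(event["process"], []).append(label)
    return findings


# Constructed from the report's IoCs; the last record is a benign control.
SAMPLE_EVENTS = [
    {"process": "v8319vt.exe", "data": 1,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"process": "tz8683.exe", "data": 1,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection"},
    {"process": "tz8683.exe", "data": 0,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"process": "gpupdate.exe", "data": 1,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen"},
]

if __name__ == "__main__":
    for process, labels in scan(SAMPLE_EVENTS).items():
        print(process, "->", ", ".join(labels))
```

On a host where Tamper Protection is enabled, these policy writes do not change Defender's effective state, so the useful signal is the write attempt itself rather than a later change in protection status; the sandbox image here had no such guard, which is why the writes succeeded.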
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | zap3176.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zap7510.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zap7510.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zap0684.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zap0684.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zap3176.exe

The wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are written by the Windows self-extracting cabinet stub (WEXTRACT) to delete its IXPnnn.TMP extraction directory at the next logon. They indicate that each of the four outer layers (the sample, zap7510.exe, zap0684.exe, zap3176.exe) is a nested self-extractor; they are not persistence for the final payload, which the report shows no Run key for.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4116 | 4552 | WerFault.exe | 88
4876 | 1616 | WerFault.exe | 92

Both payload-stage processes, v8319vt.exe (4552) and w26jh33.exe (1616), crashed during the run. Note that PID 4876 appears here as WerFault.exe after having been zap3176.exe earlier in the run: PIDs are reused once a process exits, so correlate on the Triage procid_target rather than on PID alone.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2592 | tz8683.exe
2592 | tz8683.exe
4552 | v8319vt.exe
4552 | v8319vt.exe
1616 | w26jh33.exe
1616 | w26jh33.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2592 | tz8683.exe
Token: SeDebugPrivilege | 4552 | v8319vt.exe
Token: SeDebugPrivilege | 1616 | w26jh33.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 5096 wrote to memory of 2836 | 5096 | ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe | 83
PID 5096 wrote to memory of 2836 | 5096 | ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe | 83
PID 5096 wrote to memory of 2836 | 5096 | ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe | 83
PID 2836 wrote to memory of 2260 | 2836 | zap7510.exe | 84
PID 2836 wrote to memory of 2260 | 2836 | zap7510.exe | 84
PID 2836 wrote to memory of 2260 | 2836 | zap7510.exe | 84
PID 2260 wrote to memory of 4876 | 2260 | zap0684.exe | 85
PID 2260 wrote to memory of 4876 | 2260 | zap0684.exe | 85
PID 2260 wrote to memory of 4876 | 2260 | zap0684.exe | 85
PID 4876 wrote to memory of 2592 | 4876 | zap3176.exe | 86
PID 4876 wrote to memory of 2592 | 4876 | zap3176.exe | 86
PID 4876 wrote to memory of 4552 | 4876 | zap3176.exe | 88
PID 4876 wrote to memory of 4552 | 4876 | zap3176.exe | 88
PID 4876 wrote to memory of 4552 | 4876 | zap3176.exe | 88
PID 2260 wrote to memory of 1616 | 2260 | zap0684.exe | 92
PID 2260 wrote to memory of 1616 | 2260 | zap0684.exe | 92
PID 2260 wrote to memory of 1616 | 2260 | zap0684.exe | 92
PID 2836 wrote to memory of 4760 | 2836 | zap7510.exe | 95
PID 2836 wrote to memory of 4760 | 2836 | zap7510.exe | 95
PID 2836 wrote to memory of 4760 | 2836 | zap7510.exe | 95
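The WriteProcessMemory rows above are the raw parent-to-child evidence from which a dropper chain is reconstructed: each "PID A wrote to memory of B" row is an edge, and the writer's image names the parent. The following is an added example for this report, not Triage code. WPM_ROWS is a subset of the table's rows (Triage logs each spawn several times; two repeats are kept to show that they collapse to one edge), DROPPED comes from the "Executes dropped EXE" table, and the parser and renderer are the only assumptions.

```python
"""Rebuild the parent/child chain from flat WriteProcessMemory rows.

Added example for this report, not Triage code. WPM_ROWS is a subset of the
rows in the table above (two repeats kept to show they collapse), DROPPED
comes from the "Executes dropped EXE" table, and the parser/renderer are
the only assumptions.
"""
import re

WPM_ROWS = """\
PID 5096 wrote to memory of 2836 5096 ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe 83
PID 5096 wrote to memory of 2836 5096 ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe 83
PID 2836 wrote to memory of 2260 2836 zap7510.exe 84
PID 2260 wrote to memory of 4876 2260 zap0684.exe 85
PID 4876 wrote to memory of 2592 4876 zap3176.exe 86
PID 4876 wrote to memory of 4552 4876 zap3176.exe 88
PID 4876 wrote to memory of 4552 4876 zap3176.exe 88
PID 2260 wrote to memory of 1616 2260 zap0684.exe 92
PID 2836 wrote to memory of 4760 2836 zap7510.exe 95
"""

# pid -> image, from "Executes dropped EXE"
DROPPED = {
    2836: "zap7510.exe", 2260: "zap0684.exe", 4876: "zap3176.exe",
    2592: "tz8683.exe", 4552: "v8319vt.exe", 1616: "w26jh33.exe", 4760: "xpHEu19.exe",
}

# description | pid | Process | procid_target, as one whitespace-separated row
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_edges(text: str) -> dict:
    """Return {(parent_pid, child_pid): parent_image}; repeated rows collapse to one edge."""
    edges = {}
    for m in ROW_RE.finditer(text):
        parent, child, image, _procid = m.groups()
        edges[(int(parent), int(child))] = image
    return edges


def build_tree(edges: dict, names: dict):
    """Return (children, labels, roots). Roots are parents that never appear as a child."""
    children, labels = {}, dict(names)
    for (parent, child), image in edges.items():
        children.setdefault(parent, []).append(child)
        labels.setdefault(parent, image)  # the writer's own image names the parent
    as_child = {c for _, c in edges}
    roots = sorted({p for p, _ in edges if p not in as_child})
    return children, labels, roots


def render(children: dict, labels: dict, roots: list) -> list:
    """Indented one-line-per-process view, two spaces per depth level."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{labels.get(pid, '?')} (pid {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def chain_depth(children: dict, roots: list) -> int:
    """Longest root-to-leaf path; nested self-extractor droppers show up as deep chains."""
    def depth(pid):
        return 1 + max((depth(c) for c in children.get(pid, [])), default=0)
    return max(depth(r) for r in roots)


if __name__ == "__main__":
    tree = build_tree(parse_edges(WPM_ROWS), DROPPED)
    print("\n".join(render(*tree)))
    print("chain depth:", chain_depth(tree[0], tree[2]))
```

Run against these rows the tree reproduces the Processes section that follows (sample -> zap7510.exe -> zap0684.exe -> zap3176.exe -> tz8683.exe / v8319vt.exe, with w26jh33.exe and xpHEu19.exe hanging off the middle layers) and reports a chain depth of five; the WerFault.exe processes do not appear because nothing in this table wrote to them.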
Processes
C:\Users\Admin\AppData\Local\Temp\ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff56ca12f44f9d87d740f4a54e38f31bb427e20457fd94cf5921fded0a63445a.exe"
  PID: 5096
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7510.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7510.exe
    PID: 2836
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0684.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0684.exe
      PID: 2260
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3176.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3176.exe
        PID: 4876
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8683.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8683.exe
          PID: 2592
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8319vt.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8319vt.exe
          PID: 4552
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1044
            PID: 4116
            - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w26jh33.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w26jh33.exe
        PID: 1616
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1188
          PID: 4876
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpHEu19.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpHEu19.exe
      PID: 4760
      - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4552 -ip 4552
  PID: 4744

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1616 -ip 1616
  PID: 4244
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 816KB
MD5: 7ff9b063b7a496b7978bd9c282713a5d
SHA1: b4a91897120eeb1370fc9253f0d0dc9a51c32ab1
SHA256: ecbf75e61237ea15e43f37deb7bc78991ea445544277eff1688eccaf8b4d198a
SHA512: d0250a58bb964e5987bee27fe21e0cb701200622634aa9978faefa0b69fa71d743e82c512d51150782a5162fef6744fe309b4907eac2a8df365a8527ed7bf256

Filesize: 175KB
MD5: ef8722318c95b3ad70a57a81b9f151c2
SHA1: f5cca80f10fcf6cfc07f04072018e31f058c3f6c
SHA256: 7cb42419ebd25d2a64a7048418ecf81b5786961468744b99641ca896bfe5bd4b
SHA512: 46c024359a385b910057816fa3b3d68854b33077a89a1f5bc1fe6cae4f304d37508fe89282fbcecbb2dfd13907e4ec3cac9a32a08b0278e37c5dce6b219b37a8

Filesize: 675KB
MD5: 12554898d59b5036da157cc548ea2b36
SHA1: 2f041c8421de549d4c333d95a4654f3a5f65fd5d
SHA256: d213d6cd7baa421521caed5d38a0d04e433838c90e73747298a7678fa8e204a3
SHA512: b1ccafbaa19bf34efd911701722031705d66e96cd24a72714ba570c99d01ac3fa47f58b5b94be24cc12c8d84e45720be90e32b51b0c3e2e558c81610dd103973

Filesize: 319KB
MD5: c87cfa7f5ce69083ded90d99119599f9
SHA1: c0d75b2f4988753a6707f146fce9287d03ab245c
SHA256: 24aab3ead3fdd0cbde251eccccd8cae1f2f244506e7166231cf29e0a162797b2
SHA512: e07b32f293123341ff520d727def295e5aff503d395a20178cf5845d8443077ff836faaa82776745e1d9439580113dec278d17786372feda7d335d577e7317c8

Filesize: 333KB
MD5: f4651a6d3633f13d5149eb86432376fc
SHA1: 5918864d14366c6dc562966a621fc30c960c540c
SHA256: 4d12b464638a85c99413f7a7a6d4e5d736dee8c1f272ab858cf494569c9c0e5c
SHA512: 3ec8455c087c796856eef283fa98df57f51ffa96effb5f8f7b1f585ad2109323866eb66bb6d9af340ce16b17528e0214d6f4e6673db60b08a2d228132296ff42

Filesize: 11KB
MD5: 642377b5de019d773408064ec1e1f04c
SHA1: dff912e15d670066d80b8ac8da841ea2dd1baef8
SHA256: 28333858d408966ad797a0ec919d1df4ed50795006babf0d7fd787b4cf1c534e
SHA512: e843a4c78f19021e4b737a68170fbdf701489fd0c3d10d51a9b2e2832550d1147e1c6991ff28e6fb130c272abfe293a073befb4ca130bc01aaf43517d0de6fe5

Filesize: 259KB
MD5: f85dc89be72ba2df8158f85d4b0aad64
SHA1: 91c548623685280d9cd592980a5eeb7df8e97b56
SHA256: c6102cbb9f9e66d18578d17daabddb0f59c0696f8828fde2247b5ba895a58f46
SHA512: 7e831dd1536f87044a7989be694f096402a9bcd4987d24df56b25695438f25931d28ac5abe77c4f575593627e08cc7d62466bb4e2786e214f0552d32f644dc5b