Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
108s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01/04/2023, 21:40
Static task
static1
Behavioral task
behavioral1
Sample
fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe
Resource
win10v2004-20230220-en
General
-
Target
fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe
-
Size
530KB
-
MD5
b52004ffb148171d78dcaea46236ee08
-
SHA1
4b70ee6720be5d38f436295bec60300c053ef543
-
SHA256
fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882
-
SHA512
94b69f766559da1d079c63ee79c87a61cbd55a5986082dff258043cb2f8508c88c8c8e04a6e454670eb6b1c3f03a1d8bc84e73e4c7737f8103ecbd147f6432ec
-
SSDEEP
12288:NMray90C3u9ULo4tQ2nd0zjtjyf5KXa/Im38/67:DyJi4/wEADm38/67
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr743286.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr743286.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr743286.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr743286.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr743286.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr743286.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
resource yara_rule behavioral1/memory/240-158-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-159-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-161-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-163-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-165-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-169-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-167-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-171-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-173-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-175-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-177-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-179-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-181-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-183-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-185-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-187-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-189-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-191-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-193-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-195-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-197-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-199-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-201-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-203-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-205-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-207-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-209-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-211-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-213-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-215-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-217-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-219-0x0000000002750000-0x000000000278F000-memory.dmp family_redline behavioral1/memory/240-221-0x0000000002750000-0x000000000278F000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1712 ziae7760.exe 3400 jr743286.exe 240 ku776635.exe 3872 lr783654.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr743286.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziae7760.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziae7760.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4956 240 WerFault.exe 89 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3400 jr743286.exe 3400 jr743286.exe 240 ku776635.exe 240 ku776635.exe 3872 lr783654.exe 3872 lr783654.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3400 jr743286.exe Token: SeDebugPrivilege 240 ku776635.exe Token: SeDebugPrivilege 3872 lr783654.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2412 wrote to memory of 1712 2412 fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe 87 PID 2412 wrote to memory of 1712 2412 fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe 87 PID 2412 wrote to memory of 1712 2412 fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe 87 PID 1712 wrote to memory of 3400 1712 ziae7760.exe 88 PID 1712 wrote to memory of 3400 1712 ziae7760.exe 88 PID 1712 wrote to memory of 240 1712 ziae7760.exe 89 PID 1712 wrote to memory of 240 1712 ziae7760.exe 89 PID 1712 wrote to memory of 240 1712 ziae7760.exe 89 PID 2412 wrote to memory of 3872 2412 fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe 93 PID 2412 wrote to memory of 3872 2412 fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe 93 PID 2412 wrote to memory of 3872 2412 fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe"C:\Users\Admin\AppData\Local\Temp\fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziae7760.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziae7760.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr743286.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr743286.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776635.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776635.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 13564⤵
- Program crash
PID:4956
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr783654.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr783654.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 240 -ip 2401⤵PID:4204
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD5af64d54415127b90e78f1a197a6af6dd
SHA1fe63fe22fcb8b5c71fb86dddf019d9c384f60adc
SHA256c10f1c18151ca88f994120efa676dfe5537583f51df70e8205ec970d48d47631
SHA512af58b52e1d93ed920ae36231cc6bf77f9f0c9909cada0bf18df951e4c043c38a71f77e116b7e24181c151abd77b484fa002f91d7ce2e4726ad9c0fbaf77997a3
-
Filesize
176KB
MD5af64d54415127b90e78f1a197a6af6dd
SHA1fe63fe22fcb8b5c71fb86dddf019d9c384f60adc
SHA256c10f1c18151ca88f994120efa676dfe5537583f51df70e8205ec970d48d47631
SHA512af58b52e1d93ed920ae36231cc6bf77f9f0c9909cada0bf18df951e4c043c38a71f77e116b7e24181c151abd77b484fa002f91d7ce2e4726ad9c0fbaf77997a3
-
Filesize
388KB
MD54e5de196ab7c381b91cb327521bd2aa5
SHA1cd6c486e9d4e8f87436ef178c6147ccb6267b732
SHA256aa1be19c6cbc1e58e8c9a1f06d4e75cdfa477bb695a6d68192a8d15066edbfed
SHA512b2f7a72c47ed70682e37a9b79738a7682c2b97ed4838bebd8ac6fc92c87d8f854a5cf7aca0c8f137d24cf2cfbf132b54e2f99e7c0f8cce43182144824fbd1ede
-
Filesize
388KB
MD54e5de196ab7c381b91cb327521bd2aa5
SHA1cd6c486e9d4e8f87436ef178c6147ccb6267b732
SHA256aa1be19c6cbc1e58e8c9a1f06d4e75cdfa477bb695a6d68192a8d15066edbfed
SHA512b2f7a72c47ed70682e37a9b79738a7682c2b97ed4838bebd8ac6fc92c87d8f854a5cf7aca0c8f137d24cf2cfbf132b54e2f99e7c0f8cce43182144824fbd1ede
-
Filesize
11KB
MD5d7a7116167a6c60a3c647ca61e7e6941
SHA1ee28334678459ac5d5491126a11df86e55c7ad1b
SHA256c6dd6f60d807bedef6d46fc2018421d1ade288f48ddb93468f9143d21d0f616b
SHA5128edb3705e346c6dec6f399a9b6374a1bcd8e06bf6910573ed2242bb1c1ab4144662808ccc1f31eba5a48de40a9015e4de8bf729485c1114f1a5410921c023b13
-
Filesize
11KB
MD5d7a7116167a6c60a3c647ca61e7e6941
SHA1ee28334678459ac5d5491126a11df86e55c7ad1b
SHA256c6dd6f60d807bedef6d46fc2018421d1ade288f48ddb93468f9143d21d0f616b
SHA5128edb3705e346c6dec6f399a9b6374a1bcd8e06bf6910573ed2242bb1c1ab4144662808ccc1f31eba5a48de40a9015e4de8bf729485c1114f1a5410921c023b13
-
Filesize
434KB
MD550c773daa155b28bb5d263421d6f4990
SHA10bbe6e922993b240a9eed5b15029dd8a316581eb
SHA2565d4ab781b21e88a9557499154f49804599770c9f47973cdc78aa2f0af083ebbc
SHA51269ac8ca5b819925d3979ab49a364199d5612c9c4c2832a87e82ad5eb092eaa73a4963f9e7ae33e56a151df268a5428c5797038759089e6edc76257df41cb6509
-
Filesize
434KB
MD550c773daa155b28bb5d263421d6f4990
SHA10bbe6e922993b240a9eed5b15029dd8a316581eb
SHA2565d4ab781b21e88a9557499154f49804599770c9f47973cdc78aa2f0af083ebbc
SHA51269ac8ca5b819925d3979ab49a364199d5612c9c4c2832a87e82ad5eb092eaa73a4963f9e7ae33e56a151df268a5428c5797038759089e6edc76257df41cb6509