Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
59s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01/04/2023, 08:52
Static task
static1
Behavioral task
behavioral1
Sample
cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe
Resource
win10v2004-20230220-en
General
-
Target
cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe
-
Size
658KB
-
MD5
d1ec2ae3d8ec49ec4c18daf91b1d33de
-
SHA1
59828e7e518fea0b07afbc906a73bb8f377105cc
-
SHA256
cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce
-
SHA512
00851235473082ad1936d8ea81a00b9c9c39a2f8287b04e07c8851366da2ecc76a630ab6c98b981197b19f46180cf42043d3a8239489e4721942af668ff9f383
-
SSDEEP
12288:9MrCy90aAT76SorYaljePHnlJNtnw322h4IQaU4cgG3:jyT/bj4H3NtS2rValG3
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro0359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro0359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro0359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro0359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro0359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro0359.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/400-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-196-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-212-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-226-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline behavioral1/memory/400-228-0x0000000004CE0000-0x0000000004D1F000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 3976 un127179.exe 3936 pro0359.exe 400 qu4031.exe 4380 si976644.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro0359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro0359.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un127179.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un127179.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 2876 3936 WerFault.exe 85 1756 400 WerFault.exe 91 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3936 pro0359.exe 3936 pro0359.exe 400 qu4031.exe 400 qu4031.exe 4380 si976644.exe 4380 si976644.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3936 pro0359.exe Token: SeDebugPrivilege 400 qu4031.exe Token: SeDebugPrivilege 4380 si976644.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1980 wrote to memory of 3976 1980 cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe 84 PID 1980 wrote to memory of 3976 1980 cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe 84 PID 1980 wrote to memory of 3976 1980 cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe 84 PID 3976 wrote to memory of 3936 3976 un127179.exe 85 PID 3976 wrote to memory of 3936 3976 un127179.exe 85 PID 3976 wrote to memory of 3936 3976 un127179.exe 85 PID 3976 wrote to memory of 400 3976 un127179.exe 91 PID 3976 wrote to memory of 400 3976 un127179.exe 91 PID 3976 wrote to memory of 400 3976 un127179.exe 91 PID 1980 wrote to memory of 4380 1980 cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe 96 PID 1980 wrote to memory of 4380 1980 cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe 96 PID 1980 wrote to memory of 4380 1980 cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe"C:\Users\Admin\AppData\Local\Temp\cc4d93d2cf1d16109941077199bfedbbbbf37abcccc79660d6229907c2ab06ce.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127179.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127179.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0359.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0359.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 10564⤵
- Program crash
PID:2876
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4031.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4031.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 13444⤵
- Program crash
PID:1756
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si976644.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si976644.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3936 -ip 39361⤵PID:4996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 400 -ip 4001⤵PID:1628
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD50f5e15f1da41e9faf71e8f07e4efd42c
SHA1e0c1f491e16637628665d9b61d8252ff908ba0cf
SHA2562eb72d3ae75a3589cec37c3158a6d69ad6d678ea6cff85b18f455b9eabd1e684
SHA512b3ef0607c33da73b778707ed495a69ffb85a62d124ae57f7f7558e3c0146ac15df583e551e7b2393fdf79046659db3e2578df56cb210ec77318204bccc9f93cc
-
Filesize
176KB
MD50f5e15f1da41e9faf71e8f07e4efd42c
SHA1e0c1f491e16637628665d9b61d8252ff908ba0cf
SHA2562eb72d3ae75a3589cec37c3158a6d69ad6d678ea6cff85b18f455b9eabd1e684
SHA512b3ef0607c33da73b778707ed495a69ffb85a62d124ae57f7f7558e3c0146ac15df583e551e7b2393fdf79046659db3e2578df56cb210ec77318204bccc9f93cc
-
Filesize
516KB
MD50753f783dde4af7ddd7ea77eac96caae
SHA1f7b323267a842521914e21e29e94f23d2d171bef
SHA256dd8d074a089b5999db7ad82384741b0e4ab330cdb0579f5bc5de5eed9ae6d288
SHA51201ea2fc7da4aa37c949333c51f40febed8c9f035c87f7dc0bd2a8591bbcfd6a716d5d97a6ef2470518fc7e0fc028de676a4516c4ab24441f22dc19576ecbb241
-
Filesize
516KB
MD50753f783dde4af7ddd7ea77eac96caae
SHA1f7b323267a842521914e21e29e94f23d2d171bef
SHA256dd8d074a089b5999db7ad82384741b0e4ab330cdb0579f5bc5de5eed9ae6d288
SHA51201ea2fc7da4aa37c949333c51f40febed8c9f035c87f7dc0bd2a8591bbcfd6a716d5d97a6ef2470518fc7e0fc028de676a4516c4ab24441f22dc19576ecbb241
-
Filesize
284KB
MD5469ab66a1f1647fb4a964ea87126336f
SHA19c49c45e5f9af5a4b2f32143ff960a3f256f5dd9
SHA256b1ada215ba827e9c838a07ee2ad491f2405afdea30f4d03001ede42feff0111f
SHA5125bac082e2fa80a8099824df77635cf7251c9d8731950ae34b3b4302f97121811f8178e1ff9511776f031dfeca0910c8e9be58870769acc084a4bdfd7cf028352
-
Filesize
284KB
MD5469ab66a1f1647fb4a964ea87126336f
SHA19c49c45e5f9af5a4b2f32143ff960a3f256f5dd9
SHA256b1ada215ba827e9c838a07ee2ad491f2405afdea30f4d03001ede42feff0111f
SHA5125bac082e2fa80a8099824df77635cf7251c9d8731950ae34b3b4302f97121811f8178e1ff9511776f031dfeca0910c8e9be58870769acc084a4bdfd7cf028352
-
Filesize
342KB
MD573eb21c0db54186deb05d6b6f24a9cf7
SHA14e2c6c738e8d03b9cc73863e4266f4e722544a01
SHA256dcb4a6b6ad242df41cb58752384eb85aa5b81239f734c56047736b3ff2f03824
SHA512f4a9b3b9a38471bf29c952a7f179fff5bfc1c55df58588583be47b6653b48489efe095cb8dfe5742f79101fccb96c67ece63d11a428d902dfce19a39b4eebe48
-
Filesize
342KB
MD573eb21c0db54186deb05d6b6f24a9cf7
SHA14e2c6c738e8d03b9cc73863e4266f4e722544a01
SHA256dcb4a6b6ad242df41cb58752384eb85aa5b81239f734c56047736b3ff2f03824
SHA512f4a9b3b9a38471bf29c952a7f179fff5bfc1c55df58588583be47b6653b48489efe095cb8dfe5742f79101fccb96c67ece63d11a428d902dfce19a39b4eebe48