Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01/04/2023, 09:02
Static task
static1
Behavioral task
behavioral1
Sample
653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe
Resource
win10v2004-20230220-en
General
-
Target
653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe
-
Size
529KB
-
MD5
2edeed5a0b4e38a18add2a1c4bca506e
-
SHA1
f54e12995f6c164482dc8ae44b25ee8b55f6c1a0
-
SHA256
653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3
-
SHA512
d709ab38dc823d44dec52e3e49299dc0e10adcbb806c18234ea33044328a54fcf272af4991037b249cb7caeb29eaca799ecc5c734d801abe5bad678ace6fefcf
-
SSDEEP
12288:mMrAy90u8qFtWkqN+rPnWnlgFOJNl4I4Nbnsf:CyV8qtdqYrPnWnlgFOi9Nnsf
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr917794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr917794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr917794.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr917794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr917794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr917794.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
resource yara_rule behavioral1/memory/4368-158-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-161-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-159-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-163-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-165-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-167-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-169-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-171-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-173-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-175-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-177-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-179-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-181-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-183-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-185-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-187-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-189-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-191-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-193-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-195-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-197-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-199-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-201-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-203-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-205-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-207-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-209-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-211-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-213-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-215-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-217-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-219-0x0000000007160000-0x000000000719F000-memory.dmp family_redline behavioral1/memory/4368-221-0x0000000007160000-0x000000000719F000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 3116 ziiN1560.exe 1940 jr917794.exe 4368 ku369100.exe 4672 lr487916.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr917794.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziiN1560.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziiN1560.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1868 4368 WerFault.exe 88 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1940 jr917794.exe 1940 jr917794.exe 4368 ku369100.exe 4368 ku369100.exe 4672 lr487916.exe 4672 lr487916.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1940 jr917794.exe Token: SeDebugPrivilege 4368 ku369100.exe Token: SeDebugPrivilege 4672 lr487916.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 748 wrote to memory of 3116 748 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe 84 PID 748 wrote to memory of 3116 748 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe 84 PID 748 wrote to memory of 3116 748 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe 84 PID 3116 wrote to memory of 1940 3116 ziiN1560.exe 85 PID 3116 wrote to memory of 1940 3116 ziiN1560.exe 85 PID 3116 wrote to memory of 4368 3116 ziiN1560.exe 88 PID 3116 wrote to memory of 4368 3116 ziiN1560.exe 88 PID 3116 wrote to memory of 4368 3116 ziiN1560.exe 88 PID 748 wrote to memory of 4672 748 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe 92 PID 748 wrote to memory of 4672 748 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe 92 PID 748 wrote to memory of 4672 748 653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe"C:\Users\Admin\AppData\Local\Temp\653a4c748bb35f724a975d4c2d94ce29399b4f03a5f48163e7a319e5d5db1ee3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiN1560.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiN1560.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr917794.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr917794.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku369100.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku369100.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 15404⤵
- Program crash
PID:1868
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr487916.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr487916.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4368 -ip 43681⤵PID:4636
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD515954d71cd070d7675b363819d360c7a
SHA14175d5c67812d67190232a666f36623fd9d24d16
SHA2562f5198d54113edd7adef1139c3e4845c00f058d06510beac04b60a1d3b1eb25a
SHA5125d492b47438ad220b7ca701cb394921f94c50e5c700ba4c9c49ab7dc30652925e252528a30b684b789a8bd77e6adac568ea17c3974dacf464be7c36b9e1e5cd3
-
Filesize
176KB
MD515954d71cd070d7675b363819d360c7a
SHA14175d5c67812d67190232a666f36623fd9d24d16
SHA2562f5198d54113edd7adef1139c3e4845c00f058d06510beac04b60a1d3b1eb25a
SHA5125d492b47438ad220b7ca701cb394921f94c50e5c700ba4c9c49ab7dc30652925e252528a30b684b789a8bd77e6adac568ea17c3974dacf464be7c36b9e1e5cd3
-
Filesize
387KB
MD55c96db2e509715448aaaebd743fc0321
SHA19713360d6b0d920e56902aa1eee505be696eb621
SHA25636cf1850762fdcefc3ae89be47a7a048ffbe15a1ad9a99df061c6f02c6cca9cc
SHA512350b06648b30216f2bd6a1c60b1da5f41bd5452d9f4ec2b5e109c07d11296e20e875a47ce5b33ef45a84c6dca5ee8d40dcf68b2be718f54c09b11042ed12c5ca
-
Filesize
387KB
MD55c96db2e509715448aaaebd743fc0321
SHA19713360d6b0d920e56902aa1eee505be696eb621
SHA25636cf1850762fdcefc3ae89be47a7a048ffbe15a1ad9a99df061c6f02c6cca9cc
SHA512350b06648b30216f2bd6a1c60b1da5f41bd5452d9f4ec2b5e109c07d11296e20e875a47ce5b33ef45a84c6dca5ee8d40dcf68b2be718f54c09b11042ed12c5ca
-
Filesize
12KB
MD56ac66d1a98c37c51da386bd2208dd012
SHA108daef8e147afa47fe8b0138334dcafea531e7cb
SHA256a0d613cf1f9606ffd5a7df4c085cb8fb82b0b3b5c4ef6ea3101ef5f49c89ffbe
SHA5120d0d46e7a443890e55d32ad29ee3f10c25e50c10b8b2901207cbf827ea36ceb6ddc61e02e3a9a80043d7a8e7c9af5a6a32e575f9a3c8a0ca3e88d4745026f358
-
Filesize
12KB
MD56ac66d1a98c37c51da386bd2208dd012
SHA108daef8e147afa47fe8b0138334dcafea531e7cb
SHA256a0d613cf1f9606ffd5a7df4c085cb8fb82b0b3b5c4ef6ea3101ef5f49c89ffbe
SHA5120d0d46e7a443890e55d32ad29ee3f10c25e50c10b8b2901207cbf827ea36ceb6ddc61e02e3a9a80043d7a8e7c9af5a6a32e575f9a3c8a0ca3e88d4745026f358
-
Filesize
342KB
MD59d7fd4e29776137b72cbe8126bd24068
SHA1eda9df70acc5d11bf6e570e00d696b1eba9f249e
SHA256868d29a7a80fb39da5f85da67957c0bfa9d28ce15a215a69856db8ecaad351d6
SHA512eb83dca0618600f9d38c81ac4c0dd4a1e3576ac0e21246fc8d13de87de48a31c5f6aa4f029c7bd2914f63210b467163bb9376d94ea52567dbf1e6c550fc3750c
-
Filesize
342KB
MD59d7fd4e29776137b72cbe8126bd24068
SHA1eda9df70acc5d11bf6e570e00d696b1eba9f249e
SHA256868d29a7a80fb39da5f85da67957c0bfa9d28ce15a215a69856db8ecaad351d6
SHA512eb83dca0618600f9d38c81ac4c0dd4a1e3576ac0e21246fc8d13de87de48a31c5f6aa4f029c7bd2914f63210b467163bb9376d94ea52567dbf1e6c550fc3750c