Analysis
max time kernel: 89s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2023, 11:19
Static task: static1
Behavioral task: behavioral1
Sample: 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe
Resource: win10v2004-20230221-en
General
Target: 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe
Size: 530KB
MD5: 86c3a9b7c1158a77e50d28c917a476b4
SHA1: 6ef7f05c051e1b9fba25309e09d733b07a69403b
SHA256: 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1
SHA512: 3e2fd1588d9cd269849c15299fbb9f261f5fb210717850408fc5a904db2483148732cb2021863b95c543730bf7f09a88509c7349e440be189c5c17de8875c1c3
SSDEEP: 12288:uMrhy90o3dGh63gYi0peunIqVveuT4IlLVJQGAlKMjk:LyzdQ6QYJejqlYYLEMMk
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr779457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr779457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr779457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr779457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr779457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr779457.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
Executes dropped EXE 4 IoCs
pid | Process
3396 | ziNB4096.exe
2016 | jr779457.exe
3240 | ku863852.exe
5020 | lr325744.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr779457.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziNB4096.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziNB4096.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4976 | 3240 | WerFault.exe | 87
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2016 | jr779457.exe
2016 | jr779457.exe
3240 | ku863852.exe
3240 | ku863852.exe
5020 | lr325744.exe
5020 | lr325744.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2016 | jr779457.exe
Token: SeDebugPrivilege | 3240 | ku863852.exe
Token: SeDebugPrivilege | 5020 | lr325744.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2884 wrote to memory of 3396 | 2884 | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe | 85
PID 2884 wrote to memory of 3396 | 2884 | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe | 85
PID 2884 wrote to memory of 3396 | 2884 | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe | 85
PID 3396 wrote to memory of 2016 | 3396 | ziNB4096.exe | 86
PID 3396 wrote to memory of 2016 | 3396 | ziNB4096.exe | 86
PID 3396 wrote to memory of 3240 | 3396 | ziNB4096.exe | 87
PID 3396 wrote to memory of 3240 | 3396 | ziNB4096.exe | 87
PID 3396 wrote to memory of 3240 | 3396 | ziNB4096.exe | 87
PID 2884 wrote to memory of 5020 | 2884 | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe | 91
PID 2884 wrote to memory of 5020 | 2884 | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe | 91
PID 2884 wrote to memory of 5020 | 2884 | 8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8426ed557b582e696f69b5fc98b375ca33b8e6033162baaa820fab22ba0e41b1.exe"
  PID: 2884
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNB4096.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNB4096.exe
    PID: 3396
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr779457.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr779457.exe
      PID: 2016
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku863852.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku863852.exe
      PID: 3240
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1488
        PID: 4976
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr325744.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr325744.exe
    PID: 5020
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3240 -ip 3240
  PID: 5112
Downloads
Filesize: 176KB
MD5: 72229c24c4118bf3c5e30acbd08e165a
SHA1: aa347e4493e2a6c7d1e48e73182eca5e47d22fac
SHA256: f8d20bbac51439befcf6d0850ad1d27bc14cda5180d69b42ca93421d845bbbe4
SHA512: c25a2541e4cc52f236d1956febf99f8f4d349a3fcc2968a01dfa53d0d641aff4aa56f9ae45f3a08be36a6169b6e7ca6636b8a9bc5028a1c7d2cccd168fb73649

Filesize: 387KB
MD5: 045a11f234ded9b734d604aafcbcdf7a
SHA1: 35a8bb8b6df2236043cdfd987b57a34f574380d6
SHA256: 8b04673063d0996e21f46ebf4a2fedf7a8890b0f41a4258aa62f5a9aecf1d4ea
SHA512: 29f4e7c5915cefab680d7cb5bc278f00da66b4cc974aa766c464d19fcb5e955cf463fb0220288691df9a832d71cf0c6f7c862ee0b21e1f21acacbe7dbbbdfdce

Filesize: 12KB
MD5: 296f85ad313fc204c888a274bc44d2a2
SHA1: 65e23ebad3bb0f613db5a5a3d85d183b80ff6880
SHA256: 70b2af74b3af8847ce7ada713b73dc6766be159d52759c35d4ae0489e83bbca4
SHA512: 0b507ec0a969f421c9b48cd4683c43c76b674a9ea66bcffaa0830fae936c9ecffdcab52cb69ab9737489e5dc6f8ab621b6ac1cca5d51dc1496cdb43c9ee10e4b

Filesize: 342KB
MD5: c6d40473e84ce1da0fb47a84dd65fed0
SHA1: 076675e3372731a3f1eddde59f8ada4f833f1d67
SHA256: 6bc4af1ebd89932c2e0fedf83931038958547bf6f56c12f9c1033c42273afa47
SHA512: 9e3ed94ba2d10d5229c1b51485d82ea9add1d995a76a17c354b2b8dccc6249b5823c34cef55ef1e50f306457563ff5cb98bde01cb98e6d12254b70c0c445c600