Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2023, 13:39 (day/month/year; the analysis image itself is dated 2023-02-20, so this is 1 April 2023)
Static task: static1
Behavioral task: behavioral1
  Sample: 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe
  Resource: win10v2004-20230220-en
General
Target: 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe
Size: 659KB
MD5: 8096ff88aa06d2813ccd1a4746ad8bcc
SHA1: c7757ea82150e25b4a341f1c877e7e53da540d28
SHA256: 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f
SHA512: 17b9fdb89405dd3692be3eff16fd13a41deb29046d49ceca9e7d1fecc955b2b5cfd6ee4263b4d319e7928c7490317e1f5d48bed0acc048e24b18dc9abe227046
SSDEEP: 12288:OMrUy90hzHj4zPC4xeBOBSMDWb4Q/LKoJYtY1gh0o0bCFEb/:myozD2PzooBSyQWC1gKE4
Malware Config
Extracted: redline
  botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted: redline
  botnet: spora
  C2: 176.113.115.145:4125
  auth_value: 441b39ab37774b2ca9931c31e1bc6071
Both extracted configurations point at the same C2 endpoint, 176.113.115.145:4125, and differ only in botnet label and auth_value.
Signatures

Modifies Windows Defender Real-time Protection settings
Process: pro0066.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
These are the Group Policy values Defender reads for real-time protection; each DWORD set to 1 switches the named component off (behaviour monitoring, scanning of downloaded files and attachments, on-access scanning, real-time monitoring, and the catch-up scan normally run when real-time protection is turned back on).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
All 18 hits are the family_redline YARA rule matching successive memory dumps of one region of PID 3144 (qu8868.exe), 0x00000000076F0000-0x000000000772F000 (0x3F000 bytes):
  behavioral1/memory/3144-191-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-193-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-197-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-200-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-202-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-204-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-206-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-208-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-210-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-212-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-214-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-216-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-218-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-220-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-222-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-224-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-226-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
  behavioral1/memory/3144-228-0x00000000076F0000-0x000000000772F000-memory.dmp  family_redline
Executes dropped EXE 4 IoCs
  PID 2764  un434046.exe
  PID 5104  pro0066.exe
  PID 3144  qu8868.exe
  PID 3184  si133238.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, among other data.
Windows security modification
Process: pro0066.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
When Tamper Protection is enabled, Defender rejects direct registry changes to its protected settings, this value included, regardless of the writing process's privilege level; that these writes went through in the sandbox does not mean they would take effect on a host with Tamper Protection on.
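The two Defender signatures above are the kind of thing a detection rule should catch independently of which process wrote them. The following is an added example for this report, not tria.ge code: it scans registry "value set" events laid out in a simplified Sysmon Event ID 13 style (the event lines are constructed by hand; six mirror the pro0066.exe IoCs above, two are benign contrasts) and flags any write that weakens Defender, folding the WOW6432Node view onto the native path so 32-bit and 64-bit writers hit the same rule.

```python
"""Flag registry writes that weaken Microsoft Defender.

Added example for this report, not code from tria.ge. The event lines below
are constructed by hand in a simplified Sysmon Event ID 13 (RegistryEvent,
value set) layout; six of them mirror the 'Set value (int)' IoCs attributed
to pro0066.exe above, two are benign writes added as contrast.
"""
import re
from typing import List, NamedTuple, Optional

# Group Policy values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection.
# A DWORD of 1 switches the named real-time component off.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# (key-suffix pattern, value names, data that means "protection weakened")
RULES = [
    (re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection$", re.I),
     RTP_DISABLE_VALUES, 1),
    (re.compile(r"\\Microsoft\\Windows Defender\\Features$", re.I),
     {"TamperProtection"}, 0),
]

EVENT_RE = re.compile(
    r"^EventType: SetValue \| Image: (?P<image>[^|]+?) \| "
    r"TargetObject: (?P<target>[^|]+?) \| Details: (?P<details>.+)$"
)


class Finding(NamedTuple):
    image: str
    value_path: str
    data: int


def normalise(path: str) -> str:
    """Fold \\REGISTRY\\MACHINE\\ and the WOW6432Node view into one HKLM form so a
    write from a 32-bit process (as here) and a native 64-bit write match the same rule."""
    machine = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(machine):
        path = "HKLM\\" + path[len(machine):]
    wow = "HKLM\\SOFTWARE\\WOW6432NODE\\"
    if path.upper().startswith(wow):
        path = "HKLM\\SOFTWARE\\" + path[len(wow):]
    return path


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; anything else is not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per event whose key, value name and data match a rule."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        target = normalise(m["target"].strip())
        key, _, name = target.rpartition("\\")
        data = parse_dword(m["details"])
        for key_re, names, bad in RULES:
            if key_re.search(key) and name in names and data == bad:
                findings.append(Finding(m["image"].strip(), target, data))
    return findings


# Constructed sample events (not sandbox output). Registry paths copied from the IoCs above.
_RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
_PRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\pro0066.exe"


def _evt(image: str, target: str, details: str) -> str:
    return f"EventType: SetValue | Image: {image} | TargetObject: {target} | Details: {details}"


SAMPLE_EVENTS = [
    _evt(_PRO, _RTP + v, "DWORD (0x00000001)") for v in sorted(RTP_DISABLE_VALUES)
] + [
    _evt(_PRO, "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection",
         "DWORD (0x00000000)"),
    # Benign contrast: Group Policy client re-enabling real-time monitoring (data 0, not flagged)
    _evt("C:\\Windows\\System32\\svchost.exe",
         "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
         "DWORD (0x00000000)"),
    # Benign contrast: unrelated autostart value (not flagged)
    _evt("C:\\Windows\\explorer.exe", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
         "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}  {f.value_path} = {f.data}")
```

Run stand-alone it prints the six pro0066.exe writes and nothing for the two contrasts. The rule keys on the value's meaning (1 for the Disable* policies, 0 for TamperProtection) rather than on any write to the key, so a policy refresh that re-enables protection does not page anyone.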
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Process: 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: un434046.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Both values are the standard self-cleanup entries written by the wextract (IExpress) self-extracting stub: at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXPnnn.TMP extraction directory. They do not relaunch the payload, so this signature is not persistence here. The IXP000.TMP and IXP001.TMP directories, and the fact that un434046.exe writes its own wextract_cleanup1 entry, are consistent with a wextract archive that contains a second wextract archive.
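Telling the wextract cleanup entry above apart from genuine RunOnce persistence is a routine triage step. The block below is an added example for this report, not tria.ge code: it accepts an entry as wextract cleanup only when the value name, the rundll32/advpack command and the target directory all fit the pattern, and sends everything else to review. The first two entries are the wextract_cleanup0/1 values from the IoCs above (written with single backslashes, as stored in the registry; the report escapes them); the other two are constructed contrasts.

```python
"""Triage RunOnce values: IExpress/wextract self-cleanup versus real persistence.

Added example for this report, not code from tria.ge. The first two entries
are the wextract_cleanup0/1 values from the IoCs above (single backslashes,
as they sit in the registry); the remaining entries are constructed contrasts.
"""
import re
from typing import List, NamedTuple, Optional

# wextract (the IExpress SFX stub) registers this command so that its temporary
# extraction directory, %TEMP%\IXPnnn.TMP, is deleted at the next logon.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+'
    r'(?:C:\\Windows\\system32\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"?(?P<dir>[^"]+?)\\?"?\s*$',
    re.I,
)
IXP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\IXP\d{3}\.TMP$', re.I)


class RunOnceEntry(NamedTuple):
    name: str       # value name under ...\CurrentVersion\RunOnce
    data: str       # command line stored in the value
    process: str    # process that wrote it


class Verdict(NamedTuple):
    name: str
    process: str
    kind: str                   # "wextract_cleanup" or "review"
    target_dir: Optional[str]   # directory the cleanup would delete, if recognised


def classify(entry: RunOnceEntry) -> Verdict:
    """Accept an entry as benign cleanup only if the value name, the command and
    the target directory all match wextract's pattern. A DelNodeRunDLL32 aimed
    anywhere other than an IXPnnn.TMP directory still goes to review."""
    m = WEXTRACT_CLEANUP_RE.match(entry.data.strip())
    if m and entry.name.lower().startswith("wextract_cleanup"):
        target = m["dir"].rstrip("\\")
        if IXP_DIR_RE.search(target):
            return Verdict(entry.name, entry.process, "wextract_cleanup", target)
    return Verdict(entry.name, entry.process, "review", None)


def triage(entries: List[RunOnceEntry]) -> List[Verdict]:
    return [classify(e) for e in entries]


SAMPLE_ENTRIES = [
    # From the report's IoCs
    RunOnceEntry("wextract_cleanup0",
                 r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
                 "4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe"),
    RunOnceEntry("wextract_cleanup1",
                 r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
                 "un434046.exe"),
    # Constructed: cleanup-looking name, but the directory is not a wextract temp dir
    RunOnceEntry("wextract_cleanup2",
                 r'rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Roaming\stage\"',
                 "example.exe"),
    # Constructed: ordinary RunOnce persistence
    RunOnceEntry("Updater", r'"C:\Users\Admin\AppData\Roaming\svc.exe"', "example.exe"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ENTRIES):
        print(f"{v.kind:17} {v.name:18} {v.process}  {v.target_dir or ''}")
```

The check is deliberately conjunctive: a value named wextract_cleanupN whose command deletes something outside %TEMP%\IXPnnn.TMP is exactly the kind of lookalike that deserves a second look, so it is not waved through on the name alone.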
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
  PID 2712  sc.exe
In the process tree below this instance (sc.exe start wuauserv) is a top-level process with no parent inside the sample's tree, so the report does not attribute it to the sample.
Program crash 2 IoCs
  PID 4736  WerFault.exe  for crashed process 5104 (pro0066.exe, procid_target 84)
  PID 2788  WerFault.exe  for crashed process 3144 (qu8868.exe, procid_target 91)
Suspicious behavior: EnumeratesProcesses 6 IoCs
  PID 5104  pro0066.exe (2 hits)
  PID 3144  qu8868.exe (2 hits)
  PID 3184  si133238.exe (2 hits)
Suspicious use of AdjustPrivilegeToken 3 IoCs
  Token: SeDebugPrivilege  PID 5104  pro0066.exe
  Token: SeDebugPrivilege  PID 3144  qu8868.exe
  Token: SeDebugPrivilege  PID 3184  si133238.exe
Suspicious use of WriteProcessMemory 12 IoCs
  PID 5044 wrote to memory of 2764  (5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe, procid_target 83, 3 writes)
  PID 2764 wrote to memory of 5104  (2764 un434046.exe, procid_target 84, 3 writes)
  PID 2764 wrote to memory of 3144  (2764 un434046.exe, procid_target 91, 3 writes)
  PID 5044 wrote to memory of 3184  (5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe, procid_target 95, 3 writes)
The twelve records are four parent-to-child relations, each logged three times; they match the spawn chain in the process tree below.
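The parent-to-child writes above are enough to rebuild the spawn chain without the rendered process tree, which is useful when all you have is the flat signature export. The block below is an added example for this report, not tria.ge code: it collapses the repeated write records into one edge each, orders children by procid_target (tria.ge's creation index) and prints an indented tree. SAMPLE_RECORDS is the twelve records above typed in verbatim; DROPPED maps child PIDs to images using the "Executes dropped EXE" list.

```python
"""Rebuild the spawn chain from 'wrote to memory of' records.

Added example for this report, not code from tria.ge. SAMPLE_RECORDS is the
twelve WriteProcessMemory IoCs above typed in verbatim; DROPPED maps child
PIDs to images using the 'Executes dropped EXE' list.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Record layout: "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
RECORD_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+) (?P<ordinal>\d+)"
)


class Spawn(NamedTuple):
    parent: int
    child: int
    parent_image: str
    ordinal: int    # tria.ge's procid_target, increasing in creation order
    writes: int     # how many write records collapsed into this edge


def parse_records(text: str) -> List[Spawn]:
    """Collapse repeated (parent, child) write records into one edge each.
    A parent typically writes into a freshly created child several times
    before the child starts running, so one spawn shows up as a burst."""
    seen: Dict[tuple, Spawn] = {}
    for m in RECORD_RE.finditer(text):
        key = (int(m["parent"]), int(m["child"]))
        if key in seen:
            s = seen[key]
            seen[key] = s._replace(writes=s.writes + 1)
        else:
            seen[key] = Spawn(key[0], key[1], m["image"], int(m["ordinal"]), 1)
    return sorted(seen.values(), key=lambda s: s.ordinal)


def build_tree(spawns: List[Spawn], child_images: Dict[int, str]) -> List[str]:
    """Return an indented text tree, children in creation order. Parent images
    come from the records themselves, child images from child_images."""
    images = dict(child_images)
    children = defaultdict(list)
    for s in spawns:
        images.setdefault(s.parent, s.parent_image)
        children[s.parent].append(s)
    child_pids = {s.child for s in spawns}
    roots = sorted({s.parent for s in spawns} - child_pids)

    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        for s in sorted(children[pid], key=lambda s: s.ordinal):
            walk(s.child, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


SAMPLE_RECORDS = (
    "PID 5044 wrote to memory of 2764 5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe 83 "
    "PID 5044 wrote to memory of 2764 5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe 83 "
    "PID 5044 wrote to memory of 2764 5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe 83 "
    "PID 2764 wrote to memory of 5104 2764 un434046.exe 84 "
    "PID 2764 wrote to memory of 5104 2764 un434046.exe 84 "
    "PID 2764 wrote to memory of 5104 2764 un434046.exe 84 "
    "PID 2764 wrote to memory of 3144 2764 un434046.exe 91 "
    "PID 2764 wrote to memory of 3144 2764 un434046.exe 91 "
    "PID 2764 wrote to memory of 3144 2764 un434046.exe 91 "
    "PID 5044 wrote to memory of 3184 5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe 95 "
    "PID 5044 wrote to memory of 3184 5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe 95 "
    "PID 5044 wrote to memory of 3184 5044 4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe 95"
)

# From the 'Executes dropped EXE' signature above
DROPPED = {2764: "un434046.exe", 5104: "pro0066.exe", 3144: "qu8868.exe", 3184: "si133238.exe"}

if __name__ == "__main__":
    print("\n".join(build_tree(parse_records(SAMPLE_RECORDS), DROPPED)))
```

The output reproduces the sample's part of the process tree below (sample, then un434046.exe with pro0066.exe and qu8868.exe beneath it, then si133238.exe). The WerFault.exe and sc.exe processes do not appear because no write record names them as children.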
Processes
(indentation shows the parent/child relationship; the original's depth number is given with each PID)

C:\Users\Admin\AppData\Local\Temp\4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\4bf26ce561f73a6dbb4e2dac51eb47b43d564a1be31fd422147452730046dd3f.exe"
  PID: 5044 (depth 1)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un434046.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un434046.exe
      PID: 2764 (depth 2)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0066.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0066.exe
          PID: 5104 (depth 3)
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1080
              PID: 4736 (depth 4)
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8868.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8868.exe
          PID: 3144 (depth 3)
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 2036
              PID: 2788 (depth 4)
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si133238.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si133238.exe
      PID: 3184 (depth 2)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5104 -ip 5104
  PID: 3084 (depth 1)

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3144 -ip 3144
  PID: 4536 (depth 1)

C:\Windows\system32\sc.exe
  cmdline: C:\Windows\system32\sc.exe start wuauserv
  PID: 2712 (depth 1)
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 4b78aacd0680ccbbd11397bf13771462
SHA1: fa8e8bd75d2defb2807fe0fce6ff6b8dbe1e9447
SHA256: ebc1838741b358037e8f35ecd1a6b956e108d1baf92693b6e81e7cdfb09ce249
SHA512: edf36f161a42daefd0810569b384de80cf75c8166d0460427530669c856baac3ef862a326f2310073fe8c26fba61e5289ecc4b7ad407f5d59ba841586fba394d

Filesize: 517KB
MD5: 2271f382415e9d6e18359ce9da792923
SHA1: 2646331ba16da23fefe230b16dd3b14ffa5b5e99
SHA256: 7f99ffa0fa3e4a4371ee7a1e59fad663517dcfa16c0901f72c62341f7d601389
SHA512: eadefb44c5162ef1e4f76986d7c9a1cd9a6264b7b77257c99ea9751284ff47ea714862f62a615b0c2b58f2c54c3760f0a4e6e8d713ac0b1d7898d015bdcd04d1

Filesize: 296KB
MD5: 7f2b1a4309156096e16debc52b059592
SHA1: df3a32ef0e9c7a0ae593c1e4625397af79bd965d
SHA256: c36ee115946c41a26d778878a496d3872e9ba0805dd284b89d7853117c3202a4
SHA512: 318a3c76c6e2382fc79682b254d737522d954b6de9e2ca159b53eb41121dc13ee61a8989829cf8120ce5db1a75d756235b482c79ea03570e21c3c09d0d4009b4

Filesize: 355KB
MD5: 7a3d85fd0ae5779101a754a3b2133a0e
SHA1: 31630de17c0249b04784bd2796ba82d3683aeeb4
SHA256: ded08a49d682ac318afc38ef6d8c7106909be30c5a70e27e123dff021f12f8c5
SHA512: 52b23ea56a71fbf0f68d73267c3798952deaa4165a139d1b95c24eede07d19103885d43030015870a45c073d04ce8e79beab88c715c9ed9ea7d8307187aeeaa5