Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2023, 04:32
Static task
static1
Behavioral task
behavioral1
Sample
824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe
Resource
win10v2004-20230220-en
General
-
Target
824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe
-
Size
530KB
-
MD5
47774209882a4d6e18b3647dc4c263ef
-
SHA1
a2ce99f6201cec5d222a51d673a71dd886770fdf
-
SHA256
824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2
-
SHA512
b7b62bdc4441653d4b2f004f4338b82a8941fd8609ae9e4f5bd9fc1bf66de15667f19e691ba058de9ec9dfb67eaeadfc2c6b1fd2ae3201d6640d30c8ca93b343
-
SSDEEP
12288:zMrdy9025Ya76IGg3wJS+ZBNuXij2xgm3I1FcGpBeK:Cyl59fGiQnDj2xXI1qGGK
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr780228.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr780228.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr780228.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr780228.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr780228.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr780228.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
resource yara_rule behavioral1/memory/3560-154-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-155-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-158-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-162-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-166-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-164-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-168-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-170-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-172-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-174-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-176-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-178-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-180-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-182-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-184-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-186-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-188-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-190-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-192-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-194-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-196-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-198-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-200-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-202-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-204-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-206-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-208-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-210-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-212-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-214-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-218-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-216-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline behavioral1/memory/3560-220-0x0000000004470000-0x00000000044AF000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 4592 ziJe2273.exe 1008 jr780228.exe 3560 ku735626.exe 4504 lr745538.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr780228.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziJe2273.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziJe2273.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2784 3560 WerFault.exe 87 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1008 jr780228.exe 1008 jr780228.exe 3560 ku735626.exe 3560 ku735626.exe 4504 lr745538.exe 4504 lr745538.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1008 jr780228.exe Token: SeDebugPrivilege 3560 ku735626.exe Token: SeDebugPrivilege 4504 lr745538.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4936 wrote to memory of 4592 4936 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe 83 PID 4936 wrote to memory of 4592 4936 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe 83 PID 4936 wrote to memory of 4592 4936 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe 83 PID 4592 wrote to memory of 1008 4592 ziJe2273.exe 84 PID 4592 wrote to memory of 1008 4592 ziJe2273.exe 84 PID 4592 wrote to memory of 3560 4592 ziJe2273.exe 87 PID 4592 wrote to memory of 3560 4592 ziJe2273.exe 87 PID 4592 wrote to memory of 3560 4592 ziJe2273.exe 87 PID 4936 wrote to memory of 4504 4936 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe 91 PID 4936 wrote to memory of 4504 4936 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe 91 PID 4936 wrote to memory of 4504 4936 824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe"C:\Users\Admin\AppData\Local\Temp\824b1a3562465f7e2c56019e7dae7482c5ec91f5885412d0a4cfbc6cbfc68fa2.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJe2273.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJe2273.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr780228.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr780228.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku735626.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku735626.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 13524⤵
- Program crash
PID:2784
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr745538.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr745538.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3560 -ip 35601⤵PID:5048
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD5574501f5d42baaf6508ee3ac7681ee75
SHA161879a1bc2a7b6bdb2959ac6bd5c628e8e63b86c
SHA256cd3cb25ae9c2cd3b4e43299948baaf98793fb0b3f2a6067c76801315d2b5c584
SHA512d1debc7b7fd78b3f8ed6540855c56068da3e378323a6f60b6a2eb550166b7b1bff982293c4fb9453960a61e0ff8f61a3f7a95740fddcb16cf77c146bd92efaef
-
Filesize
176KB
MD5574501f5d42baaf6508ee3ac7681ee75
SHA161879a1bc2a7b6bdb2959ac6bd5c628e8e63b86c
SHA256cd3cb25ae9c2cd3b4e43299948baaf98793fb0b3f2a6067c76801315d2b5c584
SHA512d1debc7b7fd78b3f8ed6540855c56068da3e378323a6f60b6a2eb550166b7b1bff982293c4fb9453960a61e0ff8f61a3f7a95740fddcb16cf77c146bd92efaef
-
Filesize
389KB
MD5c6f233abf2ea96d41abb6c10364ec34d
SHA12fe6852abfba23dd45461c513391ca6f5dd3ec0a
SHA256138b67054a9acea573cf227414aecbfc686dd8c4eed5dcd3c171f5f8aed44306
SHA5125edf9a3f43f27bdef2e835c9938a986d3a86ed5c056cd16b5dca50ddae9628b1c43facb67903db11562523de9e22c6f3e990dc38b427d761006ceff21f34f01c
-
Filesize
389KB
MD5c6f233abf2ea96d41abb6c10364ec34d
SHA12fe6852abfba23dd45461c513391ca6f5dd3ec0a
SHA256138b67054a9acea573cf227414aecbfc686dd8c4eed5dcd3c171f5f8aed44306
SHA5125edf9a3f43f27bdef2e835c9938a986d3a86ed5c056cd16b5dca50ddae9628b1c43facb67903db11562523de9e22c6f3e990dc38b427d761006ceff21f34f01c
-
Filesize
12KB
MD50ee9057f54482764d57de3704660c52f
SHA136fb1302d8d7f90cf4645737a3eb522b7f1c2412
SHA2569f30ec1839b39b042cc00cd4f86173ab99e5d5df9a99d4d2bb32232caf749bc7
SHA5129e8822e2f793e3a39d90138beae5d8f4a42f3155ce67e0e090e7845f16b651667158f13090cf5b9cfe6411396f0fbc68b23a1f9ebab3765f89da449ca25bc85b
-
Filesize
12KB
MD50ee9057f54482764d57de3704660c52f
SHA136fb1302d8d7f90cf4645737a3eb522b7f1c2412
SHA2569f30ec1839b39b042cc00cd4f86173ab99e5d5df9a99d4d2bb32232caf749bc7
SHA5129e8822e2f793e3a39d90138beae5d8f4a42f3155ce67e0e090e7845f16b651667158f13090cf5b9cfe6411396f0fbc68b23a1f9ebab3765f89da449ca25bc85b
-
Filesize
435KB
MD54d309571e3fb1307d574f2ca5d12827b
SHA189b3742e2c5e8e4133755d38b9342c904f8e8db3
SHA25618ee55bc2fc206b372fe0cf692cb19b43c0d4fcccb969641f65505416ba3f31c
SHA512be56976e58f6af0eaaf5d9ce4cfb6c7138b90957f1f816c4c578308ef09005e81fbb5f96ae548a3227837a8c8b002773e1263e8b32857dd284920e388fc2d631
-
Filesize
435KB
MD54d309571e3fb1307d574f2ca5d12827b
SHA189b3742e2c5e8e4133755d38b9342c904f8e8db3
SHA25618ee55bc2fc206b372fe0cf692cb19b43c0d4fcccb969641f65505416ba3f31c
SHA512be56976e58f6af0eaaf5d9ce4cfb6c7138b90957f1f816c4c578308ef09005e81fbb5f96ae548a3227837a8c8b002773e1263e8b32857dd284920e388fc2d631