Analysis
  max time kernel: 62s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/04/2023, 03:54

Static task: static1
Behavioral task: behavioral1
Sample: fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe
Resource: win10v2004-20230220-en
General
  Target: fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe
  Size: 531KB
  MD5: c31c248209a2523466fa0e841a6d52d0
  SHA1: b47db6f63703ada7c7fd68e0e9560d8248df841e
  SHA256: fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0
  SHA512: 4a694980324289fe47244ca6396acce6e853b4acfead13fd86fda36255ba81c2abfbb39b6ab22735562ada9d7c1ae5ccb761bcdad3121a93123201c70f82fce4
  SSDEEP: 12288:/MrZy90rcxaVM8DYjRE/uXxj2Iv6ff0+wJAeIU:eyTE+8sj8+j2IvWUWU
Malware Config
  Extracted (redline, rosn)
    176.113.115.145:4125
    auth_value: 050a19e1db4d0024b0f23b37dcf961f4
  Extracted (redline, spora)
    176.113.115.145:4125
    auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
  Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    Process: jr473268.exe
  Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
    Process: jr473268.exe
  Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
    Process: jr473268.exe
  Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
    Process: jr473268.exe
  Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
    Process: jr473268.exe
  Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
    Process: jr473268.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (33 IoCs)
Executes dropped EXE (4 IoCs)
  PID   Process
  3404  ziuP8574.exe
  848   jr473268.exe
  1256  ku759341.exe
  2944  lr925006.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification
  Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
    Process: jr473268.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created
    ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe
  Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe
  Key created
    ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: ziuP8574.exe
  Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: ziuP8574.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoCs)
  PID   pid_target  Process       procid_target
  4656  1256        WerFault.exe  89

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  848   jr473268.exe
  848   jr473268.exe
  1256  ku759341.exe
  1256  ku759341.exe
  2944  lr925006.exe
  2944  lr925006.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              PID   Process
  Token: SeDebugPrivilege  848   jr473268.exe
  Token: SeDebugPrivilege  1256  ku759341.exe
  Token: SeDebugPrivilege  2944  lr925006.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                         PID   Process                                                                 procid_target
  PID 876 wrote to memory of 3404     876   fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe   83
  PID 876 wrote to memory of 3404     876   fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe   83
  PID 876 wrote to memory of 3404     876   fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe   83
  PID 3404 wrote to memory of 848     3404  ziuP8574.exe                                                            84
  PID 3404 wrote to memory of 848     3404  ziuP8574.exe                                                            84
  PID 3404 wrote to memory of 1256    3404  ziuP8574.exe                                                            89
  PID 3404 wrote to memory of 1256    3404  ziuP8574.exe                                                            89
  PID 3404 wrote to memory of 1256    3404  ziuP8574.exe                                                            89
  PID 876 wrote to memory of 2944     876   fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe   93
  PID 876 wrote to memory of 2944     876   fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe   93
  PID 876 wrote to memory of 2944     876   fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe   93
Processes
(process tree; indentation shows parent/child depth, each entry lists image path, PID, command line and triggered signatures)

  C:\Users\Admin\AppData\Local\Temp\fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe (PID 876)
    command line: "C:\Users\Admin\AppData\Local\Temp\fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuP8574.exe (PID 3404)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuP8574.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473268.exe (PID 848)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473268.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku759341.exe (PID 1256)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku759341.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (PID 4656)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1348
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr925006.exe (PID 2944)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr925006.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (PID 524)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1256 -ip 1256
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 176KB
  MD5: b61fdbf445bf7bd8ee5b674fb6bc508f
  SHA1: 25532401081ec06b3c6042bdb9bdf029fe41fde0
  SHA256: 698f432e971bd0a6243d8c4c0e702c878968bce4e9c266b0f0b6d32903eae76f
  SHA512: 5bd3823b32ac121bd69aedc14bbbe0d49127653e7771eec2f957333cb67f34620fc87270bd5f49def9ca1ef291aacc9d1cecffd0b5cf32be20b86e25d738a841
  Filesize: 389KB
  MD5: ba61b169084cf9e3eff6e7294a4ceae3
  SHA1: 5a9c5e56dd597811b42c1a5badd2121e4d79afeb
  SHA256: 96d226dfc52b109f45ea9b2c95a4f8f8081ca3a855d6b5039648feb7b731decd
  SHA512: fc9cb7461cf1c8e789b45a5e6fb754546e5cdf3415f539ec5b8f0c36b110a3a9d911598508cc288e03f9c79da6281d8ea9ef342e9f288dae5660a2b107320bbc
  Filesize: 12KB
  MD5: 5092b44f4f627eced613c3bb696bceca
  SHA1: 6f847da6bfac1074fac8cd55520130477da8bc9e
  SHA256: 7936ddf9158d156bcc0a5ce94f7c39b0314a03ef83c74871c56d3ec99db7e60d
  SHA512: d96630e57e100df7cf8af958ab337c83416e2722c8b22b07fffdebbd1e82a3ae955a1504539fe944bb12e0c616135d7dd9e86430e5cd87ad913f5b2480a29f3b
  Filesize: 435KB
  MD5: a5f56037e628ce339c37047af9c29320
  SHA1: 5109b706b6d2945d48194f3e57dc5ec4d279b3fc
  SHA256: a65aa3136a2cdeb1421bd53e405a94d9621dc90fada9a85182ea20de01218ee3
  SHA512: 101f14316aa34fa36a9b80dac290fffd9087f38983e74b9e66a5f8c01c4755f7fd4116e6fa256bab772d3278a65efbe7359f37c37a300e7a736464ecff982f62