Analysis
max time kernel: 62s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2023, 05:15
Static task: static1
Behavioral task: behavioral1
Sample: 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe
Resource: win10v2004-20230220-en
General
Target: 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe
Size: 530KB
MD5: 0a865ba9c50b969838d8f6209fcdf585
SHA1: 7706483e4519cd0499270502f7b95fe7140fd39f
SHA256: 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f
SHA512: 4470df50b8f54be701cf432bbd046c4aad49799f97a8de68dd618da8fe0f0e7dd41367f0fa525d599b82cf915d2225684f2793671d11f8c7ec722563b19c7642
SSDEEP: 12288:oMrHy90j77i/jdEeU6TMbwwluXRk2OIBOjBMW/X+iX:vyI7iqeBkw8Ok2VBOjtX
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr562006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr562006.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr562006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr562006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr562006.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr562006.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
resource | yara_rule
behavioral1/memory/3604-158-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-161-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-163-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-159-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-165-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-167-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-169-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-171-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-173-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-175-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-177-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-179-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-181-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-183-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-185-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-187-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-189-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-191-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-193-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-195-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-197-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-199-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-201-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-203-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-205-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-207-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-209-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-211-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-213-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-215-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-217-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-219-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
behavioral1/memory/3604-221-0x0000000006880000-0x00000000068BF000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1836 | ziMK0162.exe
1164 | jr562006.exe
3604 | ku451890.exe
2108 | lr652886.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr562006.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziMK0162.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziMK0162.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3312 | 3604 | WerFault.exe | 90
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1164 | jr562006.exe
1164 | jr562006.exe
3604 | ku451890.exe
3604 | ku451890.exe
2108 | lr652886.exe
2108 | lr652886.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1164 | jr562006.exe
Token: SeDebugPrivilege | 3604 | ku451890.exe
Token: SeDebugPrivilege | 2108 | lr652886.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2192 wrote to memory of 1836 | 2192 | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe | 84
PID 2192 wrote to memory of 1836 | 2192 | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe | 84
PID 2192 wrote to memory of 1836 | 2192 | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe | 84
PID 1836 wrote to memory of 1164 | 1836 | ziMK0162.exe | 85
PID 1836 wrote to memory of 1164 | 1836 | ziMK0162.exe | 85
PID 1836 wrote to memory of 3604 | 1836 | ziMK0162.exe | 90
PID 1836 wrote to memory of 3604 | 1836 | ziMK0162.exe | 90
PID 1836 wrote to memory of 3604 | 1836 | ziMK0162.exe | 90
PID 2192 wrote to memory of 2108 | 2192 | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe | 97
PID 2192 wrote to memory of 2108 | 2192 | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe | 97
PID 2192 wrote to memory of 2108 | 2192 | 2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe (PID 2192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMK0162.exe (PID 1836)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMK0162.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr562006.exe (PID 1164)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr562006.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku451890.exe (PID 3604)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku451890.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 3312)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1328
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652886.exe (PID 2108)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652886.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
Network
MITRE ATT&CK Enterprise v6
Downloads