Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
58s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2023, 05:37
Static task
static1
Behavioral task
behavioral1
Sample
cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe
Resource
win10v2004-20230220-en
General
-
Target
cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe
-
Size
659KB
-
MD5
f6e228646713aef367970feb593df6e1
-
SHA1
adc615539b1898c8f94bd44e850016946c60c0a8
-
SHA256
cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef
-
SHA512
c50e9f2cce12d3aae110f48bafd5f76ab50baf8859d2b624044b913624630686fd03b04171ca9e711e0f56d25d68bdc227cce8e80493221ee5c78b93c1c7c821
-
SSDEEP
12288:UMr8y90cNIf+Fz0ErbJB8+TheB5EuHdUh7B0GpewsTe6Siv35jVqomVy:wypq+RG8o5p9wBcrSYpZmA
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro5475.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro5475.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro5475.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro5475.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro5475.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro5475.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource yara_rule behavioral1/memory/4796-190-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-191-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-193-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-195-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-197-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-199-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-201-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-203-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-205-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-207-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-209-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-211-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-213-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-215-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-217-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-219-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-221-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-223-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/4796-479-0x0000000004EA0000-0x0000000004EB0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2792 un306820.exe 4880 pro5475.exe 4796 qu8754.exe 1216 si487633.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro5475.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro5475.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un306820.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un306820.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 3836 4880 WerFault.exe 86 4588 4796 WerFault.exe 92 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4880 pro5475.exe 4880 pro5475.exe 4796 qu8754.exe 4796 qu8754.exe 1216 si487633.exe 1216 si487633.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4880 pro5475.exe Token: SeDebugPrivilege 4796 qu8754.exe Token: SeDebugPrivilege 1216 si487633.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 864 wrote to memory of 2792 864 cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe 85 PID 864 wrote to memory of 2792 864 cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe 85 PID 864 wrote to memory of 2792 864 cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe 85 PID 2792 wrote to memory of 4880 2792 un306820.exe 86 PID 2792 wrote to memory of 4880 2792 un306820.exe 86 PID 2792 wrote to memory of 4880 2792 un306820.exe 86 PID 2792 wrote to memory of 4796 2792 un306820.exe 92 PID 2792 wrote to memory of 4796 2792 un306820.exe 92 PID 2792 wrote to memory of 4796 2792 un306820.exe 92 PID 864 wrote to memory of 1216 864 cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe 96 PID 864 wrote to memory of 1216 864 cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe 96 PID 864 wrote to memory of 1216 864 cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe"C:\Users\Admin\AppData\Local\Temp\cb602bc2c5e083f8edac0a6e0d5d6420bdf231b702fdd036db8406424bef72ef.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un306820.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un306820.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5475.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5475.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 11004⤵
- Program crash
PID:3836
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8754.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8754.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 13284⤵
- Program crash
PID:4588
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487633.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487633.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4880 -ip 48801⤵PID:4300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4796 -ip 47961⤵PID:2028
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD59d80a52f486eb620dd74426ac507c62e
SHA1b5381841079b36a6e90bf5c7089cf8cfdc9d99c5
SHA2567b1deb4fc6f3090ca0b0d8147611404d85177cf084e6feaa41dd77ef6955c5dc
SHA512d16345ba50239f68b5f48ba9a1e15bcb0a2f9751eaccbed0e6e809708801cdd6f303326ef45707555ec438dc033a517cbc70674b09b488bde56a1911f6cbdfa9
-
Filesize
176KB
MD59d80a52f486eb620dd74426ac507c62e
SHA1b5381841079b36a6e90bf5c7089cf8cfdc9d99c5
SHA2567b1deb4fc6f3090ca0b0d8147611404d85177cf084e6feaa41dd77ef6955c5dc
SHA512d16345ba50239f68b5f48ba9a1e15bcb0a2f9751eaccbed0e6e809708801cdd6f303326ef45707555ec438dc033a517cbc70674b09b488bde56a1911f6cbdfa9
-
Filesize
518KB
MD5af87ecdf12fbdabfa48cca829e66a606
SHA1ecdd92309b9ffeea51170d96943fde222e76a8c6
SHA2563f3f9266a458d7e7f14b4e00b8eedd0bd28550bc6657a61d0349bb4c7274aa8b
SHA512edf768f5fa4c20d029dc6f47e9cd84031ad58188bf5bafc4e72e18618d162ac8e4e4753e01fb410ab070980faf429897980c9240413d3a4977c45364c0218d36
-
Filesize
518KB
MD5af87ecdf12fbdabfa48cca829e66a606
SHA1ecdd92309b9ffeea51170d96943fde222e76a8c6
SHA2563f3f9266a458d7e7f14b4e00b8eedd0bd28550bc6657a61d0349bb4c7274aa8b
SHA512edf768f5fa4c20d029dc6f47e9cd84031ad58188bf5bafc4e72e18618d162ac8e4e4753e01fb410ab070980faf429897980c9240413d3a4977c45364c0218d36
-
Filesize
376KB
MD57db7b690f053a1696ef1c5b711e35a8e
SHA1e2f68da3f84275633861780261462efda7cceda2
SHA256a309b973eb4636fdb00db9d2b8f355b4551f7efad5affb0b76545c4e46bd7f7e
SHA512c59a370b44020ed87e012edc9c9ae30fd2b68d73709fe71d70823bb6a325c06ccbb708a3ab5a12ec1d797a43683961d7e7463d7dd3c4c4d97d3736f5613ce81c
-
Filesize
376KB
MD57db7b690f053a1696ef1c5b711e35a8e
SHA1e2f68da3f84275633861780261462efda7cceda2
SHA256a309b973eb4636fdb00db9d2b8f355b4551f7efad5affb0b76545c4e46bd7f7e
SHA512c59a370b44020ed87e012edc9c9ae30fd2b68d73709fe71d70823bb6a325c06ccbb708a3ab5a12ec1d797a43683961d7e7463d7dd3c4c4d97d3736f5613ce81c
-
Filesize
434KB
MD51df5ced9072c1fb5a89407d3396f107c
SHA127a46ecd42f7f6c077aecc1f8fa033eb196cacf0
SHA25651d0bf01b533ecbd7682cb82a28de2c656afaa362ce5dce4537001850f7cae1b
SHA512c0823e3fb9a941db45f0a240aa370a09d7e1c6b97aa91b401d3df868abb4dceeefece3e62cc2a263dba7a5073465ad7e4e116d53d843526162f603f3ccc0ad6f
-
Filesize
434KB
MD51df5ced9072c1fb5a89407d3396f107c
SHA127a46ecd42f7f6c077aecc1f8fa033eb196cacf0
SHA25651d0bf01b533ecbd7682cb82a28de2c656afaa362ce5dce4537001850f7cae1b
SHA512c0823e3fb9a941db45f0a240aa370a09d7e1c6b97aa91b401d3df868abb4dceeefece3e62cc2a263dba7a5073465ad7e4e116d53d843526162f603f3ccc0ad6f