Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2023, 18:04
Static task
static1
Behavioral task
behavioral1
Sample
a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe
Resource
win10v2004-20230220-en
General
-
Target
a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe
-
Size
537KB
-
MD5
dd093277d330325f17b6dfbd871a5978
-
SHA1
0dd63d8e8f354967547b18d9f8b1287fbc2dd387
-
SHA256
a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303
-
SHA512
36f8eac1f028a0654dd122b1a4c99cac6886ded26c581907421a502caeb234effa463a92b77492afed00df1e580144d46c5fb14699324f9dfabf3be6e9f10590
-
SSDEEP
12288:sMr6y90sX+IMHVhpKX5QNTz28I7Lz61ShnwLyLc:Gy5OhpYKNTm7yCwLgc
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr158618.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr158618.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr158618.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr158618.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr158618.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr158618.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
resource yara_rule behavioral1/memory/2004-156-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-157-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-159-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-161-0x00000000027B0000-0x00000000027C0000-memory.dmp family_redline behavioral1/memory/2004-162-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-165-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-167-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-169-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-171-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-173-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-175-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-177-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-179-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-181-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-183-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-185-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-187-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-191-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-193-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-189-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-195-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-197-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-199-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-201-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-203-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-205-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-207-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-209-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-211-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-213-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-215-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-217-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-219-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline behavioral1/memory/2004-221-0x0000000002A90000-0x0000000002ACF000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 648 ziKK5821.exe 1324 jr158618.exe 2004 ku215130.exe 2016 lr104805.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr158618.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziKK5821.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziKK5821.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4844 2004 WerFault.exe 91 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1324 jr158618.exe 1324 jr158618.exe 2004 ku215130.exe 2004 ku215130.exe 2016 lr104805.exe 2016 lr104805.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1324 jr158618.exe Token: SeDebugPrivilege 2004 ku215130.exe Token: SeDebugPrivilege 2016 lr104805.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 456 wrote to memory of 648 456 a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe 83 PID 456 wrote to memory of 648 456 a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe 83 PID 456 wrote to memory of 648 456 a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe 83 PID 648 wrote to memory of 1324 648 ziKK5821.exe 84 PID 648 wrote to memory of 1324 648 ziKK5821.exe 84 PID 648 wrote to memory of 2004 648 ziKK5821.exe 91 PID 648 wrote to memory of 2004 648 ziKK5821.exe 91 PID 648 wrote to memory of 2004 648 ziKK5821.exe 91 PID 456 wrote to memory of 2016 456 a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe 96 PID 456 wrote to memory of 2016 456 a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe 96 PID 456 wrote to memory of 2016 456 a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe"C:\Users\Admin\AppData\Local\Temp\a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKK5821.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKK5821.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr158618.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr158618.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku215130.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku215130.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 16364⤵
- Program crash
PID:4844
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr104805.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr104805.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2004 -ip 20041⤵PID:1500
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5108a4e38f44183679ef854dba2f70db0
SHA1af791f8c9c24ad4bfecf5e8e211d0850e48460d6
SHA256704491a698e542b47d3027e05f272589f87274b17059fa719ab1edd810ca8425
SHA512da05eacf72d1cef0c4b6c52fc40cf674b9ee8af710d8259457684bff6df5342283ae5605a6a08fc30b8b186176d62121d8c999035c2c5d43a3be91ef8c245df9
-
Filesize
175KB
MD5108a4e38f44183679ef854dba2f70db0
SHA1af791f8c9c24ad4bfecf5e8e211d0850e48460d6
SHA256704491a698e542b47d3027e05f272589f87274b17059fa719ab1edd810ca8425
SHA512da05eacf72d1cef0c4b6c52fc40cf674b9ee8af710d8259457684bff6df5342283ae5605a6a08fc30b8b186176d62121d8c999035c2c5d43a3be91ef8c245df9
-
Filesize
394KB
MD59827d53ef0e504a7eac4641e371707d2
SHA16fdbb93879e2103703688eaf384f04d9c5c076f9
SHA25628d306963084391bb507cb09ebcbef4dd16ce85cd410828827b0bc01ae4da4c0
SHA51292d08f77fe95e95fa67af5207b812352da6372190e1a45a98fde7af6137f35b4236ae6f28de6c7e84a9e1fda4c1c6d5f114dc7a6231390a9717e91ac37f70916
-
Filesize
394KB
MD59827d53ef0e504a7eac4641e371707d2
SHA16fdbb93879e2103703688eaf384f04d9c5c076f9
SHA25628d306963084391bb507cb09ebcbef4dd16ce85cd410828827b0bc01ae4da4c0
SHA51292d08f77fe95e95fa67af5207b812352da6372190e1a45a98fde7af6137f35b4236ae6f28de6c7e84a9e1fda4c1c6d5f114dc7a6231390a9717e91ac37f70916
-
Filesize
13KB
MD531a98cf3f4bab812175b9e47683f6c0c
SHA1a8babf91edc245bb2736f087105f546732eab145
SHA25645b161f07233c7ca1102a61ef0ed5369de7e7894ac049a997792dfe5a56fb97b
SHA512ebe6763f0e2e6c2543529572f5c043b032d7dade023de77093fd4ec8c1d42fc20a27a188821ada50eacda039a1cc4271b7da3fa53a8e2c4c6cc5e0ae35b4c20e
-
Filesize
13KB
MD531a98cf3f4bab812175b9e47683f6c0c
SHA1a8babf91edc245bb2736f087105f546732eab145
SHA25645b161f07233c7ca1102a61ef0ed5369de7e7894ac049a997792dfe5a56fb97b
SHA512ebe6763f0e2e6c2543529572f5c043b032d7dade023de77093fd4ec8c1d42fc20a27a188821ada50eacda039a1cc4271b7da3fa53a8e2c4c6cc5e0ae35b4c20e
-
Filesize
353KB
MD5f3a7c5b23c114a19ab41de8a5c6fb867
SHA1789c4d88c49d4c6868a4984b9adddc52fe708472
SHA25614ec403b545f89b29101a4f9603ea577b20c6a71c98c1cd6de526840432ccadd
SHA5129fa1cc71f337ac1da68d630ebc6d0264486ce8ac95c1ec5005f0cbf4e94ef080e2775b10a92a82a389991e96d803a13e00cb97ad246e4bdf76c6885500e79c5a
-
Filesize
353KB
MD5f3a7c5b23c114a19ab41de8a5c6fb867
SHA1789c4d88c49d4c6868a4984b9adddc52fe708472
SHA25614ec403b545f89b29101a4f9603ea577b20c6a71c98c1cd6de526840432ccadd
SHA5129fa1cc71f337ac1da68d630ebc6d0264486ce8ac95c1ec5005f0cbf4e94ef080e2775b10a92a82a389991e96d803a13e00cb97ad246e4bdf76c6885500e79c5a