Analysis
-
max time kernel
112s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted
03/04/2023, 21:59
Static task
static1
Behavioral task
behavioral1
Sample
31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Resource
win10v2004-20230221-en
General
-
Target
31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
-
Size
659KB
-
MD5
0da5a0fc4ad00a860e777bb73770cee9
-
SHA1
b57540efb160aa5d37699cdf0bb919147036381d
-
SHA256
31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e
-
SHA512
1f275b5f0552805c4656853a3c6245708eba025c365ae9b6efcc1b5d3a4f8baa7e23241f68b8364754e4d25b0e98c814141bfb5e3278b021f7947a9e8c9f649b
-
SSDEEP
12288:IMr2y90FfPPzt6/40pbY/oj7y8T4ere3JlNt59/rwZZiCXa7ft/ju2MJ:eyKfPbUDO87y3TlNt5RqZjXgBE
Malware Config
Extracted
family: redline
botnet: rosn
C2: 176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
family: redline
botnet: spora
C2: 176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
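Both extracted configs point at the same C2 endpoint and differ only in botnet tag and auth_value, so for network detection they collapse to one host:port indicator. The following is an added example, not tria.ge code or RedLine code: it builds the indicator set from the config values above and runs it over a few constructed flow records (the "timestamp src dst:port proto" record format is an assumption for the example). A hit on the C2 IP on a different port is reported separately as a weaker host-only match rather than silently dropped or silently merged.

```python
"""Derive network indicators from the extracted RedLine configs and match
them against connection records. Added example; not tria.ge or RedLine code."""
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
REDLINE_CONFIGS = [
    {"family": "redline", "botnet": "rosn",
     "c2": "176.113.115.145:4125",
     "auth_value": "050a19e1db4d0024b0f23b37dcf961f4"},
    {"family": "redline", "botnet": "spora",
     "c2": "176.113.115.145:4125",
     "auth_value": "441b39ab37774b2ca9931c31e1bc6071"},
]


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def c2_endpoints(configs):
    """Unique C2 endpoints across all extracted configs (two configs sharing
    one C2 yield one endpoint)."""
    out = set()
    for cfg in configs:
        host, _, port = cfg["c2"].rpartition(":")
        out.add(Endpoint(host, int(port)))
    return out


def botnets_for(endpoint, configs):
    """Botnet tags that point at a given endpoint, for analyst context."""
    key = f"{endpoint.ip}:{endpoint.port}"
    return sorted(c["botnet"] for c in configs if c["c2"] == key)


# Constructed flow records for the example (assumed format:
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <proto>"); not from the report.
SAMPLE_FLOWS = """\
2023-04-03T21:59:41Z 10.0.0.5 176.113.115.145:4125 tcp
2023-04-03T21:59:42Z 10.0.0.5 198.51.100.20:443 tcp
2023-04-03T21:59:50Z 10.0.0.7 176.113.115.145:80 tcp
2023-04-03T22:00:03Z 10.0.0.5 176.113.115.145:4125 tcp
"""


def match_flows(flow_text, configs):
    """Return (exact, host_only).

    exact:     (ts, src, endpoint, botnets) for flows to a configured ip:port.
    host_only: (ts, src, endpoint) for flows to a configured IP on another
               port; surfaced separately so an analyst can decide whether to
               widen a block to the whole host."""
    eps = c2_endpoints(configs)
    ips = {e.ip for e in eps}
    exact, host_only = [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _proto = line.split()
        ip, _, port = dst.rpartition(":")
        ep = Endpoint(ip, int(port))
        if ep in eps:
            exact.append((ts, src, ep, botnets_for(ep, configs)))
        elif ip in ips:
            host_only.append((ts, src, ep))
    return exact, host_only


if __name__ == "__main__":
    hits, weak = match_flows(SAMPLE_FLOWS, REDLINE_CONFIGS)
    for ts, src, ep, tags in hits:
        print(f"C2 hit {ts} {src} -> {ep.ip}:{ep.port} botnets={tags}")
    for ts, src, ep in weak:
        print(f"host-only {ts} {src} -> {ep.ip}:{ep.port}")
```

The auth_value is kept in the config records but not used for matching: it is a per-build token sent inside the RedLine session, not something visible in flow metadata.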
Signatures
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5294.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5294.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro5294.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5294.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5294.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5294.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 16 IoCs
resource | yara_rule
behavioral1/memory/2016-199-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-200-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-202-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-204-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-206-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-208-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-210-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-212-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-214-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-216-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-218-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-220-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-222-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-224-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-226-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/2016-228-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
-
Executes dropped EXE 4 IoCs
pid | Process
3568 | un408399.exe
4780 | pro5294.exe
2016 | qu3116.exe
2552 | si487329.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5294.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5294.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un408399.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un408399.exe
-
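The registry rows in the three signatures above carry the most actionable detail in this report: pro5294.exe writes the Defender Real-Time Protection policy values that switch off real-time, behavior, on-access and IOAV (download/attachment) scanning, writes Features\TamperProtection = 0, and the two RunOnce wextract_cleanup entries show that the outer sample and un408399.exe are both wextract (IExpress-style) self-extractors unpacking into IXP000.TMP and IXP001.TMP. The following is an added example, not tria.ge code: it parses rows in the flattened form the report uses (operation, key, optional = "value", process; that grammar is inferred from the rows and is an assumption), classifies them, and recovers the SFX extraction directories from the escaped RunOnce command lines. One caveat a responder should keep in mind: when Tamper Protection is on, Defender ignores or reverts these policy writes, and the report records the write, not whether it took effect.

```python
"""Parse and classify the registry IoC rows from the tria.ge signatures above.
Added example; not tria.ge code or RedLine code."""
import re
from collections import defaultdict

# Row grammar inferred from the report (assumption): an operation, a key path
# (which may contain spaces), an optional ` = "value"`, then the process name.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>int|str)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")? '
    r'(?P<process>\S+)$'
)

# Rows copied verbatim from the Signatures section of the report.
IOC_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro5294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro5294.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro5294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro5294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro5294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro5294.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro5294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro5294.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un408399.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un408399.exe
"""

DEFENDER_RTP_POLICY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft"
                       r"\Windows Defender\Real-Time Protection")
TAMPER_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft"
              r"\Windows Defender\Features\TamperProtection")
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def parse_rows(text):
    """Split the flattened rows into dicts; fail loudly on anything unparsed."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def unescape(s):
    """Undo the report's C-style escaping of string values (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def classify(rows):
    """Group rows into Defender policy tampering, Tamper Protection state and
    wextract SFX cleanup entries (whose DelNodeRunDLL32 argument is the
    extraction directory the stage unpacked into)."""
    f = {"defender_disabled": set(), "tamper_protection_off": False,
         "wextract_stages": [], "by_process": defaultdict(set)}
    for r in rows:
        if r["op"] == "Key created":      # key creation alone carries no value
            continue
        key, value, proc = r["key"], r["value"], r["process"]
        parent, _, name = key.rpartition("\\")
        if parent.lower() == DEFENDER_RTP_POLICY.lower() and name.startswith("Disable") and value == "1":
            f["defender_disabled"].add(name)
            f["by_process"][proc].add("defender-policy-tamper")
        elif key.lower() == TAMPER_KEY.lower() and value == "0":
            f["tamper_protection_off"] = True
            f["by_process"][proc].add("tamper-protection-off")
        elif parent.lower() == RUNONCE.lower() and name.startswith("wextract_cleanup"):
            cmd = unescape(value)
            m = re.search(r'DelNodeRunDLL32 "(.+?)"', cmd)
            f["wextract_stages"].append((proc, m.group(1) if m else cmd))
            f["by_process"][proc].add("wextract-sfx")
    return f


if __name__ == "__main__":
    findings = classify(parse_rows(IOC_ROWS))
    print("Defender protections disabled by policy:", sorted(findings["defender_disabled"]))
    print("TamperProtection set to 0:", findings["tamper_protection_off"])
    for proc, tmpdir in findings["wextract_stages"]:
        print(f"wextract stage {proc} unpacked into {tmpdir}")
```

The unescaped cleanup command (rundll32.exe advpack.dll,DelNodeRunDLL32 "...\IXP000.TMP\") is the standard wextract self-clean; it runs at next logon, so the IXP000.TMP and IXP001.TMP directories and the dropped executables inside them are still on disk during the sandbox run and should be collected before a reboot on a real host.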
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3952 | 4780 | WerFault.exe | 87
3096 | 2016 | WerFault.exe | 91
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4780 | pro5294.exe
4780 | pro5294.exe
2016 | qu3116.exe
2016 | qu3116.exe
2552 | si487329.exe
2552 | si487329.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4780 | pro5294.exe
Token: SeDebugPrivilege | 2016 | qu3116.exe
Token: SeDebugPrivilege | 2552 | si487329.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4272 wrote to memory of 3568 | 4272 | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe | 86
PID 4272 wrote to memory of 3568 | 4272 | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe | 86
PID 4272 wrote to memory of 3568 | 4272 | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe | 86
PID 3568 wrote to memory of 4780 | 3568 | un408399.exe | 87
PID 3568 wrote to memory of 4780 | 3568 | un408399.exe | 87
PID 3568 wrote to memory of 4780 | 3568 | un408399.exe | 87
PID 3568 wrote to memory of 2016 | 3568 | un408399.exe | 91
PID 3568 wrote to memory of 2016 | 3568 | un408399.exe | 91
PID 3568 wrote to memory of 2016 | 3568 | un408399.exe | 91
PID 4272 wrote to memory of 2552 | 4272 | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe | 94
PID 4272 wrote to memory of 2552 | 4272 | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe | 94
PID 4272 wrote to memory of 2552 | 4272 | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe | 94
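Every WriteProcessMemory target in this table is a process the writer itself has just launched (each appears in "Executes dropped EXE"), and the three identical rows per pair are what the sandbox records for ordinary child-process setup; the value of the table is therefore lineage, not evidence of injection into an unrelated process. The following is an added example, not tria.ge code: it collapses the repeated rows into parent/child edges, names each PID from the "Executes dropped EXE" rows, and marks the stages that WerFault was invoked for using the "Program crash" rows. The column order is read off the table headers above and is an assumption about the report format.

```python
"""Rebuild process lineage from the WriteProcessMemory, Executes dropped EXE
and Program crash rows of the report. Added example; not tria.ge code."""
import re
from collections import defaultdict

# Rows copied from the report. Format (assumed from the table header):
# "PID <writer> wrote to memory of <target> <writer> <Process> <procid_target>"
WRITE_ROWS = """
PID 4272 wrote to memory of 3568 4272 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe 86
PID 4272 wrote to memory of 3568 4272 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe 86
PID 4272 wrote to memory of 3568 4272 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe 86
PID 3568 wrote to memory of 4780 3568 un408399.exe 87
PID 3568 wrote to memory of 4780 3568 un408399.exe 87
PID 3568 wrote to memory of 4780 3568 un408399.exe 87
PID 3568 wrote to memory of 2016 3568 un408399.exe 91
PID 3568 wrote to memory of 2016 3568 un408399.exe 91
PID 3568 wrote to memory of 2016 3568 un408399.exe 91
PID 4272 wrote to memory of 2552 4272 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe 94
PID 4272 wrote to memory of 2552 4272 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe 94
PID 4272 wrote to memory of 2552 4272 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe 94
"""
# "Executes dropped EXE" rows: pid Process
DROPPED_ROWS = """
3568 un408399.exe
4780 pro5294.exe
2016 qu3116.exe
2552 si487329.exe
"""
# "Program crash" rows: pid pid_target Process procid_target
CRASH_ROWS = """
3952 4780 WerFault.exe 87
3096 2016 WerFault.exe 91
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_writes(text):
    """Ordered, de-duplicated (writer, target) edges plus writer image names.
    The sandbox logs each write separately; repeated rows for one pair
    collapse to a single edge."""
    edges, names = [], {}
    for m in WRITE_RE.finditer(text):
        writer, target, _, image, _ = m.groups()
        edge = (int(writer), int(target))
        if edge not in edges:
            edges.append(edge)
        names.setdefault(edge[0], image)
    return edges, names


def parse_pairs(text):
    """pid -> remaining columns, for the two simpler tables."""
    out = {}
    for line in text.strip().splitlines():
        fields = line.split()
        out[int(fields[0])] = fields[1:]
    return out


def build_tree(edges):
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    targets = {c for _, c in edges}
    roots = []
    for p, _ in edges:
        if p not in targets and p not in roots:
            roots.append(p)
    return children, roots


def render(edges, names, crashes):
    """Indented lineage lines; a stage that WerFault was started for is tagged."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        wer = [w for w, cols in crashes.items() if int(cols[0]) == pid]
        tag = f" [crashed, WerFault pid {wer[0]}]" if wer else ""
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


def lineage():
    edges, names = parse_writes(WRITE_ROWS)
    for pid, (image,) in parse_pairs(DROPPED_ROWS).items():
        names.setdefault(pid, image)
    return render(edges, names, parse_pairs(CRASH_ROWS))


if __name__ == "__main__":
    print("\n".join(lineage()))
```

The rendered tree should agree with the Processes section below it: the outer sample spawns un408399.exe and si487329.exe from IXP000.TMP, un408399.exe in turn spawns pro5294.exe and qu3116.exe from IXP001.TMP, and both of those second-stage binaries crash under WerFault. A disagreement between this reconstruction and the process tree is itself worth a look, since it would mean a write to a process the writer did not start.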
Processes
-
C:\Users\Admin\AppData\Local\Temp\31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4272
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un408399.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un408399.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3568
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5294.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5294.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4780
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1080
        - Program crash
        PID: 3952
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3116.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3116.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2016
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1864
        - Program crash
        PID: 3096
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487329.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487329.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2552
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4780 -ip 4780
  PID: 3740
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2016 -ip 2016
  PID: 2672
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
175KB
MD5
8ea8fbd3361ac12fc0a1325198de2c4c
SHA1
793bd1ed426027f2806ad9c83425c1be5200fc8e
SHA256
9f9e624b1252940cc16fb96d70ac8cfb7a56d47494c073a995548912385015aa
SHA512
786cf752b22d922bea3e0765256ebfe20ec9106b3321a9e30e3d1ab9ff6fa8ef2966ccdbe4bc397c011064639cbecfd6c2d658762f217a8e18b6e00c1e40156b
-
Filesize
517KB
MD5
e34f28dce574df4497846150840b5f87
SHA1
7ea23dce83591ed2f5393db7aeb4c0f1ba18e22f
SHA256
11437fec59964b7d35f06393d1345c5a860a34904b00bb4f1a55fa8cef21af5d
SHA512
43fd9542b85a18892fb9b4cd7d69b8d1d0fad8609d7a84e10598d2330a4c6b19446c269576fa114d40c82eecdb2c4e15b503a57ddaa5f721af380feabab9afa0
-
Filesize
237KB
MD5
b31bc9102c58ed1ea6772e3256172f31
SHA1
790dd26472b3ab6d64ca9d879fc9cb680e06602e
SHA256
a7b333242bbe35f81b756fafd286a422601fd50efd7ef7bb3bb697ae81ff75ec
SHA512
259401e5b28ddefd08fa207b3a1512033573aecd117539ec332fe86f21b03ab8b2bb44e699af17d09b6f0f2414686f68a6bfbe539b315b6f3b669179bb4532fb
-
Filesize
295KB
MD5
f10c7fa9223ed8e0e2b503c1418e54aa
SHA1
9ed4d29665b67fbae28c716acd244c9ed08ad013
SHA256
486498f8adbc7e9baef7b8735ea9f3ef1340ea214ad493ea79255996b91207aa
SHA512
e2f00eaefad22904df361de942edcc99fc2454db39afd3074ee2398f398b2deca2bba865c6237eefc3f412b80138b8ce6ea0a5fe6a123e443197e87f157d616d