Analysis
- max time kernel: 96s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/04/2023, 03:49
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe
  - Resource: win10v2004-20230220-en
General
- Target: 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe
- Size: 666KB
- MD5: 91ca781d845088b272c48365aa33e477
- SHA1: 829569eaf6b7d5039511b09713639c8c77346de5
- SHA256: 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2
- SHA512: 9bba31a38cbaf22c52bfb19b61c652b3929b8ac486491698f247a792a6ff228a8bb9a23e6fc587c84b97b8508f5fb850e4c6c4f0ce00ba4d7b8c2197bee7df82
- SSDEEP: 12288:sMrky902cBLtWTpQbuWiy3as/74WjO0XiXOrUYSQ/wo83onUp:QyhA6pQ6WiIj4qOlXOrM+wokp
Malware Config
Extracted (redline)
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted (redline)
- Botnet: spora
- C2: 176.113.115.145:4125
- auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings
Each entry is: description, ioc (process).
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro7630.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro7630.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro7630.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro7630.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro7630.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro7630.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (19 IoCs)
Each entry is: resource, yara_rule.
- behavioral1/memory/4336-189-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-190-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-192-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-194-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-196-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-198-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-200-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-202-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-204-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-206-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-208-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-210-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-212-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-214-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-216-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-218-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-221-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
- behavioral1/memory/4336-226-0x0000000004F00000-0x0000000004F10000-memory.dmp: family_redline
- behavioral1/memory/4336-225-0x0000000004DB0000-0x0000000004DEF000-memory.dmp: family_redline
Executes dropped EXE (4 IoCs)
Each entry is: pid, Process.
- 4556 un295645.exe
- 4848 pro7630.exe
- 4336 qu7775.exe
- 2996 si537955.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Each entry is: description, ioc (process).
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro7630.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro7630.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
Each entry is: description, ioc (process).
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un295645.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un295645.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (2 IoCs)
Each entry is: pid, pid_target, Process, procid_target.
- 4776, target 4848, WerFault.exe, procid_target 84
- 1664, target 4336, WerFault.exe, procid_target 90
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Each entry is: pid, Process.
- 4848 pro7630.exe
- 4848 pro7630.exe
- 4336 qu7775.exe
- 4336 qu7775.exe
- 2996 si537955.exe
- 2996 si537955.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Each entry is: description, pid, Process.
- Token: SeDebugPrivilege, 4848 pro7630.exe
- Token: SeDebugPrivilege, 4336 qu7775.exe
- Token: SeDebugPrivilege, 2996 si537955.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Each entry is: description, pid, Process, procid_target.
- PID 4344 wrote to memory of 4556, 4344, 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe, 83
- PID 4344 wrote to memory of 4556, 4344, 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe, 83
- PID 4344 wrote to memory of 4556, 4344, 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe, 83
- PID 4556 wrote to memory of 4848, 4556, un295645.exe, 84
- PID 4556 wrote to memory of 4848, 4556, un295645.exe, 84
- PID 4556 wrote to memory of 4848, 4556, un295645.exe, 84
- PID 4556 wrote to memory of 4336, 4556, un295645.exe, 90
- PID 4556 wrote to memory of 4336, 4556, un295645.exe, 90
- PID 4556 wrote to memory of 4336, 4556, un295645.exe, 90
- PID 4344 wrote to memory of 2996, 4344, 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe, 94
- PID 4344 wrote to memory of 2996, 4344, 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe, 94
- PID 4344 wrote to memory of 2996, 4344, 55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe, 94
Processes
Process tree (indentation shows parent/child depth; the leading number is the depth reported by the sandbox).

1. C:\Users\Admin\AppData\Local\Temp\55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe (PID 4344)
   Command line: "C:\Users\Admin\AppData\Local\Temp\55b8e474ced2de258d6b241477d0e82b1d85704ddb410076de7a0564996298f2.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295645.exe (PID 4556)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295645.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7630.exe (PID 4848)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7630.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 4776)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1084
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7775.exe (PID 4336)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7775.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 1664)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1096
            - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si537955.exe (PID 2996)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si537955.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe (PID 4744)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4848 -ip 4848
1. C:\Windows\SysWOW64\WerFault.exe (PID 3308)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4336 -ip 4336
MITRE ATT&CK Enterprise v6
Downloads