Analysis
max time kernel: 100s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2023, 16:40
Static task: static1
Behavioral task: behavioral1
Sample: 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe
Resource: win10v2004-20230220-en
General
Target: 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe
Size: 660KB
MD5: 50215917ada7cf6189594770feddb403
SHA1: 9921b892113895ce505dc3bb5849acb79f7325ee
SHA256: 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc
SHA512: 5dfdb284f12e43e9ba54cad9d3f4cf5c19c5fa75fbc158898c793278bb4c5d2b9e861195e11141009a7d2cff464f096e6002b76183861f788e0777d6beb0ace4
SSDEEP: 12288:+Mryy90S+Lwi32FjshDqv6U31wi0yswrLiCiGaWPSETQHv:gyp+Lf2FjshISizsw6CiG55+
Malware Config

Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
redline
spora
176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6251.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6251.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6251.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6251.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6251.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6251.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/744-190-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-192-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-189-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-194-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-196-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-198-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-200-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-202-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-209-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-205-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-212-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-214-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-216-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-218-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-220-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-222-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-224-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-226-0x0000000002540000-0x000000000257F000-memory.dmp | family_redline
behavioral1/memory/744-1109-0x0000000004D30000-0x0000000004D40000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1284 | un621258.exe
3752 | pro6251.exe
744 | qu0788.exe
2340 | si448774.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro6251.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6251.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un621258.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un621258.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
2132 | 3752 | WerFault.exe | 86
1248 | 744 | WerFault.exe | 95
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3752 | pro6251.exe
3752 | pro6251.exe
744 | qu0788.exe
744 | qu0788.exe
2340 | si448774.exe
2340 | si448774.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3752 | pro6251.exe
Token: SeDebugPrivilege | 744 | qu0788.exe
Token: SeDebugPrivilege | 2340 | si448774.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2596 wrote to memory of 1284 | 2596 | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe | 85
PID 2596 wrote to memory of 1284 | 2596 | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe | 85
PID 2596 wrote to memory of 1284 | 2596 | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe | 85
PID 1284 wrote to memory of 3752 | 1284 | un621258.exe | 86
PID 1284 wrote to memory of 3752 | 1284 | un621258.exe | 86
PID 1284 wrote to memory of 3752 | 1284 | un621258.exe | 86
PID 1284 wrote to memory of 744 | 1284 | un621258.exe | 95
PID 1284 wrote to memory of 744 | 1284 | un621258.exe | 95
PID 1284 wrote to memory of 744 | 1284 | un621258.exe | 95
PID 2596 wrote to memory of 2340 | 2596 | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe | 100
PID 2596 wrote to memory of 2340 | 2596 | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe | 100
PID 2596 wrote to memory of 2340 | 2596 | 4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe | 100
Processes

1. C:\Users\Admin\AppData\Local\Temp\4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4bbcc65e69b88c64231eb1f54301d1f78d4a26ce9154631515d628a5610961fc.exe"
   PID: 2596
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621258.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621258.exe
      PID: 1284
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6251.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6251.exe
         PID: 3752
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1080
            PID: 2132
            - Program crash

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0788.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0788.exe
         PID: 744
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1368
            PID: 1248
            - Program crash

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si448774.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si448774.exe
      PID: 2340
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3752 -ip 3752
   PID: 948

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 744 -ip 744
   PID: 516
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1: d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA256: 1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512: 679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Filesize: 518KB
MD5: e91b03ca94141af0a5b5daaa20480687
SHA1: 67979b315ece26ba4b06e9313a188da3dce01919
SHA256: 05b04be8b8d40b080df3d57b2b576455aacd04d1fbad9ad8ef5f0082f701f51b
SHA512: e039b99f9939a54ca333d3cf72f918bc07990e2e22366225f7ec6f8fde589a84fccceda56c291046c81b414bcf4056a007eff0c6660c6a4d6e2851726266549f

Filesize: 236KB
MD5: 13696a09359bd25a476cafaafd37e289
SHA1: a8a62d8501722665b888526238ad811498a07f1d
SHA256: 6c5e252d95d871070c4a359d69880b5a5a555238d8e9b56b5be931e4b199d59c
SHA512: 7ffcdf5e8aad4c6d857ba73c5ec50d785098da14401c5f7a681f1f601b2dae112113d3b248780e3e8c34343cdb33a01187c70616c5cf7af2404a58a3e021b8a1

Filesize: 295KB
MD5: dc3c0b135a60c113fe29757b2a9bcd9c
SHA1: 2fc0b2473b8c355b1a22e39b6592723ba6123109
SHA256: 2b135a8d1429c3be8afedc59fedff28c72e6a6fb944e20fc6dd92a2678c3e2e8
SHA512: 2b206ae3118d9a5a5d4e01cf5563c98a3636e5f8fda7b5130345cce203cbe3592c84b95bdab5f20d2bb3c9bfdf018f3e137ca673311210149f6da05f314d4337