Analysis
max time kernel: 136s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 18/05/2023, 02:03
Static task: static1
Behavioral task: behavioral1
Sample: 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe
Resource: win10v2004-20230220-en
General
Target: 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe
Size: 1.0MB
MD5: 7e3c5dd8469fae45642704ac8eb6f0a4
SHA1: eb56c1978ebe0f8db5d0e707305c6890daa76a55
SHA256: 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c
SHA512: 11614d1ef414c0a4b57f08ad7790c85640f231055f99d4f6e4410e664468cc9dd4c2a17da4ec958cb3225312e9f72075dd9684c0edc2915cd1f85bcc1e582b6e
SSDEEP: 12288:pMruy90s9EhlTW+GTd5WnEInm7fT3mkcQFNEh9WLp2X/GdpjfGuECLo8ubkmW0yN:ryxW0d2m7rmkBpoPGdpLBo868ua/vd
Malware Config
Extracted
Family: redline
Botnet: luna
C2: 77.91.68.253:4138
auth_value: 16dec8addb01db1c11c59667022ef7a2
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o7753466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o7753466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o7753466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o7753466.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | o7753466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o7753466.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/1476-N-0x0000000004990000-0x00000000049CC000-memory.dmp for N in 210, 211, 213, 215, 217, 219, 221, 223, 225, 227, 229, 231, 233, 235, 237, 239, 241, 243, 245 (19 dumps of the same region in PID 1476) | family_redline
behavioral1/memory/1476-1122-0x0000000004A30000-0x0000000004A40000-memory.dmp | family_redline
Executes dropped EXE 8 IoCs
pid | Process
1696 | z8289880.exe
2660 | z8625650.exe
5068 | o7753466.exe
1792 | p0097015.exe
1476 | r5797614.exe
944 | s3508505.exe
908 | s3508505.exe
632 | s3508505.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | o7753466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | o7753466.exe
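The two Defender signatures above (the Real-Time Protection policy values and the Features\TamperProtection value) are the rows a detection engineer would want to match on registry telemetry. The following is an added example, not code from the tria.ge report: it takes registry set-value events in the shape of those rows, folds the WOW6432Node view the 32-bit o7753466.exe writes through back onto the normal policy path, and returns only the writes whose data actually switches a protection off. The event rows are constructed from the report's IoCs plus two control rows (the RunOnce write from the same report, and a constructed gpupdate.exe write that re-enables monitoring) that must not fire.

```python
"""Flag registry writes that switch Microsoft Defender protections off.

Added example, not code from the tria.ge report. The event shape (key, value
name, data, writing process) mirrors the signature rows; the events below are
constructed from those rows plus two benign control rows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RegistrySetEvent:
    key: str       # key path as the sandbox reports it (\REGISTRY\MACHINE\... or HKLM\...)
    value: str     # value name
    data: str      # data written, as a string
    process: str   # image name of the writing process


# Values that disable a Defender protection when set to the listed data.
# Keys are stored without hive prefix or WOW6432Node so both registry views match.
DEFENDER_KILL_SWITCHES: Dict[str, Dict[str, str]] = {
    r"SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION": {
        "DISABLEREALTIMEMONITORING": "1",
        "DISABLEBEHAVIORMONITORING": "1",
        "DISABLEONACCESSPROTECTION": "1",
        "DISABLEIOAVPROTECTION": "1",
        "DISABLESCANONREALTIMEENABLE": "1",
    },
    r"SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES": {
        "TAMPERPROTECTION": "0",
    },
}

_HIVE_PREFIX = re.compile(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE|HKLM)\\", re.IGNORECASE)
_WOW64_NODE = re.compile(r"\\WOW6432NODE(?=\\|$)", re.IGNORECASE)


def normalize_key(key: str) -> str:
    """Drop the hive prefix and the WOW6432Node redirection, upper-case the rest.

    A 32-bit process on 64-bit Windows opens HKLM\SOFTWARE\Policies\... but the
    write lands under SOFTWARE\WOW6432Node\Policies\..., which is what the report
    rows show; both spellings must resolve to the same policy entry.
    """
    key = _HIVE_PREFIX.sub("", key)
    key = _WOW64_NODE.sub("", key)
    return key.strip("\\").upper()


def defender_tamper_findings(events: List[RegistrySetEvent]) -> List[Tuple[str, str, str]]:
    """Return (process, value name, data) for every write that disables a protection."""
    findings = []
    for ev in events:
        switches = DEFENDER_KILL_SWITCHES.get(normalize_key(ev.key))
        if not switches:
            continue
        disabling_data = switches.get(ev.value.upper())
        if disabling_data is not None and ev.data.strip('"') == disabling_data:
            findings.append((ev.process, ev.value, ev.data))
    return findings


_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
_SAMPLE = "1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe"

# Constructed from the report's rows, plus two control rows that must not fire.
REPORT_EVENTS = [
    RegistrySetEvent(_RTP, "DisableIOAVProtection", "1", "o7753466.exe"),
    RegistrySetEvent(_RTP, "DisableOnAccessProtection", "1", "o7753466.exe"),
    RegistrySetEvent(_RTP, "DisableRealtimeMonitoring", "1", "o7753466.exe"),
    RegistrySetEvent(_RTP, "DisableScanOnRealtimeEnable", "1", "o7753466.exe"),
    RegistrySetEvent(_RTP, "DisableBehaviorMonitoring", "1", "o7753466.exe"),
    RegistrySetEvent(_FEATURES, "TamperProtection", "0", "o7753466.exe"),
    # control: the wextract cleanup RunOnce value from the same report is not a Defender write
    RegistrySetEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
                     "wextract_cleanup0",
                     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
                     _SAMPLE),
    # control (constructed): re-enabling real-time monitoring through the 64-bit view is not a finding
    RegistrySetEvent(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
                     "DisableRealtimeMonitoring", "0", "gpupdate.exe"),
]

if __name__ == "__main__":
    for process, value, data in defender_tamper_findings(REPORT_EVENTS):
        print(f"{process}: {value} = {data}")
```

The report records the attempted writes, not their effect: on a host where Tamper Protection is enabled Defender rejects changes to these settings, so a matching event is evidence of intent and of the sample's identity, not proof that real-time protection was actually switched off.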
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
All six IoCs are wextract_cleanup values: each nested self-extracting layer registers a RunOnce command that calls advpack.dll's DelNodeRunDLL32 to delete its IXP00x.TMP extraction directory at the next logon. That is the standard cleanup left behind by a wextract (IExpress) package, not persistence for the payload; no Run or RunOnce entry for the stealer itself appears in this report.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z8289880.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z8289880.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z8625650.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z8625650.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 944 set thread context of 632 | 944 | s3508505.exe | 94
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2228 | 632 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5068 | o7753466.exe
5068 | o7753466.exe
1792 | p0097015.exe
1792 | p0097015.exe
1476 | r5797614.exe
1476 | r5797614.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5068 | o7753466.exe
Token: SeDebugPrivilege | 1792 | p0097015.exe
Token: SeDebugPrivilege | 1476 | r5797614.exe
Token: SeDebugPrivilege | 944 | s3508505.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
632 | s3508505.exe
Suspicious use of WriteProcessMemory 32 IoCs
The report lists one row per call; identical rows are merged here with a call count (the counts sum to 32). procid_target is the sandbox's internal process identifier, not a Windows PID.
description | pid | Process | procid_target | calls
PID 4784 wrote to memory of 1696 | 4784 | 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe | 86 | 3
PID 1696 wrote to memory of 2660 | 1696 | z8289880.exe | 87 | 3
PID 2660 wrote to memory of 5068 | 2660 | z8625650.exe | 88 | 3
PID 2660 wrote to memory of 1792 | 2660 | z8625650.exe | 89 | 3
PID 1696 wrote to memory of 1476 | 1696 | z8289880.exe | 90 | 3
PID 4784 wrote to memory of 944 | 4784 | 1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe | 92 | 3
PID 944 wrote to memory of 908 | 944 | s3508505.exe | 93 | 4
PID 944 wrote to memory of 632 | 944 | s3508505.exe | 94 | 10
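Read together, the SetThreadContext, UnmapMainImage and WriteProcessMemory signatures describe process hollowing: s3508505.exe (PID 944) starts two copies of its own image, writes into both, but only redirects the main thread of PID 632, which then unmaps its original image. The following is an added example, not code from the tria.ge report, that correlates events of those four kinds into a finding; the event list is constructed from the report's tables, and the event names and the ProcessEvent shape are this example's own conventions rather than anything the sandbox exports.

```python
"""Correlate sandbox process events into a process-hollowing finding.

Added example, not code from the tria.ge report. It reconstructs the chain the
signatures record for s3508505.exe: the parent spawns a child from its own
image, writes into it (WriteProcessMemory), redirects its main thread
(SetThreadContext), and the child unmaps its original image (UnmapMainImage).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    kind: str                     # "create", "write_memory", "set_thread_context", "unmap_main_image"
    pid: int                      # acting process
    target: Optional[int] = None  # created child, or the process written to / re-contexted
    image: str = ""               # image path of the created child (create events only)


def hollowing_candidates(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Return one finding per child that was created, written to and thread-redirected
    by a parent running the same image. UnmapMainImage is reported as corroboration,
    not required, because a hollowed image can also be overwritten in place."""
    image_of: Dict[int, str] = {}
    parent_of: Dict[int, int] = {}
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    context_set: Set[Tuple[int, int]] = set()
    unmapped: Set[int] = set()
    for ev in events:
        if ev.kind == "create":
            image_of[ev.target] = ev.image
            parent_of[ev.target] = ev.pid
        elif ev.kind == "write_memory":
            writes[(ev.pid, ev.target)] += 1
        elif ev.kind == "set_thread_context":
            context_set.add((ev.pid, ev.target))
        elif ev.kind == "unmap_main_image":
            unmapped.add(ev.pid)

    findings = []
    for child, parent in parent_of.items():
        # the root process (4784) has no create event, so .get() keeps it from matching
        same_image = image_of.get(parent) == image_of.get(child)
        if same_image and (parent, child) in context_set and writes[(parent, child)]:
            findings.append({
                "parent": parent,
                "child": child,
                "image": image_of[child],
                "writes": writes[(parent, child)],
                "main_image_unmapped": child in unmapped,
            })
    return findings


_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_CREATES = [  # (parent pid, child pid, child image), taken from the process tree
    (4784, 1696, _TMP + r"\IXP000.TMP\z8289880.exe"),
    (1696, 2660, _TMP + r"\IXP001.TMP\z8625650.exe"),
    (2660, 5068, _TMP + r"\IXP002.TMP\o7753466.exe"),
    (2660, 1792, _TMP + r"\IXP002.TMP\p0097015.exe"),
    (1696, 1476, _TMP + r"\IXP001.TMP\r5797614.exe"),
    (4784, 944, _TMP + r"\IXP000.TMP\s3508505.exe"),
    (944, 908, _TMP + r"\IXP000.TMP\s3508505.exe"),
    (944, 632, _TMP + r"\IXP000.TMP\s3508505.exe"),
]
_WRITES = [  # (writer, target, number of WriteProcessMemory calls), from the signature table
    (4784, 1696, 3), (1696, 2660, 3), (2660, 5068, 3), (2660, 1792, 3),
    (1696, 1476, 3), (4784, 944, 3), (944, 908, 4), (944, 632, 10),
]

# Constructed event stream in the report's order of evidence.
REPORT_EVENTS: List[ProcessEvent] = (
    [ProcessEvent("create", p, c, img) for p, c, img in _CREATES]
    + [ProcessEvent("write_memory", w, t) for w, t, n in _WRITES for _ in range(n)]
    + [ProcessEvent("set_thread_context", 944, 632), ProcessEvent("unmap_main_image", 632)]
)

if __name__ == "__main__":
    for finding in hollowing_candidates(REPORT_EVENTS):
        print(finding)
```

PID 908 is written to but never thread-redirected, so it is not reported; the WerFault.exe crash of PID 632 recorded above is consistent with a hollowed child whose injected image failed. On endpoint telemetry the same correlation works with Sysmon event 1 for the parent/child/image triple and event 10 (ProcessAccess) for the cross-process handle opens, but Sysmon has no SetThreadContext event, so that condition has to come from an EDR that records it or be relaxed.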
Processes
C:\Users\Admin\AppData\Local\Temp\1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe (PID 4784)
  command line: "C:\Users\Admin\AppData\Local\Temp\1bdfb86c567fb1e945a6e892e10adf1637c8bc0e92cd45367a11de24e3070d0c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289880.exe (PID 1696)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289880.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8625650.exe (PID 2660)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8625650.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7753466.exe (PID 5068)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7753466.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0097015.exe (PID 1792)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0097015.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5797614.exe (PID 1476)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5797614.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3508505.exe (PID 944)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3508505.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3508505.exe (PID 908)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3508505.exe
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3508505.exe (PID 632)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3508505.exe
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      C:\Windows\SysWOW64\WerFault.exe (PID 2228)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 12
        - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 2496)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 632 -ip 632
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 962KB
MD5: 42d775ab396ef990629170e7749168e6
SHA1: 9c2634622a69730e1bdcf986825f03dca9231b9f
SHA256: 2892e80b57ee7feac2b7b8d602f2c040cc28f72388a802d7e7be08f70872bae8
SHA512: ca7888533ca648d16169870afddb5d9cfd264459064fd888d02961cb491f537c604d363f922a8c861552d1708d172cabf55f186dacc45651554e8f346006153b

Filesize: 585KB
MD5: c1a18d21d5221e75bf1dec8e11a47979
SHA1: e469a558f359d80af923fad18bc59733b80b4fe7
SHA256: 4bf1d3f7b175cef489fb5392a05488f30686ea97e4d8f92a441965f77c3dde51
SHA512: 9c3123d6808b9e1dbeb21462c2bf2f36b7e225b55ff2da76c3e451f3bf9b2a191d17c07bab59050b2e1f5ec44129eb3f68733ee887c753b28f3bedf430a83214

Filesize: 284KB
MD5: eb1e767f5b888a021c6ef53fb937c319
SHA1: e6c8e4ca5fa3b3eea6f134050df65da151884a20
SHA256: 40bc68d5b54c3ff4c5170ebdf7f0ce54b42b7a11fe1649be0e01a389d440164e
SHA512: d32e0e409e445f985df77385e5e26547b2a1f427a66fd65d41499bfe3264570eacecaddbd5a2c0f905533abeea728008eafbdfae01e9d3e4bced28a3b5f01984

Filesize: 305KB
MD5: d2bf50a7c5f54b4f1bb88d215d06aaa5
SHA1: 586f77a3332f74f07a3f6d2cb16af0b818c0097c
SHA256: 7edc350f15870a73d1726503132cdfa4fd4daab2f41704ff0e2394ba0ebab7ff
SHA512: 52627e8e0b73aa21d76fe61c364b33e69817c4640fe3242111122dca3cc32ea9bd4dc1e32926bd99aa5b8d6d87764a5d3dc7a1fc7bed57159dbf0ebc9d03af65

Filesize: 184KB
MD5: f624d1cff774d3852b8424f3bc87bcf8
SHA1: 94bf8654b869c2dd2c7cd645f81ace1209d1a7e5
SHA256: 0680f3af2daf22fc83c265759ae453f501fd3b56af9d83225ed53c0d67b63a6e
SHA512: 7cf7641872502ba5152790c8ed7524dd030d997296cef9758488870a38bb5cf214afbc4551038073f42470b1002aaec35ea02ddd51144c84a328daadbbfd2cb1

Filesize: 145KB
MD5: 6999eeb76dd31fdd9fd0f631eb315f0a
SHA1: 4660a3bd6a62fc70eb8e6fbe2cebe43ae2213347
SHA256: b292b25e8116dedf8e94a635524731fcab7c141f378795382d5dffecfc8400a8
SHA512: d43f0029bdd59d4c8b2259f515b2e3fdac673ac470b292e670385f095dc6105dbe15c146297dd4c0265c12d2f8b06d26fd6024a3fee04d78e7bfb112e8816fac