Analysis
max time kernel: 61s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2023, 11:57
Static task
static1
Behavioral task
behavioral1
Sample
ab2a976e6dbb7ac7a870b643a6cd30f4ce38e4bf175a4be25f3da2acbc632388.exe
Resource
win10v2004-20230220-en
General
Target: ab2a976e6dbb7ac7a870b643a6cd30f4ce38e4bf175a4be25f3da2acbc632388.exe
Size: 1.0MB
MD5: 43ecad9168b97028b03c445e2bd3013c
SHA1: 8d974f38c618ef67b6f2120d514de53307cd3856
SHA256: ab2a976e6dbb7ac7a870b643a6cd30f4ce38e4bf175a4be25f3da2acbc632388
SHA512: 6890a8e4d7090e2ed6de3269e51bf27d9a367f71e79e899ec8f7f27db0fbded5461fd4e1f80aacee99c0acf32f7638a8369e0a5e47ce9e97b0ff6bdf16f4cca4
SSDEEP: 24576:eyZbthJmJyW/M3YFWXw5XEDbFtTB/amUCKcOH:t5tbuyeM3mWg5XEDptlakO
Malware Config
Extracted
Family: redline
Botnet: duper
Address: 77.91.68.253:19065
auth_value: 57e17ebbdb18f4882b95fe05402ef1c8
Signatures
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (k4956795.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (k4956795.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (k4956795.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (k4956795.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (k4956795.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (k4956795.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
Executes dropped EXE 7 IoCs
PID 2940: y1363267.exe
PID 4504: y8409918.exe
PID 1884: k4956795.exe
PID 2708: l3486910.exe
PID 948: m0376972.exe
PID 1308: m0376972.exe
PID 3496: n5859375.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (k4956795.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (k4956795.exe)
Adds Run key to start application 2 TTPs 6 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (ab2a976e6dbb7ac7a870b643a6cd30f4ce38e4bf175a4be25f3da2acbc632388.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (y1363267.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (y1363267.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (y8409918.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (y8409918.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (ab2a976e6dbb7ac7a870b643a6cd30f4ce38e4bf175a4be25f3da2acbc632388.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
PID 948 (m0376972.exe) set thread context of PID 1308 (procid_target 96)
Program crash 1 IoCs
PID 4056 (WerFault.exe), pid_target 1308, procid_target 96
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID 1884: k4956795.exe (2 IoCs)
PID 2708: l3486910.exe (2 IoCs)
PID 3496: n5859375.exe (2 IoCs)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Token: SeDebugPrivilege, PID 1884 (k4956795.exe)
Token: SeDebugPrivilege, PID 2708 (l3486910.exe)
Token: SeDebugPrivilege, PID 948 (m0376972.exe)
Token: SeDebugPrivilege, PID 3496 (n5859375.exe)
Suspicious use of UnmapMainImage 1 IoCs
PID 1308: m0376972.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes
[1] "C:\Users\Admin\AppData\Local\Temp\ab2a976e6dbb7ac7a870b643a6cd30f4ce38e4bf175a4be25f3da2acbc632388.exe" (PID 2868)
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1363267.exe (PID 2940)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8409918.exe (PID 4504)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4956795.exe (PID 1884)
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3486910.exe (PID 2708)
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0376972.exe (PID 948)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0376972.exe (PID 1308)
          - Executes dropped EXE
          - Suspicious use of UnmapMainImage
        [5] C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 12 (PID 4056)
            - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5859375.exe (PID 3496)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1308 -ip 1308 (PID 4616)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 284KB
MD5: 42d51312218efa1724707c205a694656
SHA1: 6df1e68f9a8084b235ebdf6c44ee08f20ccaf3ce
SHA256: 42f165677c203510161cbfd6aaeb765f93dcbc62da4bb4f57a03401ff240bf79
SHA512: 8979279e92e4ce93e938a7e7212a9a62156a10148b34b4dc921d02c65f511e395a612902dd982c5c47f56d5e2275f95da71caf62225e09c436b5554110c7e5c8
Filesize: 749KB
MD5: 4327e27ff749627a7a77fa8996eccf04
SHA1: 6651dfe0f689d9a7aa345bdf33a1ef83ab03a33b
SHA256: 997c92d031ad6c9c3471400fb633156b9dcc85fc06c6b313f6414ae778d13319
SHA512: 780794b3981bb0e47c2c846788d4180171fe8593700a5d22f07686e7a77ec6142942d4773edc51f2a67a6aeece11b52442bad9a850e2d4475fc9fbcb5697650c
Filesize: 963KB
MD5: 6558a0af4ec83d583e47352a1abd6d82
SHA1: 38389ee51287380b6cf69c934b5d00104d597ea0
SHA256: 9b1dc9c732314dbc992b24518cced88dd68498bc85a66340ce46ceea34bc7df1
SHA512: 9556664694317d3a813f117ccdc812582b3b9e3c97056824945a1d918d327694464a7c54c634e762b4f57871892d051ad01bc22681f59446c11e2ae07fad4ea0
Filesize: 305KB
MD5: 4bf1a1a76317aa843faa7efbe7cad460
SHA1: c2ade6f88ad59774c4ef7729a74b3580b513597b
SHA256: 5bbab81c14b4e29b575415ae3fa9841a3d34f032cd83c3b912dcf2c36efeee55
SHA512: 5bcd0830b1524fd38ac05a33ff44dd270aa5350683410bf8186595de53d33c0c85b781d4dfbbf84bffa811277e0f0969657beda97179e65942617767b5cf324f
Filesize: 184KB
MD5: 8d2aa71f829681b93608a06a621ed218
SHA1: 052007fc6ed3afed207fca670978febfc556947e
SHA256: 53dbe23aa1f86e9174c2523de7200fc9746d146792db818e201430ff575367fb
SHA512: 35dea5300d0ebc7c59fa83d7b5cc91c54d426867a7319d96d242940a5c1bd847285274a357881c10cb13139ee436141cc005822a983a815e6fc50838d9572f27
Filesize: 145KB
MD5: eed36f44fe2b2c5f573cd39611c156aa
SHA1: c558fed3c702d77aea75f59a63fc684536d0c9a3
SHA256: 52c9dee6bc1574f4f5b46e958b08eab6443e3568c02e446236fde0280d5e17d3
SHA512: c39499a448f072f9ae9b1e452b799602346853fe9f0a693142780020f9cc6eaaec98cfd7b67a2f6642c7dce9fe6c94d4fe32c79495664873275df5a67fb61a4d