Analysis
  max time kernel:  135s
  max time network: 153s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        20/05/2023, 03:01

Static task:     static1
Behavioral task: behavioral1
Sample:          453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe
Resource:        win10v2004-20230220-en
General
  Target: 453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe
  Size:   1.0MB
  MD5:    1325a01757795ced1ea9b4911c30fc3c
  SHA1:   6552547e908e0bcdc13cf73fdcd26b272b241dd7
  SHA256: 453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b
  SHA512: a5cf1828f16a392d8d330429bc730d8969901ad90d00cf06f9ca3ca11e6be5013aaf6df20912f9dd58b46f393978557ee40ae88110445a1647608259d5587e22
  SSDEEP: 24576:xy4MobkXmlInvWnC4XJmKt4Ci3LMeJ+FtNHI2TrCtwQJ:k4MoqmovuHG3AeIBBTI
Malware Config
Extracted
  Family:     redline
  Botnet:     deren
  C2:         77.91.68.253:19065
  auth_value: 04a169f1fb198bfbeca74d0e06ea2d54
Signatures

Modifies Windows Defender Real-time Protection settings
  description      ioc                                                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                               g6524203.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     g6524203.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"         g6524203.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     g6524203.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     g6524203.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   g6524203.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (19 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/1456-215-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-216-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-218-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-220-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-222-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-224-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-226-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-228-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-230-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-232-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-236-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-234-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-238-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-240-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-242-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-244-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-246-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-248-0x0000000004990000-0x00000000049CC000-memory.dmp   family_redline
  behavioral1/memory/1456-320-0x0000000004A70000-0x0000000004A80000-memory.dmp   family_redline
Executes dropped EXE (7 IoCs)
  pid   Process
  2168  x9411273.exe
  1464  x6234044.exe
  2220  f0119679.exe
  728   g6524203.exe
  2876  h8937852.exe
  3316  h8937852.exe
  1456  i6862285.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  description      ioc                                                                                        Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                 g6524203.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   g6524203.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
  description      ioc                                                                                                Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   x9411273.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                    x6234044.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   x6234044.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                    453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                    x9411273.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process       procid_target
  PID 2876 set thread context of 3316  2876  h8937852.exe  96

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2656  3316        WerFault.exe  96

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2220  f0119679.exe
  2220  f0119679.exe
  728   g6524203.exe
  728   g6524203.exe
  1456  i6862285.exe
  1456  i6862285.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2220  f0119679.exe
  Token: SeDebugPrivilege  728   g6524203.exe
  Token: SeDebugPrivilege  2876  h8937852.exe
  Token: SeDebugPrivilege  1456  i6862285.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  3316  h8937852.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical rows grouped with their count)
  description                        pid   Process                                                                 procid_target  count
  PID 4868 wrote to memory of 2168   4868  453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe   85             3
  PID 2168 wrote to memory of 1464   2168  x9411273.exe                                                            86             3
  PID 1464 wrote to memory of 2220   1464  x6234044.exe                                                            87             3
  PID 1464 wrote to memory of 728    1464  x6234044.exe                                                            94             3
  PID 2168 wrote to memory of 2876   2168  x9411273.exe                                                            95             3
  PID 2876 wrote to memory of 3316   2876  h8937852.exe                                                            96             10
  PID 4868 wrote to memory of 1456   4868  453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe   99             3
Processes (indentation shows the parent/child relationship)

  C:\Users\Admin\AppData\Local\Temp\453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\453bfed1bd93f009ed903b3163b3855f072756fafc209526f22ecd087b21e23b.exe"
    PID: 4868
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9411273.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9411273.exe
      PID: 2168
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6234044.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6234044.exe
        PID: 1464
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0119679.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0119679.exe
          PID: 2220
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6524203.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6524203.exe
          PID: 728
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8937852.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8937852.exe
        PID: 2876
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8937852.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8937852.exe
          PID: 3316
          - Executes dropped EXE
          - Suspicious use of UnmapMainImage

          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 12
            PID: 2656
            - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6862285.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6862285.exe
      PID: 1456
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3316 -ip 3316
    PID: 4692
Downloads (each file listed once; the report repeated identical entries)

  Filesize: 284KB
  MD5:      680cf46c6f0df6babba251ef495448ee
  SHA1:     eed0de68293c7607658d2aa048103624492022cb
  SHA256:   6842eced19aa0c474521d9e16f6524dba9fc8c13514b8d1f80a10eda17afbc80
  SHA512:   90f6a81800774c8bd27a5890db91bcc00d45ee040531653d385697599689f7fdfb564e97454184a8522cb204a19e2287022129d3f5bb26aa9b6fa00e0276f328

  Filesize: 750KB
  MD5:      728645a59479af80b716475d31d1c780
  SHA1:     10a1b5a3da3bb71516892710807c46b117881707
  SHA256:   b558040f1a386666c65fd84849fb3cd6ac0015569cf0b8c3b1183837a8de1cb6
  SHA512:   3897afda75da89d17cb56a9d1ba0cc2b48f731e38fc98708226da7022080d1f2ee266458e11339b8ae352d9a1a11f8e34d7a4d7af152d2df872d26ed8f9669cd

  Filesize: 963KB
  MD5:      480b35415a84456dd46abba375d8d23d
  SHA1:     6f3e9b780b13441b8e112837cc3353ebdf71d548
  SHA256:   7c544d1ab874dda86ac6014f7c35b801b39c689c2e1abc80a36d31ac8c38fb0d
  SHA512:   4892fe5e67062efebd28e699b61a1335d030c699619e09c4feb93186482c49344839a9deb3836de0d1e43ff3e4e950091a7a892aaf253f01d08bd770743617bb

  Filesize: 306KB
  MD5:      3d726bdcfc849389e430394155dd32f0
  SHA1:     4f9568ffb2f412663420ecd855e7efde74fa8da4
  SHA256:   323ef3300155de5a335d1ab37881d7d25e7a697026a3f3cd8fc46fcd0fdeef2a
  SHA512:   e053779bc65b7da727c6a676aa8410a47de6b3c2d08d8430ed00dc2258cd5569f3717bd7729eccacada4ba7f2de0cc4f5ff98dcfaf5c9a98a07e20e6937715f5

  Filesize: 145KB
  MD5:      bc73379bfcc3fb069de2ded9f99f8ef8
  SHA1:     2d14b3926dcb060903468ad6a72d46878c5f096a
  SHA256:   594e2e0baddf0ed85f99a64672c85a76fc039be9030e56961c89e148d15c4df8
  SHA512:   8b0e02c484ee565ad3135963012fd9cc7f87e0de0636436a91a892e1629d6377c12dc5a3cda6483dbf615dd1465a70e45587e7f44c1815a2ebf30dffd6db4d46

  Filesize: 184KB
  MD5:      951b41b2029474742b093f4723f7313d
  SHA1:     c2fd6ec522cab71e9ab691c08ee950686fd0969f
  SHA256:   f75fc487d09f98567f6fe090e310f4d6933e6d70ab4ff9bef731a226b808edb3
  SHA512:   c942bee3b990a2c72c067990de6b863590c30f44241813ee876ef05d4b788eddaa0b99d072e893828a5522e8d7e37f0134795902bc07588903a006ddaff3dd8a