Analysis
max time kernel: 105s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2023, 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: 160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe
  Resource: win10v2004-20230220-en
The analysis details, signatures and process tree on this tria.ge page are from behavioral2 (the Windows 10 2004 x64 run): the platform above is windows10-2004_x64 and every memory-dump rule hit below is tagged behavioral2/.
General
Target: 160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe
Size: 1.0MB
MD5: 44efdb18c708aeafb17978c6eff62efa
SHA1: 7f151397945a8b9031d0d7a2e593b08e71847aa5
SHA256: 160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5
SHA512: 87193444e013f6c2f761199de8901bc657d5dbe91247614bf390eced33642d2ca56d62a000711a5f340cadaad4b87a7b7658345bb4f2745ae5fb59dbb5fbee07
SSDEEP: 24576:yy9wCUn1Xrrxcwua2YmjopWkWg6t6+Suh0:Z9wCUdrMNYmjoD6cih
Malware Config
Extracted
Family: redline
Botnet: diza
C2: 185.161.248.37:4138
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
Modifies Windows Defender Real-time Protection settings
Process: g4137930.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
These are the Group Policy-backed Real-Time Protection values; a value of 1 switches the named protection off. The tell is the writer: the values arrive from a dropped executable running with SeDebugPrivilege (see AdjustPrivilegeToken below), not from Group Policy processing. The sandbox records the write, not whether Defender honoured it.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
yara rule family_redline matched in memory dumps of PID 3900 (i7955426.exe, the final stage):
  region 0x0000000004990000-0x00000000049CC000: dump ids 220, 221, 223, 225, 227, 229, 233, 236, 238, 240, 242, 244, 246, 248, 250, 252, 254, 256
  region 0x0000000004A30000-0x0000000004A40000: dump ids 230, 1134
(rule source for each: behavioral2/memory/3900-<id>-<start>-<end>-memory.dmp)
Executes dropped EXE 9 IoCs
PID   Process
2148  x0952742.exe
2024  x4666682.exe
1896  f5749207.exe
4584  g4137930.exe
3224  h7064546.exe
4700  h7064546.exe
2508  h7064546.exe
616   h7064546.exe
3900  i7955426.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Process: g4137930.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Tamper Protection exists to stop exactly this class of change; where it is enforcing, Defender reverts direct registry edits to these values, so a value-set event alone does not prove the protection was actually lost.
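Both Defender signatures above reduce to the same detection: a non-policy process writing a DWORD that switches a protection off. The script below is an added example, not tria.ge code; it normalises registry paths as Sysmon Event ID 13 (Value Set) reports them, folds the WOW6432Node redirection so 32-bit and 64-bit writers compare equal, and flags only the values and data that mean "off". SAMPLE_EVENTS is constructed here from the g4137930.exe rows in this report plus two benign writes that must not fire; the field names follow Sysmon, and the writer images for the benign rows are assumptions.

```python
"""Flag Windows Defender tamper from registry value-set events.

Added example (not tria.ge code). Event shape follows Sysmon Event ID 13
(RegistryEvent - Value Set): TargetObject, Details, Image.
"""
import re

# Group Policy values that switch a Defender protection OFF when set to 1.
DISABLE_WHEN_ONE = {
    r"policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring",
    r"policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring",
    r"policies\microsoft\windows defender\real-time protection\disableioavprotection",
    r"policies\microsoft\windows defender\real-time protection\disableonaccessprotection",
    r"policies\microsoft\windows defender\real-time protection\disablescanonrealtimeenable",
}
# Feature flags that switch a protection OFF when set to 0.
DISABLE_WHEN_ZERO = {
    r"microsoft\windows defender\features\tamperprotection",
}
# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def normalize_key(target):
    """Lower-case, drop the hive prefix, fold WOW6432Node and the leading
    SOFTWARE\\ so the 32-bit view (as logged in this report) and the 64-bit
    view map to the same watchlist entry."""
    k = target.strip().lower()
    for prefix in ("\\registry\\machine\\", "hklm\\"):
        if k.startswith(prefix):
            k = k[len(prefix):]
            break
    k = k.replace("\\wow6432node\\", "\\")
    if k.startswith("software\\"):
        k = k[len("software\\"):]
    return k


def defender_tamper_events(events):
    """Return one finding per event that sets a watched value to its 'off' data."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev["TargetObject"])
        m = DWORD_RE.fullmatch(ev.get("Details", ""))
        if not m:
            continue  # string/binary data cannot be one of the flags tracked here
        data = int(m.group(1), 16)
        if (key in DISABLE_WHEN_ONE and data == 1) or (key in DISABLE_WHEN_ZERO and data == 0):
            findings.append({"image": ev["Image"], "value": key.rsplit("\\", 1)[-1], "data": data})
    return findings


# Constructed from this report's rows (writer path taken from the process tree).
G4 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4137930.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": G4, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": G4, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": G4,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Constructed benign row: the policy engine setting the 64-bit value back to 0 (enabled).
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Constructed benign row: an unrelated string value.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": "C:\\Users\\Admin\\OneDrive.exe"},
]

if __name__ == "__main__":
    for f in defender_tamper_events(SAMPLE_EVENTS):
        print(f"{f['image']} set {f['value']} = {f['data']}")
```

The data check matters as much as the path: DisableRealtimeMonitoring = 0 and TamperProtection = 0 look alike on the wire but mean opposite things, which is why the two watchlists carry their own "off" value.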
Adds Run key to start application 2 TTPs 6 IoCs
Process: 160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
Process: x0952742.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
Process: x4666682.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
Despite the signature name, these entries are not persistence for the stealer: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are the standard cleanup hook written by the WExtract/IExpress self-extractor, and they delete the IXPnnn.TMP extraction directory at the next logon. What they do reveal is the packaging: three nested IExpress-style cabinets (IXP000.TMP, then IXP001.TMP, then IXP002.TMP), one per dropper stage.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
PID 3224 (h7064546.exe) set thread context of PID 616 (h7064546.exe, procid_target 103)
Program crash 1 IoCs
PID 2728 (WerFault.exe) handled the crash of PID 616 (procid_target 103)
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID 1896 f5749207.exe (x2), PID 4584 g4137930.exe (x2), PID 3900 i7955426.exe (x2)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Token: SeDebugPrivilege  PID 1896 f5749207.exe
Token: SeDebugPrivilege  PID 4584 g4137930.exe
Token: SeDebugPrivilege  PID 3224 h7064546.exe
Token: SeDebugPrivilege  PID 3900 i7955426.exe
Suspicious use of UnmapMainImage 1 IoCs
PID 616 h7064546.exe
Suspicious use of WriteProcessMemory 36 IoCs
Source PID  Source process                                                             Target PID  procid_target  Writes
1244        160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe  2148        86             3
2148        x0952742.exe                                                               2024        88             3
2024        x4666682.exe                                                               1896        89             3
2024        x4666682.exe                                                               4584        93             3
2148        x0952742.exe                                                               3224        98             3
3224        h7064546.exe                                                               4700        99             4
3224        h7064546.exe                                                               2508        101            4
3224        h7064546.exe                                                               616         103            10
1244        160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe  3900        105            3
Every ordinary parent-to-child launch in this run shows three writes. The three children that 3224 spawns from its own image receive four, four and ten writes, and the last of them (616) is also the SetThreadContext target, the process whose main image is unmapped, and the one that crashes under WerFault. Read together, that is the spawn-suspended, unmap, write, set-context sequence of process hollowing, with two attempts (4700, 2508) that never reach the set-context step.
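The hollowing read-out above is a correlation across four tables (process tree, WriteProcessMemory, SetThreadContext, UnmapMainImage). The script below is an added example, not part of the tria.ge report: it rebuilds those tables as Python records (field names are this example's own; the PIDs, images and write counts are taken from this page) and separates children that match the full pattern from children that only show a same-image spawn plus memory writes.

```python
"""Correlate sandbox process and API events into a process-hollowing verdict.

Added example (not tria.ge code). SAMPLE_PROCS and SAMPLE_CALLS are
constructed from the tables in this report; the record layout is assumed.
"""
from collections import defaultdict

SAMPLE_ROOT = r"C:\Users\Admin\AppData\Local\Temp\160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe"
H7 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7064546.exe"

# Process tree: pid, parent pid, image path (ppid 0 = sandbox launcher).
SAMPLE_PROCS = [
    {"pid": 1244, "ppid": 0, "image": SAMPLE_ROOT},
    {"pid": 2148, "ppid": 1244, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0952742.exe"},
    {"pid": 3224, "ppid": 2148, "image": H7},
    {"pid": 4700, "ppid": 3224, "image": H7},
    {"pid": 2508, "ppid": 3224, "image": H7},
    {"pid": 616, "ppid": 3224, "image": H7},
    {"pid": 3900, "ppid": 1244, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i7955426.exe"},
]

# API events: caller pid and target pid (None when the call concerns the caller itself).
SAMPLE_CALLS = (
    [{"api": "WriteProcessMemory", "pid": 1244, "target": 2148}] * 3
    + [{"api": "WriteProcessMemory", "pid": 2148, "target": 3224}] * 3
    + [{"api": "WriteProcessMemory", "pid": 3224, "target": 4700}] * 4
    + [{"api": "WriteProcessMemory", "pid": 3224, "target": 2508}] * 4
    + [{"api": "WriteProcessMemory", "pid": 3224, "target": 616}] * 10
    + [{"api": "WriteProcessMemory", "pid": 1244, "target": 3900}] * 3
    + [{"api": "SetThreadContext", "pid": 3224, "target": 616},
       {"api": "UnmapMainImage", "pid": 616, "target": None}]
)


def classify_hollowing(procs, calls):
    """Return (confirmed, partial): children whose parent spawned them from the
    same image and wrote into them, split by whether the parent also redirected
    their thread context or their main image was unmapped."""
    by_pid = {p["pid"]: p for p in procs}
    flags = defaultdict(set)
    writes = defaultdict(int)

    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent and parent["image"].lower() == p["image"].lower():
            flags[p["pid"]].add("same_image_child")

    for c in calls:
        tgt = c.get("target")
        parent_to_child = tgt in by_pid and by_pid[tgt]["ppid"] == c["pid"]
        if c["api"] == "WriteProcessMemory" and parent_to_child:
            flags[tgt].add("parent_wrote_memory")
            writes[tgt] += 1
        elif c["api"] == "SetThreadContext" and parent_to_child:
            flags[tgt].add("parent_set_thread_context")
        elif c["api"] == "UnmapMainImage":
            # Recorded against the process whose main image was unmapped.
            flags[c["pid"]].add("unmapped_main_image")

    confirmed, partial = {}, {}
    for pid, f in flags.items():
        # A parent writing into a freshly created child is what every launch
        # looks like; it only becomes interesting for a same-image child.
        if not {"same_image_child", "parent_wrote_memory"} <= f:
            continue
        record = {"image": by_pid[pid]["image"], "indicators": sorted(f), "writes": writes[pid]}
        if "parent_set_thread_context" in f or "unmapped_main_image" in f:
            confirmed[pid] = record
        else:
            partial[pid] = record
    return confirmed, partial


if __name__ == "__main__":
    confirmed, partial = classify_hollowing(SAMPLE_PROCS, SAMPLE_CALLS)
    for pid, rec in confirmed.items():
        print(f"hollowed: PID {pid} {rec['image']} {rec['indicators']} writes={rec['writes']}")
    for pid, rec in partial.items():
        print(f"same-image spawn + writes only: PID {pid} writes={rec['writes']}")
```

Keeping the partial bucket is deliberate: on this sample it holds 4700 and 2508, the two same-image children that were written to but never given a new thread context, which is the kind of retry pattern a single-event rule on SetThreadContext would miss entirely.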
Processes
(depth in brackets; the command line equals the image path unless a cmdline is shown)

[1] C:\Users\Admin\AppData\Local\Temp\160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\160c36e5d33c1320ff1cb8909dc8d760ba615223f4ac903b6254d6c854a089b5.exe"
    PID 1244
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0952742.exe
        PID 2148
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4666682.exe
            PID 2024
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5749207.exe
                PID 1896
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4137930.exe
                PID 4584
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7064546.exe
            PID 3224
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7064546.exe
                PID 4700
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7064546.exe
                PID 2508
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7064546.exe
                PID 616
                - Executes dropped EXE
                - Suspicious use of UnmapMainImage

                [5] C:\Windows\SysWOW64\WerFault.exe
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 12
                    PID 2728
                    - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i7955426.exe
        PID 3900
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 616 -ip 616
    PID 3360

Reading the tree: each x*.exe stage is an extractor that unpacks the next cabinet into a fresh IXPnnn.TMP directory and runs two things from it, the next extractor and one payload. The innermost stage (IXP002.TMP) runs f5749207.exe and the Defender-tampering g4137930.exe; the middle stage runs h7064546.exe, which hollows a copy of itself three times with the last copy crashing; the outermost stage runs i7955426.exe, the process whose memory matches the RedLine rule and whose config points at 185.161.248.37:4138.
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files, one entry per unique hash; the report lists several of them more than once)

Filesize: 286KB (listed 2 times)
MD5: 290f1ef585fef64520c409c1dce54e7d
SHA1: a66289d497773a28b7169631f8c557be69bd48ab
SHA256: a7f2f57ed12dae6f09696a0080e6e417b945ed98b0954bcc0d565f2cd759764d
SHA512: 4b406faaebe548a1e6e45d5676617ef8b2a1756f04faac3e82f9fb67fa30669d4376dfd11e105c62f9db62dc13e7a5c630c459a303b950bd74eeec425c94cd92

Filesize: 751KB (listed 2 times)
MD5: 7e469354675ba2c757280e4993bb0318
SHA1: be4c756756c13bc9f0c334aa197b17c9ee29fe70
SHA256: e819c0aad8ac1cd60aee625253662413cc9ac5c078010037c7e4c526db2c0a50
SHA512: d3755d76fa5782260b293993cd8e3e5935a792f6b3927fecea9379f00a83254bcc6511ed7b44617e64a31560c0ea9945bb90d59fd17c90028c6ab882332b4137

Filesize: 966KB (listed 5 times)
MD5: 1012a9e9d9d7c5a799af770538729fa4
SHA1: 5222d8212f8f109ba0d35b538c2eae8fd6e566d7
SHA256: c17c916b989dc10721aa95141a693e6f2e55c4b6a66912e759ece415b82fb63c
SHA512: 158ff24434628e67223db9881861acdef4d9b31b1b37e418193740a0d6df9e4de0b7c4b57b8d421ff2d8c17b6922d25f149db12135281fd429181c0c1d74b615

Filesize: 306KB (listed 2 times)
MD5: 0720140a98dad699f20a47d978ebd546
SHA1: 2a0a1bbb457b22e052abadc1f1032a2bfdbd4672
SHA256: 3601026b461e7270fc5fba7edeb349df7dc4f3e39abc8cc8535eb0b84c9c6344
SHA512: fb4598b56a5a63aba6b2038ffd67cbcc5fd77f14d3f16c761863d893cd53a13660be9e52b2840f5c9e3879ae6037ae1befa4896784e280a7182d6a1bd67dfdfa

Filesize: 146KB (listed 2 times)
MD5: d52841b6d1386577a98d1a521cdf99d0
SHA1: f2172aab5a368cb120838b2b7bac5e486ecfcb6f
SHA256: b55f667e95f2a65d72b2b314f493c17b193ce2c6dc48238460dd99ba967764a6
SHA512: 58f03195df2d3edfecb491bc9bdaae817dff5f0433e0e0944676a333bc9f99f644326f16c8228a07f5410e927fd3a8e8a2fb08f7283806d33086c5deb861bf6a

Filesize: 186KB (listed 2 times)
MD5: 7bc917c948a152e0863f7af425263606
SHA1: b87759119fbe80eb31f009c5c38e3e345e11a758
SHA256: 783a514be12d2d907f682a29e5144df0bbd1bac63ba175287cfa7bd6d22db568
SHA512: eb1deafae129ec8e83344bf751c101dd11b570e34deff15ea3b2720aaec09b6e83ea60818ef51a2463b87556e56417c150db9ee3f3fb5f7263ce01d06a19b1a4