Analysis
max time kernel: 95s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 25/05/2023, 10:47
Static task: static1
Behavioral task: behavioral1
Sample: 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe
Resource: win10v2004-20230220-en
General
Target: 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe
Size: 1.0MB
MD5: d78b03ed997b0876100c13ee63f0337d
SHA1: 2c3b2f4bee6d10573309ef0d6bcb13722140e6b9
SHA256: 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec
SHA512: 64eda43b17557965e4af2b0214f3bf5327f0f805e0e07260de467056d2f47990a0e0ef23115e504db14d9b225a691737734e1daf24fb5cef2dcf856010dff7ca
SSDEEP: 24576:qyvv74z2bQX0kiQ+3YSaDgNXJflDoXSbBgDo0BfuN:xv0+Qkkp+bacNIXS1gD
Malware Config
Extracted
Family: redline
Botnet: diza
C2: 83.97.73.122:19062
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Extracted
Family: redline
Botnet: fash
C2: 83.97.73.122:19062
auth_value: dd7165bcd22b0ed3df426d944e12f136
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 7 IoCs
pid | Process
3060 | x5966302.exe
3668 | x7516541.exe
1560 | f9268293.exe
388 | g9048909.exe
3548 | h7271269.exe
2408 | h7271269.exe
2884 | i3658062.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x5966302.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x5966302.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x7516541.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x7516541.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 388 set thread context of 2508 | 388 | g9048909.exe | 94
PID 3548 set thread context of 2408 | 3548 | h7271269.exe | 96
PID 2884 set thread context of 1028 | 2884 | i3658062.exe | 101
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4380 | 2408 | WerFault.exe | 96
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1560 | f9268293.exe
1560 | f9268293.exe
2508 | AppLaunch.exe
2508 | AppLaunch.exe
1028 | AppLaunch.exe
1028 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1560 | f9268293.exe
Token: SeDebugPrivilege | 3548 | h7271269.exe
Token: SeDebugPrivilege | 2508 | AppLaunch.exe
Token: SeDebugPrivilege | 1028 | AppLaunch.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
2408 | h7271269.exe
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target | count (identical events collapsed)
PID 4784 wrote to memory of 3060 | 4784 | 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe | 83 | 3
PID 3060 wrote to memory of 3668 | 3060 | x5966302.exe | 84 | 3
PID 3668 wrote to memory of 1560 | 3668 | x7516541.exe | 85 | 3
PID 3668 wrote to memory of 388 | 3668 | x7516541.exe | 92 | 3
PID 388 wrote to memory of 2508 | 388 | g9048909.exe | 94 | 5
PID 3060 wrote to memory of 3548 | 3060 | x5966302.exe | 95 | 3
PID 3548 wrote to memory of 2408 | 3548 | h7271269.exe | 96 | 10
PID 4784 wrote to memory of 2884 | 4784 | 6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe | 98 | 3
PID 2884 wrote to memory of 1028 | 2884 | i3658062.exe | 101 | 5
Processes
[1] C:\Users\Admin\AppData\Local\Temp\6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe (PID 4784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cdaf252160ad61c48179abd1addd6d8f349c37938c15349e12ab9c780f5acec.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5966302.exe (PID 3060)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5966302.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7516541.exe (PID 3668)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7516541.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9268293.exe (PID 1560)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9268293.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9048909.exe (PID 388)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9048909.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2508)
            Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7271269.exe (PID 3548)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7271269.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7271269.exe (PID 2408)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7271269.exe
          - Executes dropped EXE
          - Suspicious use of UnmapMainImage
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 4380)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 12
            - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3658062.exe (PID 2884)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3658062.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1028)
        Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe (PID 5076)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2408 -ip 2408
Network
MITRE ATT&CK Enterprise v6
Downloads