Analysis
Max time kernel: 127s
Max time network: 129s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/05/2023, 21:26
Static task: static1
Behavioral task: behavioral1
Sample: 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe
Resource: win10v2004-20230220-en
General
Target: 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe
Size: 752KB
MD5: 4a0c182882a703422d61d22cdefaf002
SHA1: d9ac862415d1db4dc24f538a228ad5a6a92b23b9
SHA256: 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464
SHA512: 55267aea773a8de91d02f1512df9acb2582bcdeeb7e72ac9c4a58144917cdf3b196d1ef5f42b126b678d4cf935ab82190b25ad8d3627fabcb1e579130034bd5e
SSDEEP: 12288:lMrzy90+qlduvdr97OJOz4JyuUgCdvvG3czYYRDzrmaw3XcXLJa2o5SuHMzjuF:ayU7uvdJikzqnSvvn8YpE3XcXLv1jCF
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.127:19045
auth_value: 6a3f22e5f4209b056a3fd330dc71956a

Extracted
Family: redline
Botnet: metro
C2: 83.97.73.127:19045
auth_value: f7fd4aa816bdbaad933b45b51d9b6b1a
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | c6917646.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | metado.exe

Executes dropped EXE 7 IoCs
pid | Process
4716 | v1976757.exe
4736 | v5734753.exe
4040 | a9605163.exe
1988 | b9977329.exe
1820 | c6917646.exe
4992 | metado.exe
1260 | d9411816.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5734753.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5734753.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1976757.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1976757.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4040 set thread context of 2416 | 4040 | a9605163.exe | 88
PID 1260 set thread context of 1296 | 1260 | d9411816.exe | 101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5108 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2416 | AppLaunch.exe
2416 | AppLaunch.exe
1988 | b9977329.exe
1988 | b9977329.exe
1296 | AppLaunch.exe
1296 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2416 | AppLaunch.exe
Token: SeDebugPrivilege | 1988 | b9977329.exe
Token: SeDebugPrivilege | 1296 | AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1820 | c6917646.exe

Suspicious use of WriteProcessMemory 55 IoCs
(identical parent/child events are collapsed; the last column gives how many times each event appears in the report)
description | pid | Process | procid_target | events
PID 4600 wrote to memory of 4716 | 4600 | 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe | 84 | 3
PID 4716 wrote to memory of 4736 | 4716 | v1976757.exe | 85 | 3
PID 4736 wrote to memory of 4040 | 4736 | v5734753.exe | 86 | 3
PID 4040 wrote to memory of 2416 | 4040 | a9605163.exe | 88 | 5
PID 4736 wrote to memory of 1988 | 4736 | v5734753.exe | 89 | 3
PID 4716 wrote to memory of 1820 | 4716 | v1976757.exe | 91 | 3
PID 1820 wrote to memory of 4992 | 1820 | c6917646.exe | 92 | 3
PID 4600 wrote to memory of 1260 | 4600 | 38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe | 93 | 3
PID 4992 wrote to memory of 5108 | 4992 | metado.exe | 95 | 3
PID 4992 wrote to memory of 4660 | 4992 | metado.exe | 97 | 3
PID 4660 wrote to memory of 908 | 4660 | cmd.exe | 99 | 3
PID 4660 wrote to memory of 4844 | 4660 | cmd.exe | 100 | 3
PID 1260 wrote to memory of 1296 | 1260 | d9411816.exe | 101 | 5
PID 4660 wrote to memory of 2700 | 4660 | cmd.exe | 102 | 3
PID 4660 wrote to memory of 424 | 4660 | cmd.exe | 103 | 3
PID 4660 wrote to memory of 4044 | 4660 | cmd.exe | 104 | 3
PID 4660 wrote to memory of 4404 | 4660 | cmd.exe | 105 | 3
Processes
(process tree; indentation shows parent/child relationship, each entry gives image path, command line, triggered signatures and PID)

C:\Users\Admin\AppData\Local\Temp\38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38fd236b9e5e0d284be0bc7e1cc8c77aac470fa982e0a45f497e32b282ccf464.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4600

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1976757.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1976757.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4716

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5734753.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5734753.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 4736

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9605163.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9605163.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID: 4040

                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
                  - Modifies Windows Defender Real-time Protection settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2416

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9977329.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9977329.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1988

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6917646.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6917646.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 1820

            C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID: 4992

                C:\Windows\SysWOW64\schtasks.exe
                  Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
                  - Creates scheduled task(s)
                  PID: 5108

                C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
                  - Suspicious use of WriteProcessMemory
                  PID: 4660

                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      PID: 908

                    C:\Windows\SysWOW64\cacls.exe
                      Command line: CACLS "metado.exe" /P "Admin:N"
                      PID: 4844

                    C:\Windows\SysWOW64\cacls.exe
                      Command line: CACLS "metado.exe" /P "Admin:R" /E
                      PID: 2700

                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      PID: 424

                    C:\Windows\SysWOW64\cacls.exe
                      Command line: CACLS "..\a9e2a16078" /P "Admin:N"
                      PID: 4044

                    C:\Windows\SysWOW64\cacls.exe
                      Command line: CACLS "..\a9e2a16078" /P "Admin:R" /E
                      PID: 4404

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9411816.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9411816.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1260

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1296

Network
MITRE ATT&CK Enterprise v6
Downloads
(identical entries are collapsed; the count in brackets gives how many times the file is listed in the report)

Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize: 327KB (listed 2 times)
MD5: bd194fa924d632466c6e6d53161c4e85
SHA1: f6e7222f021e8d3ec35d0f62429b664ed5d5b55f
SHA256: ea12221dbdc3afb96185df9a017df581d64d29e178ef78aae4dc1b9a9bf40025
SHA512: 260514a8f3c15d88b97a55da404694d9fbbc266fdf7339767f46005282d1892f67e5360b386642afdb0f614ae9b88883a2e60cc1948542d8cf8fe3d635c31ec1

Filesize: 453KB (listed 2 times)
MD5: 4564c5775bd50f98b6002e6ad624033c
SHA1: 96d0e70b721cbdc5e404cdd1772d6c356fa4e4cc
SHA256: f99b6fb75ffe05d612922521003cae9b831333b13a8c22700c2683406c452fad
SHA512: 1d7476a1f67321913ff82ec227074d09b17b6fe5cefabe2eaea89645b2aceec803c26d114bb1924d44f7a3182621a432aeae175bd809d72d1551bc2027aa006d

Filesize: 210KB (listed 5 times)
MD5: f1beed89d94a88ea58dfde7e622fc1c0
SHA1: ace1444e02365d3e5df8c50485e750ed005f80d9
SHA256: a5c30c891bb250aa0c4d1ff31779b222421c1c9865a71cb4183792c2f25a22eb
SHA512: a77009165478c61276218ddf422ebc8215dbef327ffd0f711025b84a0faf26558fdc77a0378a8b984eb6abbcd62028644b2229f72600673176e844445ddc740e

Filesize: 281KB (listed 2 times)
MD5: a3b47fb218db6fa3572a5af14b5f4b07
SHA1: 452b46abb5a3661bf4ceabccbf434b9220362240
SHA256: a53fee4b79f99324e5310e5beae514a1d5bab8d8005d5f9288fb9d7425a9c65b
SHA512: f6dc6b87dcba3f2a46762ada47e182b1cca524cdd1458ae07c41e487f66a29419631b18d3cdc4b91cc50ae70fcac7c06719e75c549fd92580292bdfde350080a

Filesize: 169KB (listed 2 times)
MD5: 2f893d643824713272c1d7286b04203c
SHA1: 12b562d45cc4094aca9058721234f76630d778a8
SHA256: 5bc79c4eb59ff48bdc9b7a32b5d312bf27e10ae2159705ae316f6d821ccd0bf3
SHA512: 3d4417f11ad7e95ac0359e47f49dabdf4571e607606a9f93b042353393083927a5548a2e14b60b4e51e86f88611ea9792f85a463286ee152840304e621f0612f

Filesize: 168KB (listed 2 times)
MD5: 76ee6644b1c6dafd758f80dd2e4acd25
SHA1: a508be6aee6ff6d735345fbe2ac7c8273918b5f8
SHA256: 54e858715d15043b38400a05c230004581a1e65de5bb69e0cdd099430c6cc265
SHA512: 46098a8bc94fed1cf44244b9ba7db805babdb13f99f132a4cb6592e8b7fd96a0529cb4aa4e8027145106e947a9857d24b5d832c7652661658eba84e84807d182