Analysis
max time kernel: 128s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/06/2023, 23:07
Static task: static1
Behavioral task: behavioral1
Sample: a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Resource: win10v2004-20230220-en
General
Target: a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Size: 581KB
MD5: 8ce40efd601775fd096265e1e74d9dd8
SHA1: c9e9fda8d3b3fe9fe1317903ab5c9cbe03896899
SHA256: a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b
SHA512: a7cf48306af8ae0baeb188dfcd91ac23727dc3b1d514554ce0e58cbac1486cbfb8eef5880cc1c7d495c0a8d359ccf6f0164496fbc9a86d389ca175d510999827
SSDEEP: 12288:iMrCy90X3MMBIzilYy/wVRiO+AvFJXADhvfus:Uyo+zi9fevFWv7
Malware Config
Extracted
Family: redline
Botnet: diza
C2: 83.97.73.126:19046
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k0846945.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k0846945.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k0846945.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | k0846945.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k0846945.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k0846945.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 4 IoCs
pid | Process
2164 | y5111759.exe
3196 | y8277928.exe
4100 | k0846945.exe
2016 | l9492403.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | k0846945.exe
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y5111759.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y5111759.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y8277928.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y8277928.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process | occurrences
4100 | k0846945.exe | 2
2016 | l9492403.exe | 20
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4100 | k0846945.exe
Token: SeDebugPrivilege | 2016 | l9492403.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target | occurrences
PID 4260 wrote to memory of 2164 | 4260 | a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe | 84 | 3
PID 2164 wrote to memory of 3196 | 2164 | y5111759.exe | 85 | 3
PID 3196 wrote to memory of 4100 | 3196 | y8277928.exe | 86 | 2
PID 3196 wrote to memory of 2016 | 3196 | y8277928.exe | 89 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe"
    PID: 4260 (depth 1)
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5111759.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5111759.exe
        PID: 2164 (depth 2)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8277928.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8277928.exe
            PID: 3196 (depth 3)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0846945.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0846945.exe
                PID: 4100 (depth 4)
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9492403.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9492403.exe
                PID: 2016 (depth 4)
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads