Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2023, 09:28
Static task: static1
Behavioral task: behavioral1
Sample: 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Resource: win10v2004-20230220-en
General
Target: 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Size: 580KB
MD5: 8e9a4efaf38f0a13febed31d0cc20b56
SHA1: 86c4b21f714bebb72f43a39660879af686aef950
SHA256: 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021
SHA512: 067d2f517f77983e56fa9b81c3fc65c695e16f62e4d5bb24b82d34a49614f10216e1328fa2740dab45cc3eebecbe99d8dca4a0e687913a659cb246547e83559c
SSDEEP: 12288:6Mryy90La31vaRC5DMkYJCN/f9SVlnZ3dKvQHzwVg6O8:UyeC5J+CN/fM7+QHEV5
Malware Config
Extracted
Family: redline
Botnet: diza
C2: 83.97.73.126:19046
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | k2808567.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k2808567.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k2808567.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k2808567.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k2808567.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k2808567.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 4 IoCs
pid | Process
3408 | y4879619.exe
1456 | y8738743.exe
4696 | k2808567.exe
1368 | l1048866.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | k2808567.exe

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y4879619.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y4879619.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y8738743.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y8738743.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4696 | k2808567.exe
4696 | k2808567.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4696 | k2808567.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 464 wrote to memory of 3408 | 464 | 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe | 85
PID 464 wrote to memory of 3408 | 464 | 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe | 85
PID 464 wrote to memory of 3408 | 464 | 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe | 85
PID 3408 wrote to memory of 1456 | 3408 | y4879619.exe | 86
PID 3408 wrote to memory of 1456 | 3408 | y4879619.exe | 86
PID 3408 wrote to memory of 1456 | 3408 | y4879619.exe | 86
PID 1456 wrote to memory of 4696 | 1456 | y8738743.exe | 87
PID 1456 wrote to memory of 4696 | 1456 | y8738743.exe | 87
PID 1456 wrote to memory of 1368 | 1456 | y8738743.exe | 88
PID 1456 wrote to memory of 1368 | 1456 | y8738743.exe | 88
PID 1456 wrote to memory of 1368 | 1456 | y8738743.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe"
  PID: 464
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4879619.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4879619.exe
    PID: 3408
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8738743.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8738743.exe
      PID: 1456
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2808567.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2808567.exe
        PID: 4696
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1048866.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1048866.exe
        PID: 1368
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 377KB
MD5: ef89a9b3468fd350efdbf7b7e4f7f4e2
SHA1: 6846eae21314e3498b3381ccbe489e0449bca1b9
SHA256: e3bdbcf44f9daeab80e53bd58affe7d6f8279965f266176ae4291cf7df6a7002
SHA512: 179f91807d94b6c4f868381b17ec53764ffd77ad434475b40fae6c734d2a7eb9751abfb0fff44f6738cdf445b42184df1450d295309c1c5e598282100e8fa16c

Filesize: 206KB
MD5: 5bbef6117725ecf0e4a79a2c9ad9011d
SHA1: a84f657d30f0a415a65643bdf07195f386ab84c9
SHA256: 12a8bd6344e8e496b4f0f232a8997d3d01e7062b7b2f6804d7fb55264d5ed6d3
SHA512: 4552556c3027e2f6516c921ecd507e8b534c01736db315312b1a3d8326bdd3a82e4cd92b40d8e4bceadd3f78633d597d9d227c771a9bfbbe6fdf747f0da26391

Filesize: 12KB
MD5: cbbbea47fb4e20c8046c4ea991cb5fb0
SHA1: b3ecf6484cb839fcb6160ee1d49662ab3cce4ee3
SHA256: 82147a07d042e6378822842014793f604367cccc0119efb446c41a8a5d5e2fc9
SHA512: 2ee45d79bb142f6b8f9a18e2d8833bb295aa9e3cfdb8369e138623c2be78ea73e5f25665f2acdb706dff5f95a544d796a76178c815288733747a99bbfa8d2726

Filesize: 173KB
MD5: a0de61da10995489798eebf79fd46eed
SHA1: d439786b160c448a7c2807e8123bf488deef8ef9
SHA256: f44b541f5e2fea9a666732309eee7897c6ae31f0bd841fa38e8b4b7f3142d5b2
SHA512: c849bf6ffecfd5b8fdb3d42758e1f1d6a7900a79c47556d8d5cee21828c8ffb851222980431216ef9e1d7928bdc2ce1e6a378a9e1d6b1f8319687227d7e0f1c2