Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/06/2023, 09:44
Static task: static1
Behavioral task: behavioral1
- Sample: 4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe
- Resource: win10v2004-20230220-en
General
- Target: 4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe
- Size: 579KB
- MD5: 4de752e5c952d10c3306cb90047d06cd
- SHA1: 2835a0a3e523781bedbc1364ec82ae28d2f19bb2
- SHA256: 4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf
- SHA512: 0c2a2396be9e0ff78ee847b2259d291ac70af7e514a41ba020453b612506d5851f11b7e08614a20c284e170224b852ccd9ee89728162d7484dcbeb061fdc19a6
- SSDEEP: 12288:6Mr+y90t5QvuofPRZwQnAI3WgOyPyTlg8Kg8PL:Ay7hfYQAI3WuPyTlVKgQL
Malware Config
Extracted
- Family: redline
- Botnet: diza
- C2: 83.97.73.126:19046
- auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | k1474329.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k1474329.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k1474329.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k1474329.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k1474329.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k1474329.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
pid | Process
- 3648 | y8555894.exe
- 4996 | y1618689.exe
- 4940 | k1474329.exe
- 4864 | l0671908.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | k1474329.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y8555894.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y1618689.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y1618689.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y8555894.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
- 4940 | k1474329.exe (2 entries)
- 4864 | l0671908.exe (22 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4940 | k1474329.exe
- Token: SeDebugPrivilege | 4864 | l0671908.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
- PID 4280 wrote to memory of 3648 | 4280 | 4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe | 84 (3 entries)
- PID 3648 wrote to memory of 4996 | 3648 | y8555894.exe | 85 (3 entries)
- PID 4996 wrote to memory of 4940 | 4996 | y1618689.exe | 86 (2 entries)
- PID 4996 wrote to memory of 4864 | 4996 | y1618689.exe | 91 (3 entries)
Processes (nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4501042e853acdf48227fe588a90f61e0abf6e134fe3054a8a8e10adbe74ddcf.exe"
  depth: 1, PID: 4280
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8555894.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8555894.exe
    depth: 2, PID: 3648
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1618689.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1618689.exe
      depth: 3, PID: 4996
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1474329.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1474329.exe
        depth: 4, PID: 4940
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0671908.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0671908.exe
        depth: 4, PID: 4864
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 377KB
  MD5: ca43492a69cfa73ed3a97f9631e5b171
  SHA1: 151840a7f449d0f30ae68e6362070856c4656833
  SHA256: ef7ab8ddee6bcd5efdae5a77b4d61568b5fbefe8a1af4ae63d72474fd6a1240c
  SHA512: c856739753de3f9d0b447fa36ebf5972ecab927aecc45af1e06584056f8ce5bf0840cfa6368b5e5a7cb9a137922bf20f15a92b46653aed1e8c040a09aee09c36
- Filesize: 206KB
  MD5: 5a632c9846c505922632ed46d4d85d73
  SHA1: d68c181790908b11b0f091074e8bfbbe853114e1
  SHA256: 1f0f7d44bb3b6a8050d0854e3a04d0dad16623cdedcca1842ac46a5b5224320f
  SHA512: 3ce2b9f51ea17e90f26a70966f648efa8f7031471a8ed32cb8da41829e57be65cb2a900c845de831cc923a22a84a49a4a9c3327cfd82b507a1f1441a813e89af
- Filesize: 12KB
  MD5: c7a9bfdeaf86846fd224764322da5112
  SHA1: 3aace1be7bac3dfff2a8723449cf06be30ffff14
  SHA256: f11ccfc7bdb807a14418a19a88614c095aef4206f02020b624b93b197ee53fbb
  SHA512: 2418ccdafdb6f89c4b0d5eaf84059f434fe28bcdfc48c042ca212c0bde4d237c59180518d0253cd5d429fef175fca61db86acdc1190b0fb8f52f4b5b0475dfe7
- Filesize: 173KB
  MD5: d095b506132c377890ac48a2e311073f
  SHA1: 406bf479483c834edbb35ef9fb2d84a72ed1a775
  SHA256: bec167aeef90e3b8c7ab893f7896c3d1d6bb1e21680e689cda91c53312d3f906
  SHA512: 5e2bb0cd9d7e124ea7bdf05977e783a1a7dc8bb15ddd8adb1ef15f7edc02288bb0916d0b6ea74b4097d56f3b978b1c7538fe27f1f41a27a70f731dd975322027