Analysis

max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2023, 14:54
Static task: static1
Behavioral task: behavioral1
Sample: f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
Resource: win10v2004-20230220-en
General

Target: f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
Size: 738KB
MD5: f634793c58e32402a29c27eed52abe14
SHA1: 81eb03cf0815ce31017e1bd37ac0f859f520f14c
SHA256: f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60
SHA512: 8e739445af721fdda21f362d49cdf6a2bf61560b6af85bfbbd64b72c06d4a51cbf0ff44eface619c0aca6d8b785d6ef473dd4a3cacbbfb461d8c9565d91fc30f
SSDEEP: 12288:VMrHy90we9cWZFNaYGEP4+6KPbJtA0xE1UnIM42l1pYTcDxxUPKjhr6SK1r1:WyY3ZqYG7stAvUnIM4lYIPKjl6H1Z
Malware Config

Extracted
Family: redline
Botnet: diza
C2: 83.97.73.126:19048
Attributes: auth_value = 0d09b419c8bc967f91c68be4a17e92ee
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k5753626.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k5753626.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k5753626.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k5753626.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k5753626.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | k5753626.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 6 IoCs

pid | Process
1920 | y4575467.exe
4228 | y6662005.exe
388 | y9717969.exe
2648 | j4604310.exe
2032 | k5753626.exe
4832 | l7776077.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | k5753626.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 8 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y4575467.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y4575467.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y6662005.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y6662005.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y9717969.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | y9717969.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs

description | pid | Process | procid_target
PID 2648 set thread context of 2328 | 2648 | j4604310.exe | 90
Program crash 1 IoCs

pid | pid_target | Process | procid_target
3920 | 2648 | WerFault.exe | 88
Suspicious behavior: EnumeratesProcesses 28 IoCs

pid | Process | entries
2328 | AppLaunch.exe | 2
2032 | k5753626.exe | 2
4832 | l7776077.exe | 24
Suspicious use of AdjustPrivilegeToken 3 IoCs

description | pid | Process
Token: SeDebugPrivilege | 2328 | AppLaunch.exe
Token: SeDebugPrivilege | 2032 | k5753626.exe
Token: SeDebugPrivilege | 4832 | l7776077.exe
Suspicious use of WriteProcessMemory 22 IoCs

description | pid | Process | procid_target | entries
PID 3700 wrote to memory of 1920 | 3700 | f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe | 85 | 3
PID 1920 wrote to memory of 4228 | 1920 | y4575467.exe | 86 | 3
PID 4228 wrote to memory of 388 | 4228 | y6662005.exe | 87 | 3
PID 388 wrote to memory of 2648 | 388 | y9717969.exe | 88 | 3
PID 2648 wrote to memory of 2328 | 2648 | j4604310.exe | 90 | 5
PID 388 wrote to memory of 2032 | 388 | y9717969.exe | 93 | 2
PID 4228 wrote to memory of 4832 | 4228 | y6662005.exe | 98 | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 3700

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1920

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         PID: 4228

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 388

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               PID: 2648

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  - Modifies Windows Defender Real-time Protection settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2328

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 560
                  - Program crash
                  PID: 3920

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               PID: 2032

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4832

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2648 -ip 2648
   PID: 4532
Network
MITRE ATT&CK Enterprise v6
Downloads

-
Filesize: 531KB
MD5: 8730e98b94bcd0f2e6e14148f80d40bc
SHA1: 7db7a9f6883ed40306672a854ee76915336f30ae
SHA256: f68554594ec7e11056ee93b4ee9dc5c4582e37fb904163bf7dad252b784e4b30
SHA512: 116578a2032c96224cd0c1fa83cbf2b55250cbf74e50909e76cf58dbbc4ea9a02d0b692c057d0ab94411fbf494ab071a21d65c30b5937382ba662954249a32d4
-
Filesize: 359KB
MD5: 10a396856099f237d80da3b18b4ad71f
SHA1: b0af77f9f9fa47c1f13acf7220367f8cf156b0ea
SHA256: b9de37e9e4670e982be798711de45d3612805752080c47c29b6bcd6d4b10d55f
SHA512: ae73e2f828fb931f78736d086f8e9781e5940a57bd92cee9aa5166dfb4ea8a046b82e9e439d9337f882c75398c580d67d13d228f497c66c1d104508a9cfd7d3b
-
Filesize: 172KB
MD5: 98b7a229e10a9b04d2ede40124fc2221
SHA1: 8efb2256d2c267cc152d54887e64854314462797
SHA256: 42845aed315f191fed05d14004b9296ad0acee246cb8f21642b9a43efae8e63d
SHA512: ed09af41f8df242d262cdcea97330fd7b32f2777e5a5b5deeb36fad8dd9d227f23c9ac2ecc5c88e2707894437af32f85b714860740543e5c651166fa2d4ef158
-
Filesize: 203KB
MD5: 198fd07c6445abd12e0c96cca28a542a
SHA1: 11ddef31934e1030f0b2c2bc74345a2ff7b922bc
SHA256: b3bbc428e61c05f8964c55f843f52c2d4d49b1fc520df633a47d5a4e61ae9b5e
SHA512: 8983e8dff69099f131e440337985716b1a4497c1fcb30113857a74754dd780f0534b2ac7b99df79942e836e14536000989174fa5e8511475037704168a7b822e
-
Filesize: 120KB
MD5: d53eed66cc91b6e6a17ef4dbd48941db
SHA1: 4b569408824995114d9f2345aa59ba4cfe0b57c6
SHA256: 65924c1f0f7e318fd20f382547391cb746bb9e2a621e54726608279a25190780
SHA512: b9298e62a019c16c1d3388a75ee85614194c80db8eec754cf6eb7dd562a546606714e1528d513d9d025b9e0225d0c8c161122d822e67524b506d950e7d0204bd
-
Filesize: 14KB
MD5: 29b0bb8fb33fe5ab4397c86f17eab2b9
SHA1: 3237d20992f9345c386323bce9831f506dce92e7
SHA256: 9e991c7b04387247d471ef52fe006ac6d7a1586069745c5215cd1b71093336db
SHA512: d736110fe5b22cc1ecc7d4cdde356612cb595a737c34e39ebf64fc2fade55eb841390c01a092a6f4da897994e71f60a30f62879eb9827828bad945dfc8e538b0