Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/06/2023, 09:37
Static task: static1
Behavioral task: behavioral1
Sample: ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Resource: win10v2004-20230221-en
General
Target: ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Size: 724KB
MD5: 423682e315eb041dfca823f9258107cf
SHA1: 8ae794b5765505b06d6a07166c697733a322d924
SHA256: ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2
SHA512: 68f6df97f88c63604f16902b4fb53918a8e70380bf42a04ab203404eebbe7989c202421b37b713b6525206825c8d974fd6231736782916ccf9166fdc1f851a9d
SSDEEP: 12288:iMrjy90WHZXBLd4Gm3SaannWR0/r55K8ziePqOzeMszP3gfsOjOUUyMlAtYxS:pyFZXNds3twnWR0zW8ujMs73gJOUU1E
Malware Config
Extracted
Family: redline
Botnet: doxa
C2: 83.97.73.129:19068
auth_value: 8cf5ba009458c73b014353d79d8422c6
Signatures
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | k5291378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k5291378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k5291378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k5291378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k5291378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k5291378.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Note: k5291378.exe writes the native HKLM\SOFTWARE\Policies path, while the writes from AppLaunch.exe (the 32-bit host under Framework, not Framework64) were redirected to WOW6432Node, a view the 64-bit Defender service does not read. On a stock Windows 10 with Tamper Protection on, the native policy writes are designed to be ignored as well, so read these rows as intent and as a detection hook (registry value-set events on these value names), not as proof that real-time protection was actually switched off.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
pid | Process
2692 | y0513192.exe
1436 | y6441693.exe
1184 | y8231201.exe
2004 | j7455522.exe
3488 | k5291378.exe
4284 | l0182589.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | k5291378.exe
Note: on a default install the HKLM\SOFTWARE\Microsoft\Windows Defender key is not writable by Administrators, so this write normally fails with access denied; the sandbox records the attempt, which is itself a strong indicator.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y0513192.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y0513192.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y6441693.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y6441693.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y8231201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | y8231201.exe
Note: wextract_cleanupN RunOnce values are written by wextract.exe, the IExpress self-extractor, so that its IXP00N.TMP extraction directory is deleted at the next logon. The four entries (IXP000 to IXP003) show four nested self-extracting layers, not persistence: RunOnce values are removed when they run and the command only deletes a directory.
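The three registry tables above (Defender Real-Time Protection writes, the TamperProtection write, and the RunOnce entries) use the same "Set value (type) path = "data" process" / "Key created path process" row format. As an added example, not code from the Triage report or from RedLine, the following script parses rows in that format and separates real defence evasion from the wextract cleanup noise. The sample rows are constructed from this report; the severity scale and the ATT&CK technique ids are this example's own choices.

```python
"""Classify sandbox registry rows: Defender tampering versus IExpress cleanup noise.

Added example; the row format is the one used in the signature tables above,
the severity labels and ATT&CK ids are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegEvent:
    op: str                 # "set" or "create"
    path: str               # full \REGISTRY\... path of the key or value
    value: Optional[str]    # data written, None for "Key created"
    process: str            # image name of the writing process


@dataclass
class Finding:
    severity: str           # "high", "medium", "low", "info" or "none"
    technique: str          # ATT&CK id (mapping assumed here) or ""
    note: str
    process: str


# 'Set value (int) <path> = "<data>" <process>'  or  'Key created <path> <process>'
EVENT_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")? '
    r'(?P<process>\S+)$'
)

DEFENDER_POLICY = re.compile(r'\\Policies\\Microsoft\\Windows Defender\\', re.I)
TAMPER_PROTECTION = re.compile(r'\\Microsoft\\Windows Defender\\Features\\TamperProtection$', re.I)
AUTORUN = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)', re.I)
# wextract (IExpress) schedules deletion of its IXP00N.TMP directory at next logon
WEXTRACT_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32', re.I)

# Constructed from rows in this report (one representative per table).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection k5291378.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k5291378.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k5291378.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce y8231201.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" y8231201.exe',
]


def parse_event(line: str) -> RegEvent:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return RegEvent(
        op="set" if m.group("op").startswith("Set") else "create",
        path=m.group("path"),
        value=m.group("value"),
        process=m.group("process"),
    )


def classify(ev: RegEvent) -> Finding:
    name = ev.path.rsplit("\\", 1)[-1]
    # 32-bit writers land under WOW6432Node, a view the 64-bit Defender service does not read
    view = " (32-bit view)" if "WOW6432NODE" in ev.path.upper() else ""
    if ev.op == "set" and TAMPER_PROTECTION.search(ev.path) and ev.value == "0":
        return Finding("high", "T1562.001", "attempt to switch off Defender Tamper Protection", ev.process)
    if DEFENDER_POLICY.search(ev.path):
        if ev.op == "set" and ev.value == "1":
            return Finding("high", "T1562.001", f"Defender policy {name} set to 1{view}", ev.process)
        return Finding("low", "T1562.001", f"Defender policy key touched{view}", ev.process)
    if AUTORUN.search(ev.path):
        if ev.op == "set" and ev.value and WEXTRACT_CLEANUP.search(ev.value):
            return Finding("info", "", f"{name}: wextract cleanup entry, not persistence", ev.process)
        if ev.op == "set":
            return Finding("medium", "T1547.001", f"autostart entry {name}", ev.process)
        return Finding("low", "", "autostart key opened", ev.process)
    return Finding("none", "", "", ev.process)


def triage(lines) -> List[Finding]:
    return [classify(parse_event(line)) for line in lines if line.strip()]


def defender_tamperers(findings) -> List[str]:
    """Processes that made a high-severity Defender change."""
    return sorted({f.process for f in findings if f.severity == "high" and f.technique == "T1562.001"})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.severity:6} {f.technique:10} {f.process:14} {f.note}")
    print("Defender tampered by:", ", ".join(defender_tamperers(found)))
```

The same parser can be pointed at a full export of the Registry tab; the rows that matter for hunting are the "high" ones, and the "info" rows are what lets you recognise an IExpress wrapper chain at a glance.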
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2004 set thread context of 1740 | 2004 | j7455522.exe | 88
Note: together with the five WriteProcessMemory events from 2004 into 1740 below, this is consistent with process hollowing (RunPE): a payload is written into a legitimate host started by the injector and the host thread's context is pointed at the new entry. The host here is the .NET utility AppLaunch.exe, which then carries out the Defender changes and takes SeDebugPrivilege.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1884 | 2004 (j7455522.exe, the process that injected into AppLaunch.exe) | WerFault.exe | 86
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | occurrences
1740 | AppLaunch.exe | 2
3488 | k5291378.exe | 2
4284 | l0182589.exe | 12
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1740 | AppLaunch.exe
Token: SeDebugPrivilege | 3488 | k5291378.exe
Token: SeDebugPrivilege | 4284 | l0182589.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target | occurrences
PID 2580 wrote to memory of 2692 | 2580 | ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe | 83 | 3
PID 2692 wrote to memory of 1436 | 2692 | y0513192.exe | 84 | 3
PID 1436 wrote to memory of 1184 | 1436 | y6441693.exe | 85 | 3
PID 1184 wrote to memory of 2004 | 1184 | y8231201.exe | 86 | 3
PID 2004 wrote to memory of 1740 | 2004 | j7455522.exe | 88 | 5
PID 1184 wrote to memory of 3488 | 1184 | y8231201.exe | 91 | 2
PID 1436 wrote to memory of 4284 | 1436 | y6441693.exe | 92 | 3
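The WriteProcessMemory and SetThreadContext tables above are enough to rebuild the spawn tree and to single out the injection. As an added example, not code from the Triage report or from RedLine, the following script parses rows in the report's row format, treats the first process that writes into a PID as its parent (in these reports every spawned child receives a few parent writes at creation time, which is why plain droppers show three writes per child), and flags any parent that both wrote into a child and reset one of its thread contexts. The sample rows are constructed from this report; PID_NAMES fills in names for PIDs that only appear as targets, taken from the Processes section.

```python
"""Rebuild the process tree from WriteProcessMemory / SetThreadContext rows and
flag hollowing candidates. Added example; row format as in the tables above."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = "ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe"


def _rep(line: str, n: int) -> List[str]:
    return [line] * n


# Constructed from the report's 22 WriteProcessMemory rows and its 1 SetThreadContext row.
SAMPLE_LINES = (
    _rep(f"PID 2580 wrote to memory of 2692 2580 {SAMPLE} 83", 3)
    + _rep("PID 2692 wrote to memory of 1436 2692 y0513192.exe 84", 3)
    + _rep("PID 1436 wrote to memory of 1184 1436 y6441693.exe 85", 3)
    + _rep("PID 1184 wrote to memory of 2004 1184 y8231201.exe 86", 3)
    + _rep("PID 2004 wrote to memory of 1740 2004 j7455522.exe 88", 5)
    + _rep("PID 1184 wrote to memory of 3488 1184 y8231201.exe 91", 2)
    + _rep("PID 1436 wrote to memory of 4284 1436 y6441693.exe 92", 3)
    + ["PID 2004 set thread context of 1740 2004 j7455522.exe 88"]
)

# Names for PIDs that only appear as targets, taken from the Processes section.
PID_NAMES: Dict[int, str] = {1740: "AppLaunch.exe", 3488: "k5291378.exe", 4284: "l0182589.exe"}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+$")


def parse_rows(lines) -> List[Tuple[int, str, int, str]]:
    """Each row becomes (source pid, 'write' | 'setctx', target pid, source image)."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, op, dst, name = m.groups()
        rows.append((int(src), "write" if op.startswith("wrote") else "setctx", int(dst), name))
    return rows


def build_tree(rows, names=None) -> Tuple[Dict[int, int], Dict[int, str]]:
    """parent_of[child] is the first process seen writing into that child."""
    parent_of: Dict[int, int] = {}
    name_of: Dict[int, str] = dict(names or {})
    for src, op, dst, name in rows:
        name_of.setdefault(src, name)
        if op == "write" and dst not in parent_of:
            parent_of[dst] = src
    return parent_of, name_of


def lineage(pid: int, parent_of) -> List[int]:
    """Ancestry from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def find_hollowing(rows, name_of) -> List[dict]:
    """Parent/child pairs where the parent wrote into the child and also reset a
    thread context in it: the write-payload-then-SetThreadContext step of RunPE."""
    writes = Counter((s, d) for s, op, d, _ in rows if op == "write")
    hits = []
    for s, op, d, _ in rows:
        if op == "setctx" and writes[(s, d)]:
            hits.append({"parent": s, "parent_name": name_of.get(s, "?"),
                         "child": d, "child_name": name_of.get(d, "?"),
                         "writes": writes[(s, d)]})
    return hits


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LINES)
    parent_of, name_of = build_tree(rows, PID_NAMES)
    for hit in find_hollowing(rows, name_of):
        path = " > ".join(f"{name_of.get(p, '?')}({p})" for p in lineage(hit["child"], parent_of))
        print(f"hollowing candidate: {hit['parent_name']} -> {hit['child_name']} "
              f"({hit['writes']} writes); chain: {path}")
```

The write count is a useful secondary signal: the injector makes five writes into AppLaunch.exe against three for each ordinary dropper-to-child spawn, which is what you would expect from an extra image being written on top of the normal creation-time writes.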
Processes
(numbers are the tree depth shown in the report)
1. C:\Users\Admin\AppData\Local\Temp\ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe"
   PID: 2580
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0513192.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0513192.exe
      PID: 2692
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6441693.exe
         cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6441693.exe
         PID: 1436
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8231201.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8231201.exe
            PID: 1184
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7455522.exe
               cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7455522.exe
               PID: 2004
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 1740
                  - Modifies Windows Defender Real-time Protection settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
               6. C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 564
                  PID: 1884
                  - Program crash
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5291378.exe
               cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5291378.exe
               PID: 3488
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0182589.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0182589.exe
            PID: 4284
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe
   cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2004 -ip 2004
   PID: 4180
Network
MITRE ATT&CK Enterprise v6
Downloads
Six unique dropped files (the report lists each one twice):

Filesize: 524KB
MD5: 9910b6b0350d3b3fa92110b1d6e78117
SHA1: 917c42b74a662b27d7d3cfd585ce98662afae34e
SHA256: 830d822d0b895b7ce1ca4140b6545f9e26ea0c6b5acff9cae7edbddd520e0fd1
SHA512: a3d73a1f2aabd1c25c26b46d6331a57c5171fd86ced6c1fe95b3ebd802712c497d712e580e09990570edf7bc172e804f6ce95bd7fc99f8d7bb8e0d56ccb7cd61

Filesize: 352KB
MD5: f2fc0c7346084a8912876e69cd9f2ce9
SHA1: 14406274a6f6f927475d6841a764f539d3dcbb94
SHA256: 95bc711783c0a98d713802175b10de60ab4431ba0204ee1f586e995a2197520e
SHA512: 28b1740db2a5825563efac914934cd02246bef0baf2c64281da4f933736ceda5af6c0fd9b28ec8d69d637ea079c388c50c268a981030a8821465223983100ded

Filesize: 172KB
MD5: 009477343b1f81d84ddc357ea019b1d2
SHA1: 0b567aa93ee45f24b1657e79409827b3edff2013
SHA256: cd33da8532ec9cf3fbfa586e7e16f1510b11440f109609bf36c3a670067cd516
SHA512: 8525fe57a4227cbdd0dcbe8b9fe182d3dff81ae0f65a2433a2e2c040d3fe3eb467d0f4e1b5f59c18e4833786568f674939501d187ffc8361315514f7a1d92397

Filesize: 197KB
MD5: b0ecef42201eb7907790106e83d725f2
SHA1: b0a5a4efc5fe9014162f1aa9fee07cb75a096e92
SHA256: 526709f6aee4d182bc6bd02bb30afffcb79cf9f832ab2427d13582104119dcf1
SHA512: a8f59a76bb3f0aa84f5b28dcf56b61537b2b1946fb9b0a85539bb0e327c1f4cc6ec8d64a354b60acb9edc80a031116ba4e219ab6acf5c88efa163417b1113cd2

Filesize: 101KB
MD5: 9c76360c27b381804631f92f39737179
SHA1: 6d90d26554f7f51107b2d14e2b2466211c3716e0
SHA256: 4b2f29e95ff34cf5eee19ba92fbad48c6432e3a13146bda1ff64e9a9882bba5b
SHA512: eb3cfc1a40bbb705de0bd7368181315365ee9752cc16e44a78875e32a2692df8d3eb707189198cb0e30a0904348f61c7cb977166c5638a5f566e5253681ec379

Filesize: 11KB
MD5: 737ccf7aa996c8ec3f836263aeff8b52
SHA1: 8a5c7cd0d0bf936ba20d281b0e04afa5c2e7b1f2
SHA256: 31c12a2ed1ded9c08ce0874d125b17673f1320e45812a4dd0e9cc171f68cbe3a
SHA512: d405673f3a79b5d00b03f2183e557538cad5dc3da164c6878c88d2c80bc597ed5cfed6e060ef782395d4197d87fb0631f5904de2b715e50ebe7a9100a5580142