Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2023, 03:00
Static task: static1
Behavioral task: behavioral1
Sample: 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe
Resource: win10v2004-20230703-en
General
Target: 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe
Size: 948KB
MD5: 6cf78efc76477f55e90f505dfa51f387
SHA1: 8e0dea09cd5ee342d2d4ecd96d6cce68c48417a0
SHA256: 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256
SHA512: 80c45b20ac1de176e4c2e28c63df67df8e632a89e4e82c5c0d7cfee359431fe98909cd55d652c854955b533ad790c635b014488916e2f1d8597cb420e24ad06e
SSDEEP: 24576:qyB1CZhsXzka/1K8t2s8ZO8rI6tdr9KPS8xrRJ8K86K:xiyp1KM2sHUhE1L8
Malware Config
Extracted
Family: redline
Botnet: chang
C2: 77.91.124.73:19071
auth_value: 92b880db64e691d6bb290d1536ce7688
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a3697802.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a3697802.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3697802.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a3697802.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a3697802.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a3697802.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 7 IoCs
pid | Process
2620 | v6559205.exe
2056 | v4136862.exe
1356 | v6229893.exe
3064 | v1099898.exe
3416 | a3697802.exe
1772 | b0998700.exe
3364 | c2775452.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a3697802.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3697802.exe

Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v6559205.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4136862.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6229893.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v1099898.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3416 | a3697802.exe
3416 | a3697802.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3416 | a3697802.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2856 wrote to memory of 2620 | 2856 | 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe | 82
PID 2856 wrote to memory of 2620 | 2856 | 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe | 82
PID 2856 wrote to memory of 2620 | 2856 | 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe | 82
PID 2620 wrote to memory of 2056 | 2620 | v6559205.exe | 83
PID 2620 wrote to memory of 2056 | 2620 | v6559205.exe | 83
PID 2620 wrote to memory of 2056 | 2620 | v6559205.exe | 83
PID 2056 wrote to memory of 1356 | 2056 | v4136862.exe | 84
PID 2056 wrote to memory of 1356 | 2056 | v4136862.exe | 84
PID 2056 wrote to memory of 1356 | 2056 | v4136862.exe | 84
PID 1356 wrote to memory of 3064 | 1356 | v6229893.exe | 85
PID 1356 wrote to memory of 3064 | 1356 | v6229893.exe | 85
PID 1356 wrote to memory of 3064 | 1356 | v6229893.exe | 85
PID 3064 wrote to memory of 3416 | 3064 | v1099898.exe | 86
PID 3064 wrote to memory of 3416 | 3064 | v1099898.exe | 86
PID 3064 wrote to memory of 3416 | 3064 | v1099898.exe | 86
PID 3064 wrote to memory of 1772 | 3064 | v1099898.exe | 91
PID 3064 wrote to memory of 1772 | 3064 | v1099898.exe | 91
PID 3064 wrote to memory of 1772 | 3064 | v1099898.exe | 91
PID 1356 wrote to memory of 3364 | 1356 | v6229893.exe | 92
PID 1356 wrote to memory of 3364 | 1356 | v6229893.exe | 92
PID 1356 wrote to memory of 3364 | 1356 | v6229893.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe  "C:\Users\Admin\AppData\Local\Temp\09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe"  PID:2856
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6559205.exe  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6559205.exe  PID:2620
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4136862.exe  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4136862.exe  PID:2056
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6229893.exe  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6229893.exe  PID:1356
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1099898.exe  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1099898.exe  PID:3064
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3697802.exe  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3697802.exe  PID:3416
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0998700.exe  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0998700.exe  PID:1772
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2775452.exe  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2775452.exe  PID:3364
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads