Analysis

max time kernel: 137s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2023, 12:14

Static task: static1
Behavioral task: behavioral1
Sample: 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
Resource: win10v2004-20230831-en
General

Target: 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
Size: 938KB
MD5: 712dc53f8f5ce26b3ad87268c5c54e65
SHA1: ecfa8c500b07f77ca9283e77954cb337341f7393
SHA256: 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35
SHA512: 1029b058248160cc0c24d0c6d9f8895d10be3300a0b3fb3e79579651bdd78c9d8fde22048182530d30a24b40971f55d7d088e5d51b3b9956a8bb93da817d01ed
SSDEEP: 12288:sMrYy901kqURGhyPgvvF4UgxYDW6UsOsvfmeoR1OA3yR39cNdMc+Ckke2e0yvTO:UyOUg+UlWAeLToNWFNe2efvTO
Malware Config

Extracted
Family: redline
Botnet: narik
C2: 77.91.124.82:19071
auth_value: 07924f5ef90576eb64faea857b8ba3e5
Signatures

Modifies Windows Defender Real-time Protection settings  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a7407967.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a7407967.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a7407967.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a7407967.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a7407967.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a7407967.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE  7 IoCs
pid | Process
3768 | v3819941.exe
3244 | v7145599.exe
1884 | v8563003.exe
2808 | v1604771.exe
3132 | a7407967.exe
3420 | b3047556.exe
2544 | c1030060.exe
Windows security modification  2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a7407967.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a7407967.exe
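The two Defender-related signatures are easier to act on as one rule than as a list of paths. The following is an added example, not code from tria.ge or from this report: it parses registry rows in the format the report prints, strips the WOW6432Node redirection produced by the 32-bit writer, and flags any Disable* value set to "1" under the Windows Defender policy key, or TamperProtection set to "0". The rule is deliberately broader than the six values seen here (any Disable* policy value counts); the row text is constructed from this page, and the function names detect_defender_tampering and summarize are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the registry rows from the "Modifies Windows Defender
# Real-time Protection settings" and "Windows security modification"
# signatures of this report, exactly as the sandbox prints them.
REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a7407967.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a7407967.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a7407967.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a7407967.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a7407967.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a7407967.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a7407967.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a7407967.exe
"""

# One report row: "<op> <native path>[ = "<value>"] <process>". The path may
# contain spaces, so it is matched lazily and the process is the last token.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<vtype>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<value>[^"]*)")? (?P<proc>\S+)$'
)

# Any value named Disable* under the Defender policy key, set to 1, turns a
# protection feature off; TamperProtection = 0 under Features is the other
# write the report shows.
POLICY_PREFIX = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
TAMPER_VALUE = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"


@dataclass
class Finding:
    proc: str    # process that performed the write
    path: str    # normalised HKLM path of the value
    value: str   # data written, as printed by the report
    reason: str


def normalize(path: str) -> str:
    """Map the native \\REGISTRY\\MACHINE path to HKLM and drop WOW64 redirection."""
    native = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(native):
        path = "HKLM\\" + path[len(native):]
    return path.replace("\\WOW6432Node\\", "\\")


def detect_defender_tampering(text: str) -> list:
    """Return a Finding for every row that weakens Defender; key creation alone is ignored."""
    findings = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m or m["value"] is None:
            continue
        path = normalize(m["path"])
        name = path.rsplit("\\", 1)[1]
        if path.startswith(POLICY_PREFIX) and name.startswith("Disable") and m["value"] == "1":
            reason = f"Defender policy {name} set to 1 (feature disabled)"
        elif path == TAMPER_VALUE and m["value"] == "0":
            reason = "Tamper Protection feature flag set to 0"
        else:
            continue
        findings.append(Finding(m["proc"], path, m["value"], reason))
    return findings


def summarize(findings) -> dict:
    """Value names touched, per writing process, for a one-line alert."""
    touched = defaultdict(list)
    for f in findings:
        touched[f.proc].append(f.path.rsplit("\\", 1)[1])
    return {proc: sorted(names) for proc, names in touched.items()}


if __name__ == "__main__":
    for proc, names in summarize(detect_defender_tampering(REGISTRY_ROWS)).items():
        print(f"{proc}: {', '.join(names)}")
```

Two caveats belong with this check. The sandbox records that the write happened, not its effect: with Tamper Protection enabled, Defender is designed to ignore such registry edits from untrusted processes, so the same rows on a hardened host mean an attempt, not a disabled engine. And because the writer here is a 32-bit process, the report shows the WOW6432Node view; a host-side check should inspect both the redirected and the native paths, which is why the example normalises them.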
Adds Run key to start application  2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v1604771.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3819941.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v7145599.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v8563003.exe
Note: these five RunOnce values are the cleanup hooks written by the IExpress/WEXTRACT self-extractor stub. Each one schedules rundll32.exe advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP directory the stub extracted into, so they document five nested self-extracting layers (IXP000.TMP through IXP004.TMP) rather than persistence of the payload; none of them starts a dropped file.
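Because the signature name says "Run key", it is worth separating what these rows actually contain before treating them as persistence. The following added example (not code from tria.ge or this report) parses the rows, undoes the backslash escaping the report applies inside quoted values, and classifies each entry as either an IExpress/WEXTRACT cleanup hook (rundll32 advpack.dll,DelNodeRunDLL32 deleting an extraction directory) or a genuine autostart command. The five report rows are constructed input copied from this page; the sixth row, a Run value named Updater starting hypothetical.exe, is made up to show the contrast and is not from this report. The names classify_runkeys and RunKeyFinding are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the five RunOnce rows from the "Adds Run key to start
# application" signature of this report, plus one invented Run entry
# (Updater -> hypothetical.exe) that is NOT from this report.
RUNKEY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v1604771.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3819941.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v7145599.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v8563003.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\hypothetical.exe" hypothetical.exe
"""

# A "Set value" row; the quoted value may contain \" and \\ escape pairs.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.+?) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$'
)

# The IExpress/WEXTRACT cleanup command: rundll32 <dir>\advpack.dll,DelNodeRunDLL32 "<dir to delete>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)\\?"?\s*$',
    re.IGNORECASE,
)

AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)


@dataclass
class RunKeyFinding:
    key: str          # registry key without the value name
    value_name: str
    command: str      # unescaped command line stored in the value
    setter: str       # process that wrote the value
    kind: str         # "wextract_cleanup" or "autostart"
    target: str       # directory scheduled for deletion, or the command itself


def unescape(raw: str) -> str:
    """Undo the report's escaping: \\\\ -> \\ and \\" -> " inside quoted values."""
    return re.sub(r"\\(.)", r"\1", raw)


def classify_runkeys(text: str) -> list[RunKeyFinding]:
    """Parse Run/RunOnce rows and tell self-extractor cleanup hooks from real autostarts."""
    findings = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        key, _, value_name = m["path"].rpartition("\\")
        if not AUTOSTART_KEY_RE.search(key):
            continue  # some other key; not an autostart location
        command = unescape(m["value"])
        cleanup = CLEANUP_RE.match(command)
        if cleanup and value_name.lower().startswith("wextract_cleanup"):
            kind, target = "wextract_cleanup", cleanup["dir"]
        else:
            kind, target = "autostart", command
        findings.append(RunKeyFinding(key, value_name, command, m["proc"], kind, target))
    return findings


if __name__ == "__main__":
    for f in classify_runkeys(RUNKEY_ROWS):
        print(f"{f.kind:17} {f.value_name:18} set by {f.setter}: {f.target}")
```

Run on the report rows, the five wextract_cleanup entries resolve to IXP000.TMP through IXP004.TMP, each written by the process that extracted that layer, which is the nesting the Processes section shows; only the invented Updater row is reported as an autostart.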
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid | Process
3132 | a7407967.exe
3132 | a7407967.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3132 | a7407967.exe
Suspicious use of WriteProcessMemory  21 IoCs
description | pid | Process | procid_target
PID 3872 wrote to memory of 3768 | 3872 | 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe | 87
PID 3872 wrote to memory of 3768 | 3872 | 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe | 87
PID 3872 wrote to memory of 3768 | 3872 | 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe | 87
PID 3768 wrote to memory of 3244 | 3768 | v3819941.exe | 88
PID 3768 wrote to memory of 3244 | 3768 | v3819941.exe | 88
PID 3768 wrote to memory of 3244 | 3768 | v3819941.exe | 88
PID 3244 wrote to memory of 1884 | 3244 | v7145599.exe | 89
PID 3244 wrote to memory of 1884 | 3244 | v7145599.exe | 89
PID 3244 wrote to memory of 1884 | 3244 | v7145599.exe | 89
PID 1884 wrote to memory of 2808 | 1884 | v8563003.exe | 90
PID 1884 wrote to memory of 2808 | 1884 | v8563003.exe | 90
PID 1884 wrote to memory of 2808 | 1884 | v8563003.exe | 90
PID 2808 wrote to memory of 3132 | 2808 | v1604771.exe | 91
PID 2808 wrote to memory of 3132 | 2808 | v1604771.exe | 91
PID 2808 wrote to memory of 3132 | 2808 | v1604771.exe | 91
PID 2808 wrote to memory of 3420 | 2808 | v1604771.exe | 92
PID 2808 wrote to memory of 3420 | 2808 | v1604771.exe | 92
PID 2808 wrote to memory of 3420 | 2808 | v1604771.exe | 92
PID 1884 wrote to memory of 2544 | 1884 | v8563003.exe | 93
PID 1884 wrote to memory of 2544 | 1884 | v8563003.exe | 93
PID 1884 wrote to memory of 2544 | 1884 | v8563003.exe | 93
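The 21 rows above encode the whole launch chain: each "wrote to memory of" row is a parent writing into a child it has just created, and the same pair recurs because the sandbox logs every WriteProcessMemory call. The added example below, not part of the report, rebuilds the tree from those rows, joined with the Executes dropped EXE table for the names of leaf processes that never spawn anything, collapsing repeated rows per (parent, child) pair while keeping the count. Its output can be checked against the Processes section that follows, which shows the same nesting depths 1 to 6. Both inputs are constructed from this page; parse_edges, build_tree and render_tree are the example's own names.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the 21 rows of the "Suspicious use of WriteProcessMemory"
# signature in this report, one per line, as the sandbox prints them
# (PID <src> wrote to memory of <dst> <src> <src image> <target index>).
WPM_ROWS = """\
PID 3872 wrote to memory of 3768 3872 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe 87
PID 3872 wrote to memory of 3768 3872 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe 87
PID 3872 wrote to memory of 3768 3872 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe 87
PID 3768 wrote to memory of 3244 3768 v3819941.exe 88
PID 3768 wrote to memory of 3244 3768 v3819941.exe 88
PID 3768 wrote to memory of 3244 3768 v3819941.exe 88
PID 3244 wrote to memory of 1884 3244 v7145599.exe 89
PID 3244 wrote to memory of 1884 3244 v7145599.exe 89
PID 3244 wrote to memory of 1884 3244 v7145599.exe 89
PID 1884 wrote to memory of 2808 1884 v8563003.exe 90
PID 1884 wrote to memory of 2808 1884 v8563003.exe 90
PID 1884 wrote to memory of 2808 1884 v8563003.exe 90
PID 2808 wrote to memory of 3132 2808 v1604771.exe 91
PID 2808 wrote to memory of 3132 2808 v1604771.exe 91
PID 2808 wrote to memory of 3132 2808 v1604771.exe 91
PID 2808 wrote to memory of 3420 2808 v1604771.exe 92
PID 2808 wrote to memory of 3420 2808 v1604771.exe 92
PID 2808 wrote to memory of 3420 2808 v1604771.exe 92
PID 1884 wrote to memory of 2544 1884 v8563003.exe 93
PID 1884 wrote to memory of 2544 1884 v8563003.exe 93
PID 1884 wrote to memory of 2544 1884 v8563003.exe 93
"""

# Constructed input: the "Executes dropped EXE" rows (pid, image) from this
# report, used to name children that never write into another process.
DROPPED_ROWS = """\
3768 v3819941.exe
3244 v7145599.exe
1884 v8563003.exe
2808 v1604771.exe
3132 a7407967.exe
3420 b3047556.exe
2544 c1030060.exe
"""

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_edges(text):
    """Return (Counter of (src, dst) -> row count, {pid: image}) from the rows."""
    edges = Counter()
    images = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1          # repeated rows collapse to one edge
        images[src] = m["image"]
    return edges, images


def build_tree(wpm_text, dropped_text):
    """Reconstruct parent, children and nesting depth for every PID seen."""
    edges, images = parse_edges(wpm_text)
    for line in dropped_text.strip().splitlines():
        pid, image = line.split()
        images.setdefault(int(pid), image)
    parent = {dst: src for (src, dst) in edges}
    children = defaultdict(list)
    for (src, dst) in edges:            # Counter keeps first-seen order
        children[src].append(dst)
    roots = sorted({src for (src, _) in edges} - set(parent))

    def depth(pid):
        return 1 if pid not in parent else 1 + depth(parent[pid])

    tree = {}
    for pid in set(parent) | set(roots):
        tree[pid] = {
            "image": images.get(pid, "?"),
            "parent": parent.get(pid),
            "depth": depth(pid),
            "children": children.get(pid, []),
        }
    return tree, roots


def render_tree(tree, roots):
    """Indented listing, one line per process, in launch order."""
    lines = []

    def walk(pid):
        node = tree[pid]
        indent = "  " * (node["depth"] - 1)
        lines.append(f"{indent}[{node['depth']}] {node['image']} (PID {pid})")
        for child in node["children"]:
            walk(child)

    for root in roots:
        walk(root)
    return lines


if __name__ == "__main__":
    tree, roots = build_tree(WPM_ROWS, DROPPED_ROWS)
    print("\n".join(render_tree(tree, roots)))
```

The reconstruction yields one root (PID 3872), seven launches, and the same two leaves at depth 6 (a7407967.exe, b3047556.exe) and one at depth 5 (c1030060.exe) that the Processes section shows; the edge counts of three per launch stay available for anyone who wants to distinguish ordinary process creation from the heavier write patterns of injection.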
Processes
(command line is identical to the image path unless shown)

[1] C:\Users\Admin\AppData\Local\Temp\0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe  (PID 3872)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3819941.exe  (PID 3768)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7145599.exe  (PID 3244)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8563003.exe  (PID 1884)
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1604771.exe  (PID 2808)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7407967.exe  (PID 3132)
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3047556.exe  (PID 3420)
              - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1030060.exe  (PID 2544)
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 832KB
MD5: e010bbd7f9f00b7d1f8da08927170946
SHA1: 36d7272d79a8053959bdf8d4eee82178b5a6b94a
SHA256: 18f129ffeb3dd30a7738a4bd144586f78edd7cef926fc9c25c45e4a58d5baf78
SHA512: 2c11c02bc6fc121fb5431e57f87ae297d698952afe24b6ba46e2d2a58c152043f65d45065058673d33b04ff7fd8c7983874ce3e13879f4e422c02a13d169f10c

Filesize: 606KB
MD5: ff42b45c470b8acd756a2fa18be7aabb
SHA1: 0f9f64a6c651849371bd4b9e863c40bd907d2043
SHA256: 3c2d4cb980f5d726119782aeecb078ba761f17cd2fa27b637d241745782e0197
SHA512: ec5adae56a1c13bbda0b1d2d995d2500c7f6d40d80bbe95b4a4339e51f7d31b9428520b1d995e27e89753dac7c8f0a861a5f36bd14a4f5521dec67c5f13260a8

Filesize: 481KB
MD5: 27ac0b432340327e5bc2fb7e546f903d
SHA1: 621f6b81ffc0b2022d46dccaca1ea9151bf1f71f
SHA256: 77186eff3a3f6d89a41cfef466257da6bd0a5c5b1a902564954938a6cf4794f3
SHA512: 5c863f2fe6f98a86363fea05004626cc5c9d23398aaa1f7fb7ffca13e253f3bd86c3c6ff0aef2e09e2eb4aacda256b20bc0956cc86f63bfb9eb39dca6491dae6

Filesize: 174KB
MD5: 0f477beb21e5332cd47dda614a63e61e
SHA1: 1a6f907e7d3898d377cc3c0c8111290514254c35
SHA256: 01e83488253ae2becf830e690bea7f559e9df7fc93742f33863e45592d2e2c5e
SHA512: 5053a84c278950f012b751f8eba245f15d869507724309aa5ea5bbf9cb7a88f3da078c302f6e77d733dff196f4126c94cae903ed1fee3249394694df0c151853

Filesize: 325KB
MD5: d3b9213f634018ac51a239b5648bd775
SHA1: 9d6648d0d33898a994aac5c4dcff0136faf0c3f8
SHA256: 9481a6ae0b09bef153666063bccbb6b6a1dbca1f218cfe0b1464f33a0d13fe7d
SHA512: bb34114b711f7fed17bb57d2db0b8360fd792084448ca7aeada39ee3caaa144e97e25e1e7f505c25358b4106da4009e526f00584106d99b492a211d7f7c1ecad

Filesize: 184KB
MD5: 5160ef552476ef55422ed01c93f10a3b
SHA1: ed5fc8f46102382dc2366966ea7efb27f56d1f22
SHA256: f8b26d2172a42f3975fdaa5fcf307a6826ae68e930fc24d0c44d05d6a3540c8a
SHA512: e92ac7f1a56027270499c1529d515e8c06de9567f26719fcfe546435e454b0c53718fa2235ac0c31391021a10167dc09e2edabb816afdb1ee6b19757072c6856

Filesize: 141KB
MD5: 1566622a00baec0d3783f6cb52d07537
SHA1: d98724d0eefda57b9cb24533acd5c9abd11429db
SHA256: e3a30402bcc3aa7a6dde9e9ee60fffc98c9ff891c0952b398346dfe6fb0236b5
SHA512: 2db17f5fbbb3554f6eccd29823d50ba89f81a00898642f1dd8dcaf8d8323a89375329c19dbcf7c3a734cf7d675e6de2223a3396926971dddd3b837c3cf287cc4