Analysis
max time kernel: 140s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2023, 16:11
Static task: static1
Behavioral task: behavioral1
Sample: 14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f.exe
Resource: win10v2004-20230831-en
General
Target: 14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f.exe
Size: 1.0MB
MD5: 9a3c2eed6740ec94af81160a13bd1332
SHA1: 7d42e79b6b0f490d78edb39b29014118c6c9f839
SHA256: 14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f
SHA512: b9c15ca26ca2b10ce11b5f90c5eb515cf758e51908e9fe2acabb1edb554d912a009eb0fdb14a723d01a9769e618b907701fe85f4cd677fa20f3ce6f8ea1d1deb
SSDEEP: 24576:IydHObmPPxVlJZBvvNXqF/h0EqJFnz0FvOh7T9R+QN:PdHOqPxVlnRv5qnjqXz0FvOh7JR+Q
Malware Config
Extracted
Family: redline
Botnet: narik
C2: 77.91.124.82:19071
auth_value: 07924f5ef90576eb64faea857b8ba3e5
Signatures

Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (q4667749.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (q4667749.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (q4667749.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (q4667749.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (q4667749.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (q4667749.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 7 IoCs
pid / Process:
- 2872 z5413598.exe
- 1056 z3637545.exe
- 3864 z2724590.exe
- 2580 z3030458.exe
- 3416 q4667749.exe
- 4348 r4774417.exe
- 4396 s2271866.exe

Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (q4667749.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (q4667749.exe)
Adds Run key to start application 2 TTPs 5 IoCs
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (z5413598.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (z3637545.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (z2724590.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (z3030458.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f.exe)
Drops file in System32 directory 1 IoCs
description / ioc / Process:
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EC9E7C61-EDA3-47E6-B00B-AED82613F972}.catalogItem (svchost.exe)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (svchost.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
- 3416 q4667749.exe
- 3416 q4667749.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process:
- Token: SeDebugPrivilege; 3416 q4667749.exe
Suspicious use of WriteProcessMemory 21 IoCs
description / pid / Process / procid_target (each parent-to-child write appears three times in the report's table):
- PID 1192 wrote to memory of 2872; 1192 14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f.exe; procid_target 86 (x3)
- PID 2872 wrote to memory of 1056; 2872 z5413598.exe; procid_target 87 (x3)
- PID 1056 wrote to memory of 3864; 1056 z3637545.exe; procid_target 89 (x3)
- PID 3864 wrote to memory of 2580; 3864 z2724590.exe; procid_target 90 (x3)
- PID 2580 wrote to memory of 3416; 2580 z3030458.exe; procid_target 91 (x3)
- PID 2580 wrote to memory of 4348; 2580 z3030458.exe; procid_target 92 (x3)
- PID 3864 wrote to memory of 4396; 3864 z2724590.exe; procid_target 93 (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 728

C:\Users\Admin\AppData\Local\Temp\14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\14e66789ed13e60a8e16aae8f6f50b6c26466b75bdef72c289d22514720fa22f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1192

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5413598.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5413598.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2872

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3637545.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3637545.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1056

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2724590.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2724590.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3864

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030458.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030458.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 2580

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4667749.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4667749.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3416

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4774417.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4774417.exe
            - Executes dropped EXE
            PID: 4348

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2271866.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2271866.exe
          - Executes dropped EXE
          PID: 4396
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads