Resubmissions
18/10/2022, 04:32 | 221018-e51g6seeb8 | score 10
18/10/2022, 04:06 | 221018-epj59aedd6 | score 7
18/10/2022, 03:34 | 221018-d417mseefj | score 10

Analysis
max time kernel: 271s
max time network: 302s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18/10/2022, 03:34
Static task: static1

Behavioral task: behavioral1
Sample: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Resource: win10-20220901-en
General
Target: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Size: 521KB
MD5: c0318aa61a314fed79c87be28f0db3ba
SHA1: 361e5206d2e0aeb88174c524e6c7cfb90c94670d
SHA256: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
SHA512: 619ad72faaa694d7dd141288c8f99738d3110fb2e08ea9a5feda3777d4d32456feca66a2e0da96a0610f475e358cb9bb99fc54a179fb98674f91cb205ff7a586
SSDEEP: 12288:bjNYGB77lC5eQoyLKWRIvwr222Zy+CQI1Cr2H:bjN99J2eOWF22ZaTe
Malware Config
Extracted
Family: redline
Botnet: BirjRo1
C2: 79.137.197.136:23532
Attributes:
  auth_value: 278e5c62cf6a9bb4e0ab732b17b0368e
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral2/files/0x000300000001ac07-962.dat | family_redline
behavioral2/files/0x000300000001ac07-971.dat | family_redline
behavioral2/memory/5076-998-0x0000000000DF0000-0x0000000000E18000-memory.dmp | family_redline

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid | Process
4556 | svcmgr.exe
5076 | extra.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Windows\\SvcManager\\svcnetwork.dll" | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Modifies WinLogon (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\WgaUtilAcc = "0" | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe

Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\SvcManager\svcnetwork.dll | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
File created | C:\Windows\SvcManager\svcnetwork.dat | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
File opened for modification | C:\Windows\SvcManager\tempimport.inf | powershell.exe
File opened for modification | C:\Windows\SvcManager\secedit.jfm | powershell.exe
File created | C:\Windows\SvcManager\svcmgr.exe | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
File created | C:\Windows\SvcManager\las.ps1 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
File created | C:\Windows\SvcManager\tempexport.inf | SecEdit.exe
File opened for modification | C:\Windows\SvcManager\tempexport.inf | SecEdit.exe
File opened for modification | C:\Windows\SvcManager\secedit.sdb | powershell.exe
File opened for modification | C:\Windows\SvcManager\tempexport.inf | powershell.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svcmgr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svcmgr.exe

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
4528 | PING.EXE

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1324 | powershell.exe
1324 | powershell.exe
1324 | powershell.exe
376 | powershell.exe
376 | powershell.exe
376 | powershell.exe
4536 | powershell.exe
4536 | powershell.exe
4536 | powershell.exe
5076 | extra.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1324 | powershell.exe
Token: SeDebugPrivilege | 376 | powershell.exe
Token: SeDebugPrivilege | 4536 | powershell.exe
Token: SeDebugPrivilege | 4556 | svcmgr.exe
Token: SeDebugPrivilege | 5076 | extra.exe

Suspicious use of WriteProcessMemory (57 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe (PID 3500)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"
    - Sets DLL path for service in the registry
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4424)
        cmdline: C:\Windows\system32\cmd.exe /c net user %username%
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe (PID 4464)
            cmdline: net user Admin
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 3064)
                cmdline: C:\Windows\system32\net1 user Admin

    [2] C:\Windows\SysWOW64\cmd.exe (PID 5044)
        cmdline: C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1324)
            cmdline: powershell.exe Set-ExecutionPolicy bypass -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4940)
        cmdline: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 376)
            cmdline: powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 3624)
        cmdline: C:\Windows\system32\cmd.exe /c powershell.exe C:\Windows\SvcManager\las.ps1
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4536)
            cmdline: powershell.exe C:\Windows\SvcManager\las.ps1
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\SecEdit.exe (PID 2372)
                cmdline: "C:\Windows\system32\SecEdit.exe" /export /cfg tempexport.inf
                - Drops file in Windows directory

            [4] C:\Windows\SysWOW64\SecEdit.exe (PID 200)
                cmdline: "C:\Windows\system32\SecEdit.exe" /import /db secedit.sdb /cfg .\tempimport.inf

            [4] C:\Windows\SysWOW64\SecEdit.exe (PID 3952)
                cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb

            [4] C:\Windows\SysWOW64\gpupdate.exe (PID 2592)
                cmdline: "C:\Windows\system32\gpupdate.exe" /force

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4328)
        cmdline: C:\Windows\system32\cmd.exe /c del /f C:\Windows\SvcManager\las.ps1

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4448)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4568)
        cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\extra.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\extra.exe (PID 5076)
            cmdline: C:\Users\Admin\AppData\Local\Temp\\extra.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4172)
        cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE (PID 4528)
            cmdline: ping 1.1.1.1 -n 1 -w 3000
            - Runs ping.exe

[1] C:\Windows\SvcManager\svcmgr.exe (PID 4556)
    cmdline: C:\Windows\SvcManager\svcmgr.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads