Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/10/2022, 04:32
221018-e51g6seeb8 1018/10/2022, 04:06
221018-epj59aedd6 718/10/2022, 03:34
221018-d417mseefj 10Analysis
-
max time kernel
1616s -
max time network
1803s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
18/10/2022, 04:32
General
-
Target
be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
-
Size
521KB
-
MD5
c0318aa61a314fed79c87be28f0db3ba
-
SHA1
361e5206d2e0aeb88174c524e6c7cfb90c94670d
-
SHA256
be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
-
SHA512
619ad72faaa694d7dd141288c8f99738d3110fb2e08ea9a5feda3777d4d32456feca66a2e0da96a0610f475e358cb9bb99fc54a179fb98674f91cb205ff7a586
-
SSDEEP
12288:bjNYGB77lC5eQoyLKWRIvwr222Zy+CQI1Cr2H:bjN99J2eOWF22ZaTe
Malware Config
Extracted
redline
BirjRo1
79.137.197.136:23532
-
auth_value
278e5c62cf6a9bb4e0ab732b17b0368e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Modifies WinLogon 2 TTPs 4 IoCs
-
Drops file in Windows directory 10 IoCs
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"1⤵
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net user %username%2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Admin3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Set-ExecutionPolicy bypass -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe C:\Windows\SvcManager\las.ps12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe C:\Windows\SvcManager\las.ps13⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SecEdit.exe"C:\Windows\system32\SecEdit.exe" /export /cfg tempexport.inf4⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\SecEdit.exe"C:\Windows\system32\SecEdit.exe" /import /db secedit.sdb /cfg .\tempimport.inf4⤵
-
-
C:\Windows\SysWOW64\SecEdit.exe"C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb4⤵
-
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del /f C:\Windows\SvcManager\las.ps12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\extra.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\extra.exeC:\Users\Admin\AppData\Local\Temp\\extra.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 8082⤵
- Program crash
-
-
C:\Windows\SvcManager\svcmgr.exeC:\Windows\SvcManager\svcmgr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3216 -ip 32161⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD574beabd4347b1ecc24fdc6cd9bb2ec64
SHA1b793909bd2bf91d40eafb71194cc3eeb0c057110
SHA25680d19c23e407ccffe9f5b43087c752b2157294a1e42d887705b9924ceb9e6af9
SHA512f36be6d71e6ae79ffa79e9bc8d57e79cc14ace932fcc2106ab4df8f4ba99506dac3c007d986dfe3bf8884977a411ba1faa713489dc27b25c23bec49d42abd802
-
Filesize
16KB
MD5af7e6457f23e3e3c1282029c05277211
SHA11e7dc23cb34061e5fc499d67a5f5ad2be08d53f4
SHA2564ec09c21644a4c8fe75dd16cde4ba26ef87a4d0e8c35c0427d452f2797e4d43d
SHA5127a1bfd35e88bf444eaa5a196fdd36b5e90d1fd3b2709bcc36da5cf8fac7dc4bc505122256012c31fc0b6b9cd55987c2c4c5b038ed9c2665d393c03b5c8da8e21
-
Filesize
18KB
MD580e90054166c4a2905901ce7a11647be
SHA1299e86309714bb8e8acd7b53aee4d72a188bfc12
SHA256e9eb8cb8a32d04afc7f68f2885df93993dafef52d69f8fed2e37a689510977bd
SHA5120ad7596d2fb1404151b40d550171d215dcaf14bd703d1f5df2bcad4888fd7887040abc6201f3a12f4e3db17b929472fa6c626e3228827aea958af7bf33e764f6
-
Filesize
137KB
MD50072395e192397b4f98bbb6852d1d495
SHA18246494746644b90380a4458e9248e7f3341ad8f
SHA256f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c
SHA5121c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d
-
Filesize
137KB
MD50072395e192397b4f98bbb6852d1d495
SHA18246494746644b90380a4458e9248e7f3341ad8f
SHA256f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c
SHA5121c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d
-
Filesize
1KB
MD59a6fbc01aa4147aa5aa91fca92ef6dfd
SHA1f8b47020022626abef69f2032d22e89b95b994a8
SHA256f63923ddc20574ca230a3b51bf7a6bf158a53f84494e2081071c3469abb068ca
SHA512a80c89c1daa41d8c1f5c71ec06db7eaf6f686f4726ef5cce8d8854371fec4dfa88b4649ee7f78c59ff4f1f00a7296a917696a760228ce59206c09d3d7e954990
-
Filesize
788KB
MD5621074969d8ccca5585201b6268e2faf
SHA1252f556025ec03884edfd793da95179e31b055e5
SHA256e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe
SHA5120806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a
-
Filesize
788KB
MD5621074969d8ccca5585201b6268e2faf
SHA1252f556025ec03884edfd793da95179e31b055e5
SHA256e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe
SHA5120806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a
-
Filesize
16KB
MD512521efd8145d438a53ae40ea56dca29
SHA1cdf74522965a8d0b8ee74e1f49698fc334251a66
SHA256621c13968a16a9280f14cea9e2577678af7129f6899615defebc08782eb8b756
SHA51223086f47ce9cafcbe035d69a2bb3c86bed17029226e0b2a8ec33823d0515287f52a989cbc6aa6dd8fb7425dd6ddf0cd819c248a18d76de587839fb44404c2206
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
160KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
816KB
-
Filesize
1.9MB
-
Filesize
644KB
-
Filesize
368KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
368KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB