Resubmissions
18/10/2022, 04:32  221018-e51g6seeb8  (score 10)
18/10/2022, 04:06  221018-epj59aedd6  (score 7)
18/10/2022, 03:34  221018-d417mseefj  (score 10)

Analysis
max time kernel: 1616s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2022, 04:32
Static task: static1

Behavioral task: behavioral1
  Sample: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  Resource: win10v2004-20220812-en
General
Target: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
Size: 521KB
MD5: c0318aa61a314fed79c87be28f0db3ba
SHA1: 361e5206d2e0aeb88174c524e6c7cfb90c94670d
SHA256: be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b
SHA512: 619ad72faaa694d7dd141288c8f99738d3110fb2e08ea9a5feda3777d4d32456feca66a2e0da96a0610f475e358cb9bb99fc54a179fb98674f91cb205ff7a586
SSDEEP: 12288:bjNYGB77lC5eQoyLKWRIvwr222Zy+CQI1Cr2H:bjN99J2eOWF22ZaTe
Malware Config
Extracted
Family: redline
Botnet: BirjRo1
C2: 79.137.197.136:23532
auth_value: 278e5c62cf6a9bb4e0ab732b17b0368e
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000022e17-184.dat | family_redline
  behavioral2/files/0x0007000000022e17-183.dat | family_redline
  behavioral2/memory/2396-185-0x0000000000900000-0x0000000000928000-memory.dmp | family_redline

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid | Process
  2696 | svcmgr.exe
  2396 | extra.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Windows\\SvcManager\\svcnetwork.dll" | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Modifies WinLogon (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\WgaUtilAcc = "0" | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe

Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SvcManager\tempimport.inf | powershell.exe
  File opened for modification | C:\Windows\SvcManager\tempexport.inf | powershell.exe
  File created | C:\Windows\SvcManager\svcnetwork.dll | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  File created | C:\Windows\SvcManager\svcnetwork.dat | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  File created | C:\Windows\SvcManager\las.ps1 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  File created | C:\Windows\SvcManager\tempexport.inf | SecEdit.exe
  File opened for modification | C:\Windows\SvcManager\tempexport.inf | SecEdit.exe
  File opened for modification | C:\Windows\SvcManager\secedit.sdb | powershell.exe
  File opened for modification | C:\Windows\SvcManager\secedit.jfm | powershell.exe
  File created | C:\Windows\SvcManager\svcmgr.exe | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  708 | 3216 | WerFault.exe | 81

Modifies data under HKEY_USERS (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svcmgr.exe

Runs net.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  3092 | PING.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  4936 | powershell.exe
  4936 | powershell.exe
  2096 | powershell.exe
  2096 | powershell.exe
  4264 | powershell.exe
  4264 | powershell.exe
  2396 | extra.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4936 | powershell.exe
  Token: SeDebugPrivilege | 2096 | powershell.exe
  Token: SeDebugPrivilege | 4264 | powershell.exe
  Token: SeDebugPrivilege | 2696 | svcmgr.exe
  Token: SeDebugPrivilege | 2396 | extra.exe

Suspicious use of WriteProcessMemory (57 IoCs)
  description | pid | Process | procid_target
  PID 3216 wrote to memory of 2100 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 84
  PID 3216 wrote to memory of 2100 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 84
  PID 3216 wrote to memory of 2100 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 84
  PID 2100 wrote to memory of 4964 | 2100 | cmd.exe | 85
  PID 2100 wrote to memory of 4964 | 2100 | cmd.exe | 85
  PID 2100 wrote to memory of 4964 | 2100 | cmd.exe | 85
  PID 4964 wrote to memory of 4876 | 4964 | net.exe | 86
  PID 4964 wrote to memory of 4876 | 4964 | net.exe | 86
  PID 4964 wrote to memory of 4876 | 4964 | net.exe | 86
  PID 3216 wrote to memory of 4924 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 87
  PID 3216 wrote to memory of 4924 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 87
  PID 3216 wrote to memory of 4924 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 87
  PID 4924 wrote to memory of 4936 | 4924 | cmd.exe | 88
  PID 4924 wrote to memory of 4936 | 4924 | cmd.exe | 88
  PID 4924 wrote to memory of 4936 | 4924 | cmd.exe | 88
  PID 3216 wrote to memory of 1140 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 92
  PID 3216 wrote to memory of 1140 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 92
  PID 3216 wrote to memory of 1140 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 92
  PID 1140 wrote to memory of 2096 | 1140 | cmd.exe | 93
  PID 1140 wrote to memory of 2096 | 1140 | cmd.exe | 93
  PID 1140 wrote to memory of 2096 | 1140 | cmd.exe | 93
  PID 3216 wrote to memory of 4168 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 97
  PID 3216 wrote to memory of 4168 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 97
  PID 3216 wrote to memory of 4168 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 97
  PID 4168 wrote to memory of 4264 | 4168 | cmd.exe | 98
  PID 4168 wrote to memory of 4264 | 4168 | cmd.exe | 98
  PID 4168 wrote to memory of 4264 | 4168 | cmd.exe | 98
  PID 4264 wrote to memory of 5108 | 4264 | powershell.exe | 99
  PID 4264 wrote to memory of 5108 | 4264 | powershell.exe | 99
  PID 4264 wrote to memory of 5108 | 4264 | powershell.exe | 99
  PID 4264 wrote to memory of 4976 | 4264 | powershell.exe | 100
  PID 4264 wrote to memory of 4976 | 4264 | powershell.exe | 100
  PID 4264 wrote to memory of 4976 | 4264 | powershell.exe | 100
  PID 4264 wrote to memory of 1584 | 4264 | powershell.exe | 101
  PID 4264 wrote to memory of 1584 | 4264 | powershell.exe | 101
  PID 4264 wrote to memory of 1584 | 4264 | powershell.exe | 101
  PID 4264 wrote to memory of 1156 | 4264 | powershell.exe | 102
  PID 4264 wrote to memory of 1156 | 4264 | powershell.exe | 102
  PID 4264 wrote to memory of 1156 | 4264 | powershell.exe | 102
  PID 3216 wrote to memory of 4600 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 103
  PID 3216 wrote to memory of 4600 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 103
  PID 3216 wrote to memory of 4600 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 103
  PID 3216 wrote to memory of 3240 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 104
  PID 3216 wrote to memory of 3240 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 104
  PID 3216 wrote to memory of 3240 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 104
  PID 3216 wrote to memory of 5112 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 106
  PID 3216 wrote to memory of 5112 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 106
  PID 3216 wrote to memory of 5112 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 106
  PID 5112 wrote to memory of 2396 | 5112 | cmd.exe | 107
  PID 5112 wrote to memory of 2396 | 5112 | cmd.exe | 107
  PID 5112 wrote to memory of 2396 | 5112 | cmd.exe | 107
  PID 3216 wrote to memory of 3788 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 109
  PID 3216 wrote to memory of 3788 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 109
  PID 3216 wrote to memory of 3788 | 3216 | be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe | 109
  PID 3788 wrote to memory of 3092 | 3788 | cmd.exe | 112
  PID 3788 wrote to memory of 3092 | 3788 | cmd.exe | 112
  PID 3788 wrote to memory of 3092 | 3788 | cmd.exe | 112
Processes

C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"
  PID: 3216
  Signatures: Sets DLL path for service in the registry; Modifies WinLogon; Drops file in Windows directory; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net user %username%
    PID: 2100
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net user Admin
      PID: 4964
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user Admin
        PID: 4876

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
    PID: 4924
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Set-ExecutionPolicy bypass -Force
      PID: 4936
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
    PID: 1140
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
      PID: 2096
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe C:\Windows\SvcManager\las.ps1
    PID: 4168
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe C:\Windows\SvcManager\las.ps1
      PID: 4264
      Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\SecEdit.exe
        Command line: "C:\Windows\system32\SecEdit.exe" /export /cfg tempexport.inf
        PID: 5108
        Signatures: Drops file in Windows directory

      C:\Windows\SysWOW64\SecEdit.exe
        Command line: "C:\Windows\system32\SecEdit.exe" /import /db secedit.sdb /cfg .\tempimport.inf
        PID: 4976

      C:\Windows\SysWOW64\SecEdit.exe
        Command line: "C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb
        PID: 1584

      C:\Windows\SysWOW64\gpupdate.exe
        Command line: "C:\Windows\system32\gpupdate.exe" /force
        PID: 1156

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del /f C:\Windows\SvcManager\las.ps1
    PID: 4600

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 3240

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\extra.exe
    PID: 5112
    Signatures: Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\extra.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\extra.exe
      PID: 2396
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"
    PID: 3788
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 3092
      Signatures: Runs ping.exe

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 808
    PID: 708
    Signatures: Program crash

C:\Windows\SvcManager\svcmgr.exe
  Command line: C:\Windows\SvcManager\svcmgr.exe
  PID: 2696
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3216 -ip 3216
  PID: 4944
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 74beabd4347b1ecc24fdc6cd9bb2ec64
SHA1: b793909bd2bf91d40eafb71194cc3eeb0c057110
SHA256: 80d19c23e407ccffe9f5b43087c752b2157294a1e42d887705b9924ceb9e6af9
SHA512: f36be6d71e6ae79ffa79e9bc8d57e79cc14ace932fcc2106ab4df8f4ba99506dac3c007d986dfe3bf8884977a411ba1faa713489dc27b25c23bec49d42abd802

Filesize: 16KB
MD5: af7e6457f23e3e3c1282029c05277211
SHA1: 1e7dc23cb34061e5fc499d67a5f5ad2be08d53f4
SHA256: 4ec09c21644a4c8fe75dd16cde4ba26ef87a4d0e8c35c0427d452f2797e4d43d
SHA512: 7a1bfd35e88bf444eaa5a196fdd36b5e90d1fd3b2709bcc36da5cf8fac7dc4bc505122256012c31fc0b6b9cd55987c2c4c5b038ed9c2665d393c03b5c8da8e21

Filesize: 18KB
MD5: 80e90054166c4a2905901ce7a11647be
SHA1: 299e86309714bb8e8acd7b53aee4d72a188bfc12
SHA256: e9eb8cb8a32d04afc7f68f2885df93993dafef52d69f8fed2e37a689510977bd
SHA512: 0ad7596d2fb1404151b40d550171d215dcaf14bd703d1f5df2bcad4888fd7887040abc6201f3a12f4e3db17b929472fa6c626e3228827aea958af7bf33e764f6

Filesize: 137KB
MD5: 0072395e192397b4f98bbb6852d1d495
SHA1: 8246494746644b90380a4458e9248e7f3341ad8f
SHA256: f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c
SHA512: 1c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d

Filesize: 137KB
MD5: 0072395e192397b4f98bbb6852d1d495
SHA1: 8246494746644b90380a4458e9248e7f3341ad8f
SHA256: f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c
SHA512: 1c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d

Filesize: 1KB
MD5: 9a6fbc01aa4147aa5aa91fca92ef6dfd
SHA1: f8b47020022626abef69f2032d22e89b95b994a8
SHA256: f63923ddc20574ca230a3b51bf7a6bf158a53f84494e2081071c3469abb068ca
SHA512: a80c89c1daa41d8c1f5c71ec06db7eaf6f686f4726ef5cce8d8854371fec4dfa88b4649ee7f78c59ff4f1f00a7296a917696a760228ce59206c09d3d7e954990

Filesize: 788KB
MD5: 621074969d8ccca5585201b6268e2faf
SHA1: 252f556025ec03884edfd793da95179e31b055e5
SHA256: e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe
SHA512: 0806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a

Filesize: 788KB
MD5: 621074969d8ccca5585201b6268e2faf
SHA1: 252f556025ec03884edfd793da95179e31b055e5
SHA256: e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe
SHA512: 0806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a

Filesize: 16KB
MD5: 12521efd8145d438a53ae40ea56dca29
SHA1: cdf74522965a8d0b8ee74e1f49698fc334251a66
SHA256: 621c13968a16a9280f14cea9e2577678af7129f6899615defebc08782eb8b756
SHA512: 23086f47ce9cafcbe035d69a2bb3c86bed17029226e0b2a8ec33823d0515287f52a989cbc6aa6dd8fb7425dd6ddf0cd819c248a18d76de587839fb44404c2206