Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
09/03/2023, 19:51
Static task
static1
Behavioral task
behavioral1
Sample
f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe
Resource
win10-20230220-en
General
-
Target
f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe
-
Size
551KB
-
MD5
7391ea3ac365085ed45a94b6c801abe1
-
SHA1
b3088b6b3c622a42b482bd360184e28a67495f27
-
SHA256
f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4
-
SHA512
3f21991e2128f193e501ff69bd85d6000412e5269b77329475617b9cf82d9c8d09f0be90fefa8410288531e5ed058b5587e88aca2e8bc38fbfa5e42279c60fef
-
SSDEEP
12288:xMrWy90hGyVQD6asU+ejCWMJPWFAy7hiIz5D7:ny4V0N+KPMJOFZii
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Extracted
redline
dezik
193.56.146.220:4174
-
auth_value
d39f21dca8edc10800b036ab83f4d75e
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b1269oT.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b1269oT.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b1269oT.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b1269oT.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b1269oT.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4888-139-0x0000000002480000-0x00000000024C6000-memory.dmp family_redline behavioral1/memory/4888-143-0x0000000004A40000-0x0000000004A84000-memory.dmp family_redline behavioral1/memory/4888-144-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-145-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-147-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-149-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-151-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-153-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-155-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-157-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-159-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-161-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-163-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-165-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-167-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-169-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-171-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-173-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-175-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-177-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-179-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-181-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-183-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-185-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-189-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-191-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-193-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-195-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-197-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-199-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-201-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-203-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-205-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-207-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline behavioral1/memory/4888-209-0x0000000004A40000-0x0000000004A7E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 4152 nice5932.exe 4456 b1269oT.exe 4888 c16LC26.exe 1340 dgiPP10.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b1269oT.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce nice5932.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nice5932.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4456 b1269oT.exe 4456 b1269oT.exe 4888 c16LC26.exe 4888 c16LC26.exe 1340 dgiPP10.exe 1340 dgiPP10.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4456 b1269oT.exe Token: SeDebugPrivilege 4888 c16LC26.exe Token: SeDebugPrivilege 1340 dgiPP10.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4108 wrote to memory of 4152 4108 f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe 66 PID 4108 wrote to memory of 4152 4108 f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe 66 PID 4108 wrote to memory of 4152 4108 f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe 66 PID 4152 wrote to memory of 4456 4152 nice5932.exe 67 PID 4152 wrote to memory of 4456 4152 nice5932.exe 67 PID 4152 wrote to memory of 4888 4152 nice5932.exe 68 PID 4152 wrote to memory of 4888 4152 nice5932.exe 68 PID 4152 wrote to memory of 4888 4152 nice5932.exe 68 PID 4108 wrote to memory of 1340 4108 f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe 70 PID 4108 wrote to memory of 1340 4108 f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe 70 PID 4108 wrote to memory of 1340 4108 f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe"C:\Users\Admin\AppData\Local\Temp\f5cf9b7173241a9f75856f387ac243f5c344bc903ca339fc096cfebeaf6b84f4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5932.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5932.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1269oT.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1269oT.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c16LC26.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c16LC26.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgiPP10.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgiPP10.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD592f2a148b8f701e50e2f838f73d4d7b7
SHA1324d8546e35d4f4285cac15b21620299ba5cb023
SHA2569ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04
SHA5123300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c
-
Filesize
175KB
MD592f2a148b8f701e50e2f838f73d4d7b7
SHA1324d8546e35d4f4285cac15b21620299ba5cb023
SHA2569ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04
SHA5123300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c
-
Filesize
406KB
MD5ed0de9d0e92b75f4b14c960c5b126a49
SHA12f68ba84568177708dd1458fd6ee9eedd4ff09fb
SHA2563bec89b47244e60281dbd65b68e7a58ada9f9cd5d94bd0e2747cd626d54a3f6c
SHA512d6845ba188ff3936cc1fff25137f8d3b37d388e16e9cc90b41bce7de53b146acd7da430919434c00d37e1ac2c1f3e75136918890fd52cc1f65fceb869ec547e5
-
Filesize
406KB
MD5ed0de9d0e92b75f4b14c960c5b126a49
SHA12f68ba84568177708dd1458fd6ee9eedd4ff09fb
SHA2563bec89b47244e60281dbd65b68e7a58ada9f9cd5d94bd0e2747cd626d54a3f6c
SHA512d6845ba188ff3936cc1fff25137f8d3b37d388e16e9cc90b41bce7de53b146acd7da430919434c00d37e1ac2c1f3e75136918890fd52cc1f65fceb869ec547e5
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
373KB
MD509d802dae8cc774b0aa7fea0c9a271bd
SHA1e2e71100eefc6a88da7016a6d21f5187b9119a7e
SHA2566ddd461d8d914589cae721431b01c29540771dc1becc5092af70e1c18308e7a3
SHA5122fb75630e1d70955afe05500ef846e2b60c98e13799b7d1db2b753b2a7a5e72edcef54bfdbde0e984d41efda571969c044cb1d4a007e18f053b18fcb9f119b88
-
Filesize
373KB
MD509d802dae8cc774b0aa7fea0c9a271bd
SHA1e2e71100eefc6a88da7016a6d21f5187b9119a7e
SHA2566ddd461d8d914589cae721431b01c29540771dc1becc5092af70e1c18308e7a3
SHA5122fb75630e1d70955afe05500ef846e2b60c98e13799b7d1db2b753b2a7a5e72edcef54bfdbde0e984d41efda571969c044cb1d4a007e18f053b18fcb9f119b88