Analysis
  max time kernel:  146s
  max time network: 112s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        14/03/2023, 23:09
Static task: static1

Behavioral task: behavioral1
  Sample:   8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe
  Resource: win10v2004-20230220-en
General
  Target: 8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe
  Size:   787KB
  MD5:    a7359e466be8cef4169a936ccecffd3d
  SHA1:   843430866afc9b0a11b277e297875c61169941b8
  SHA256: 8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2
  SHA512: 45a46c89b0728ba151628ed15af8b5dab00c1dab59fb34f7273f96ea5ceaf9a1e64b615bdb3ca2da20c4cc95d8f6e260113ae6bc31beac82fd81962e4d92d8ec
  SSDEEP: 24576:gyTHXl1+EOomgMvgjH4WA5Y5P7xZ1q84:nT3lBvjkH5YJH1q
Malware Config

Extracted: redline
  Botnet:     mango
  C2:         193.233.20.28:4125
  auth_value: ecf79d7f5227d998a3501c972d915d23

Extracted: redline
  Botnet:     rita
  C2:         193.233.20.28:4125
  auth_value: 5cf1bcf41b0a2f3710619223451dfd3a

Two RedLine configurations were recovered. Both point at the same C2 endpoint (193.233.20.28, TCP port 4125) and differ only in botnet tag and auth_value, so one network indicator covers both payloads.
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
  b3703eP.exe, under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:
    Key created
    Set value (int) DisableBehaviorMonitoring = "1"
    Set value (int) DisableIOAVProtection = "1"
    Set value (int) DisableRealtimeMonitoring = "1"
    Set value (int) DisableOnAccessProtection = "1"
    Set value (int) DisableScanOnRealtimeEnable = "1"
  c41Np16.exe, under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection:
    Key created
    Set value (int) DisableScanOnRealtimeEnable = "1"
    Set value (int) DisableBehaviorMonitoring = "1"
    Set value (int) DisableIOAVProtection = "1"
    Set value (int) DisableOnAccessProtection = "1"
    Set value (int) DisableRealtimeMonitoring = "1"

  Both stages write the same five policy values; the c41Np16.exe writes are recorded under the WOW6432Node path, so a detection keyed on the exact native path alone would miss half of them. The table records the writes being attempted, not Defender honouring them: with Tamper Protection enabled, Defender does not accept these policy-driven changes, which is why the same two stages also try to zero Features\TamperProtection (see "Windows security modification" below).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 19 IoCs
  resource:  behavioral1/memory/2352-NNN-0x0000000002620000-0x000000000265E000-memory.dmp for NNN in 202, 203, 205, 207, 209, 211, 213, 215, 217, 219, 221, 223, 225, 227, 229, 231, 233, 235 (18 dumps of the same region of dXrsi77.exe, PID 2352)
  resource:  behavioral1/memory/2352-1122-0x0000000004C40000-0x0000000004C50000-memory.dmp
  yara_rule: family_redline (all 19)

Executes dropped EXE 6 IoCs
  pid   Process
  1868  tice5474.exe
  3016  tice4646.exe
  4444  b3703eP.exe
  1276  c41Np16.exe
  2352  dXrsi77.exe
  4352  e49Bx82.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 3 IoCs
  b3703eP.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
  c41Np16.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  c41Np16.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

  Tamper Protection exists to block exactly this kind of change while it is enabled, so the report shows the write being attempted; whether it took effect depends on the host's state.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
  8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  tice5474.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  tice5474.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  tice4646.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  tice4646.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"

  Despite the signature name, these RunOnce values are not persistence. The wextract_cleanupN value and the IXP00N.TMP directory are the footprint of the Windows self-extractor stub (wextract.exe, the IExpress packager): each layer unpacks into a fresh IXP00N.TMP directory, runs the next stage, and registers a DelNodeRunDLL32 call that deletes that directory at the next logon. Three nested entries (0, 1, 2) match the three packer layers in the process tree. The practical consequence is that the staged files disappear after a reboot, so collect the IXP00N.TMP contents before then.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
  pid   pid_target  Process       procid_target
  3972  1276        WerFault.exe  95
  1548  2352        WerFault.exe  100

Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid   Process       count
  4444  b3703eP.exe   2
  1276  c41Np16.exe   2
  2352  dXrsi77.exe   2
  4352  e49Bx82.exe   2

Suspicious use of AdjustPrivilegeToken 4 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  4444  b3703eP.exe
  Token: SeDebugPrivilege  1276  c41Np16.exe
  Token: SeDebugPrivilege  2352  dXrsi77.exe
  Token: SeDebugPrivilege  4352  e49Bx82.exe

Suspicious use of WriteProcessMemory 17 IoCs
  pid   wrote to memory of  Process                                                                   procid_target  count
  324   1868                8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe     85             3
  1868  3016                tice5474.exe                                                              86             3
  3016  4444                tice4646.exe                                                              87             2
  3016  1276                tice4646.exe                                                              95             3
  1868  2352                tice5474.exe                                                              100            3
  324   4352                8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe     105            3
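The Defender policy writes, the TamperProtection write, the wextract_cleanup RunOnce entries and the execution of stages out of IXP00N.TMP directories are all visible in ordinary registry-set and process-creation telemetry. The following is an added example, not part of the Triage report and not RedLine's code: a small rule set in Python run over events transcribed by hand from the tables above plus one constructed benign control. The event field names (kind, process, key, value, data, image) are an assumed flat schema, not any sandbox's or SIEM's native format; the WOW6432Node normalisation is what lets the c41Np16.exe writes match the same rule as the b3703eP.exe writes.

```python
"""Rule set for the host behaviours in this report, run over constructed events.
Added example, not code from the Triage report or from RedLine. The event
field names (kind, process, key, value, data, image) are an assumed schema."""
import re
from dataclasses import dataclass

# Real-Time Protection policy values that switch a protection component off
# when set to 1; all five appear in the report's Defender signature.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"
RUNONCE_KEY = r"hklm\software\microsoft\windows\currentversion\runonce"
# wextract registers 'rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"' under RunOnce
# to delete its IXP00N.TMP staging directory; the quoted argument is that directory.
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.I)
IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def normalize_key(path: str) -> str:
    """Canonical registry path: the kernel root (\\REGISTRY\\MACHINE) and the
    Win32 root (HKEY_LOCAL_MACHINE) both become HKLM, the WOW6432Node component
    is dropped, and the result is lower-cased for case-insensitive comparison."""
    p = path.strip().rstrip("\\")
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)
    return p.lower()


def as_int(data):
    """DWORD data arrives either as an int or as the report's quoted string ("1")."""
    if isinstance(data, int):
        return data
    try:
        return int(str(data).strip().strip('"'), 0)
    except ValueError:
        return None


def check_registry_set(ev: dict):
    """Return a Finding for one registry value write, or None if no rule fires."""
    key = normalize_key(ev["key"])
    name, data, proc = ev["value"], ev["data"], ev["process"]
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and as_int(data) == 1:
        return Finding("defender_rtp_disabled", proc, name)
    if key == FEATURES_KEY and name.lower() == "tamperprotection" and as_int(data) == 0:
        return Finding("defender_tamper_protection_off", proc, name)
    if key == RUNONCE_KEY and name.lower().startswith("wextract_cleanup"):
        m = CLEANUP_RE.search(str(data))
        staging_dir = m.group("dir").rstrip("\\") if m else str(data)
        return Finding("wextract_cleanup_runonce", proc, staging_dir)
    return None


def check_process_create(ev: dict):
    """Flag a stage executed out of a wextract IXP00N.TMP staging directory."""
    if IXP_DIR_RE.search(ev.get("image", "")):
        return Finding("exec_from_wextract_dir", ev["process"], ev["image"])
    return None


def detect(events):
    """Apply the rule for each event kind; findings come back in event order."""
    handlers = {"registry_set": check_registry_set,
                "process_create": check_process_create}
    findings = []
    for ev in events:
        handler = handlers.get(ev.get("kind"))
        hit = handler(ev) if handler else None
        if hit is not None:
            findings.append(hit)
    return findings


SAMPLE = "8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe"
# Events transcribed from the report's tables, plus one constructed benign
# control at the end (a policy write that turns a component back on; must not fire).
SAMPLE_EVENTS = [
    {"kind": "registry_set", "process": "b3703eP.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": "1"},
    {"kind": "registry_set", "process": "c41Np16.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableIOAVProtection", "data": "1"},
    {"kind": "registry_set", "process": "b3703eP.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features",
     "value": "TamperProtection", "data": "0"},
    {"kind": "registry_set", "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"kind": "process_create", "process": "tice5474.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5474.exe"},
    {"kind": "registry_set", "process": "constructed-benign.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 0},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.process:16} {f.detail}")
```

Mapping to real telemetry: Sysmon Event ID 13 (RegistryEvent, Value Set) carries TargetObject and Details, which feed the key, value and data fields here, and Event ID 1 (Process Create) carries Image for the process rule. The rules compare normalised full key paths and path suffixes only, so the \REGISTRY\MACHINE versus HKLM naming difference between a sandbox report and Sysmon does not matter, and the wextract rule returns the staging directory so the dropped stages can be collected before the RunOnce entry deletes them.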
Processes

C:\Users\Admin\AppData\Local\Temp\8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe  (PID 324)
  command line: "C:\Users\Admin\AppData\Local\Temp\8f598c5341193ab80453174f0a1749b3f073374883e62d471d7499c49d3791f2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice5474.exe  (PID 1868)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4646.exe  (PID 3016)
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3703eP.exe  (PID 4444)
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c41Np16.exe  (PID 1276)
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1088  (PID 3972)
                  - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dXrsi77.exe  (PID 2352)
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1352  (PID 1548)
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e49Bx82.exe  (PID 4352)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1276 -ip 1276  (PID 3268)

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2352 -ip 2352  (PID 2128)

Reading the tree: each self-extractor layer unpacks into the next IXP00N.TMP directory (IXP000.TMP, then IXP001.TMP, then IXP002.TMP) before the two Defender-tampering stages (b3703eP.exe, c41Np16.exe) and the stealer stages (dXrsi77.exe, e49Bx82.exe) run. The two top-level SysWOW64\WerFault.exe instances belong to the crashes of c41Np16.exe (PID 1276) and dXrsi77.exe (PID 2352) listed under Program crash; the RedLine YARA hits were taken from the memory of dXrsi77.exe before it crashed.
Network
MITRE ATT&CK Enterprise v6
Downloads

175KB
  MD5:    8b0ea3120d3d291045b26bcea5ccef54
  SHA1:   07ed9587057ae936ca0610051142a4add4f7b6aa
  SHA256: 6659717ddb5d87d6dc4e3c9e1d582bc58778c633eb50c61e3bdc57b5d3be7690
  SHA512: 6d112c8621488b8ec6373ec6ab87b20cd07d33ea945d67a6aaa9ca043d9556b735b3c7b9d33c562e29c8e875c3a947a203a33ad27c2d2afe75e2f75873768244

642KB
  MD5:    1d1a81ae2721b6dceab239d8f6c6fc0e
  SHA1:   b0da356af4e3aae054bab0792050a64fb14ef456
  SHA256: 8c479fd1b5bed9b9f9ff180dc4fb0b2a6e740d53d076e1e2e28737bed708c706
  SHA512: c5f03b6c424c0ffb0aa96de7c56e103ed7eab314530a778c623e643d0aa00f7f167fbf606ac37854441ebad8616b54aaeb94a91527aa8bd787060db1617881ee

295KB
  MD5:    f4f78125cd6f7cb89fc62e74825eaab8
  SHA1:   25211af46468ac10a07817a23fc428182c10b6db
  SHA256: ae34b4624d6ee62c29afee8deadf008c242e5844b82923a2b385a991ddd3653a
  SHA512: 8df9f50fc87af9abc68ce6f7ecd355d14ae41cebf1e84cd29bc5f89d3cc40456da82e673c9d585cf8a292c5897d95170c9aaa7a9929f1a3e774585383c94323f

322KB
  MD5:    808368c0cd15c5530afff18d24a90476
  SHA1:   f201eb6cbe8db9410a84d130be4639a6ca577864
  SHA256: 694377ad55c97196968b2a3bf4635802c8bff81df8db8c25341c09176d21581a
  SHA512: 6fefc562e6c0a1831825137aa1d4cafdda713b635ac221d62720874565518d1c59d965b8df17115bd56f77ef868bdaa64d52c124de70fb975e0bd59b9f57fd4a

11KB
  MD5:    7e93bacbbc33e6652e147e7fe07572a0
  SHA1:   421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

237KB
  MD5:    efdca8a51c45c9415d4e9dcd757bb5fd
  SHA1:   b2dd65fadfe979758fcfaa8468fd75c61ddff214
  SHA256: b442cd7aeddd99f2f8cdc0a634f93f91768b7972da10d0e0d51364f7f6870857
  SHA512: 8983890203a4331402a179ae753d938e0b4a5908b7036ad07d60daeb7e8ef83195619356b5c8d0d448ea3580d11c90533a1d72f5e52c51b799184183444d74da