Analysis
max time kernel: 78s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2023, 20:53
Static task: static1
Behavioral task: behavioral1
Sample: 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe
Resource: win10v2004-20230220-en
General
Target: 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe
Size: 787KB
MD5: 42c4cb41b837bcf9079663ff73839192
SHA1: 70fa42bd81ac2f6bb1bfe719e706426fb335f47a
SHA256: 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a
SHA512: cf2e69f43e6161e70ab6a9d4734a4b1d0a3c8188297f7b03f3997d604d4b06d496617b449840d6e743fc4966a683558cc4656f3e772f51110ca49032cdde99da
SSDEEP: 24576:xyHdJJPbSCmD8btsjF1uJVo+1Y7ufTvOUU:kHdJJPbmSt+uL51YM
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
Family: redline
Botnet: rita
C2: 193.233.20.28:4125
auth_value: 5cf1bcf41b0a2f3710619223451dfd3a
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c45dH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c45dH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c45dH44.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b1519XH.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b1519XH.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b1519XH.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c45dH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c45dH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b1519XH.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b1519XH.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b1519XH.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c45dH44.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/4212-202-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-205-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-203-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-207-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-209-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-215-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-211-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-218-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-220-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-222-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-224-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-226-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-228-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-230-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-232-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-234-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-236-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/4212-238-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
2268 | tice1229.exe
4776 | tice2656.exe
3644 | b1519XH.exe
4916 | c45dH44.exe
4212 | dOOrn30.exe
3860 | e27tZ74.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b1519XH.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c45dH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c45dH44.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice1229.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice1229.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice2656.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice2656.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3880 | 4916 | WerFault.exe | 90
216 | 4212 | WerFault.exe | 97
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
3644 | b1519XH.exe
3644 | b1519XH.exe
4916 | c45dH44.exe
4916 | c45dH44.exe
4212 | dOOrn30.exe
4212 | dOOrn30.exe
3860 | e27tZ74.exe
3860 | e27tZ74.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3644 | b1519XH.exe
Token: SeDebugPrivilege | 4916 | c45dH44.exe
Token: SeDebugPrivilege | 4212 | dOOrn30.exe
Token: SeDebugPrivilege | 3860 | e27tZ74.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 5116 wrote to memory of 2268 | 5116 | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe | 83
PID 5116 wrote to memory of 2268 | 5116 | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe | 83
PID 5116 wrote to memory of 2268 | 5116 | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe | 83
PID 2268 wrote to memory of 4776 | 2268 | tice1229.exe | 84
PID 2268 wrote to memory of 4776 | 2268 | tice1229.exe | 84
PID 2268 wrote to memory of 4776 | 2268 | tice1229.exe | 84
PID 4776 wrote to memory of 3644 | 4776 | tice2656.exe | 85
PID 4776 wrote to memory of 3644 | 4776 | tice2656.exe | 85
PID 4776 wrote to memory of 4916 | 4776 | tice2656.exe | 90
PID 4776 wrote to memory of 4916 | 4776 | tice2656.exe | 90
PID 4776 wrote to memory of 4916 | 4776 | tice2656.exe | 90
PID 2268 wrote to memory of 4212 | 2268 | tice1229.exe | 97
PID 2268 wrote to memory of 4212 | 2268 | tice1229.exe | 97
PID 2268 wrote to memory of 4212 | 2268 | tice1229.exe | 97
PID 5116 wrote to memory of 3860 | 5116 | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe | 104
PID 5116 wrote to memory of 3860 | 5116 | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe | 104
PID 5116 wrote to memory of 3860 | 5116 | 3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe | 104
Processes

C:\Users\Admin\AppData\Local\Temp\3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe (PID 5116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3358b3ee0b994726e0708b3299c4dfa110d03ebf30c863dd5375646d3c54840a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1229.exe (PID 2268)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1229.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2656.exe (PID 4776)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2656.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1519XH.exe (PID 3644)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1519XH.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c45dH44.exe (PID 4916)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c45dH44.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\WerFault.exe (PID 3880)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1084
                  - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dOOrn30.exe (PID 4212)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dOOrn30.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 216)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1344
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e27tZ74.exe (PID 3860)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e27tZ74.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 4292)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4916 -ip 4916

C:\Windows\SysWOW64\WerFault.exe (PID 2788)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4212 -ip 4212
Network
MITRE ATT&CK Enterprise v6
Downloads