Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
108s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
15/03/2023, 05:52
Static task
static1
Behavioral task
behavioral1
Sample
19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe
Resource
win10v2004-20230220-en
General
-
Target
19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe
-
Size
876KB
-
MD5
8f0be4a12412e6edf65769c7f4f53ff8
-
SHA1
26d4ddaafbd3baf4bfee2dd14610bd677073e93f
-
SHA256
19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e
-
SHA512
42faf7688abd85aaef2c7a081b1d1d4d76cb1e554ddcdf0b973192e834ee90fb14c802a4849ca45846b6f97572ae509fc046747f91b34d2e75ef8da8571242ef
-
SSDEEP
12288:tMr5y90pZW7vjIlELjsHFHGfVW8SubBxr3DfSzPdF2PahGSzxbjDHpzt6wAhv:gyyxlELI48ubBZzEPd0PPS1J5E
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Extracted
redline
rita
193.233.20.28:4125
-
auth_value
5cf1bcf41b0a2f3710619223451dfd3a
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b5190iQ.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b5190iQ.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b5190iQ.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b5190iQ.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b5190iQ.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b5190iQ.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/3956-203-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-202-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-205-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-207-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-209-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-211-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-213-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-215-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-217-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-219-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-221-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-223-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-225-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-229-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-227-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-231-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-233-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-235-0x00000000076E0000-0x000000000771E000-memory.dmp family_redline behavioral1/memory/3956-243-0x00000000070E0000-0x00000000070F0000-memory.dmp family_redline behavioral1/memory/3956-1121-0x00000000070E0000-0x00000000070F0000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 1328 tice3314.exe 244 tice0781.exe 1936 b5190iQ.exe 2584 c13Cj92.exe 3956 dEcIv03.exe 220 e42Dx86.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b5190iQ.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c13Cj92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c13Cj92.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce tice0781.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" tice0781.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce tice3314.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" tice3314.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4864 2584 WerFault.exe 95 4032 3956 WerFault.exe 101 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1936 b5190iQ.exe 1936 b5190iQ.exe 2584 c13Cj92.exe 2584 c13Cj92.exe 3956 dEcIv03.exe 3956 dEcIv03.exe 220 e42Dx86.exe 220 e42Dx86.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1936 b5190iQ.exe Token: SeDebugPrivilege 2584 c13Cj92.exe Token: SeDebugPrivilege 3956 dEcIv03.exe Token: SeDebugPrivilege 220 e42Dx86.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2788 wrote to memory of 1328 2788 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe 88 PID 2788 wrote to memory of 1328 2788 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe 88 PID 2788 wrote to memory of 1328 2788 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe 88 PID 1328 wrote to memory of 244 1328 tice3314.exe 89 PID 1328 wrote to memory of 244 1328 tice3314.exe 89 PID 1328 wrote to memory of 244 1328 tice3314.exe 89 PID 244 wrote to memory of 1936 244 tice0781.exe 90 PID 244 wrote to memory of 1936 244 tice0781.exe 90 PID 244 wrote to memory of 2584 244 tice0781.exe 95 PID 244 wrote to memory of 2584 244 tice0781.exe 95 PID 244 wrote to memory of 2584 244 tice0781.exe 95 PID 1328 wrote to memory of 3956 1328 tice3314.exe 101 PID 1328 wrote to memory of 3956 1328 tice3314.exe 101 PID 1328 wrote to memory of 3956 1328 tice3314.exe 101 PID 2788 wrote to memory of 220 2788 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe 110 PID 2788 wrote to memory of 220 2788 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe 110 PID 2788 wrote to memory of 220 2788 19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe"C:\Users\Admin\AppData\Local\Temp\19a2b5206d6f14bc9afb567e60280f48868162e86f7648178354206ddcdc1c0e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3314.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3314.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0781.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0781.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5190iQ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5190iQ.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c13Cj92.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c13Cj92.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 10845⤵
- Program crash
PID:4864
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dEcIv03.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dEcIv03.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 13364⤵
- Program crash
PID:4032
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e42Dx86.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e42Dx86.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2584 -ip 25841⤵PID:1232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3956 -ip 39561⤵PID:3272
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD58b0ea3120d3d291045b26bcea5ccef54
SHA107ed9587057ae936ca0610051142a4add4f7b6aa
SHA2566659717ddb5d87d6dc4e3c9e1d582bc58778c633eb50c61e3bdc57b5d3be7690
SHA5126d112c8621488b8ec6373ec6ab87b20cd07d33ea945d67a6aaa9ca043d9556b735b3c7b9d33c562e29c8e875c3a947a203a33ad27c2d2afe75e2f75873768244
-
Filesize
175KB
MD58b0ea3120d3d291045b26bcea5ccef54
SHA107ed9587057ae936ca0610051142a4add4f7b6aa
SHA2566659717ddb5d87d6dc4e3c9e1d582bc58778c633eb50c61e3bdc57b5d3be7690
SHA5126d112c8621488b8ec6373ec6ab87b20cd07d33ea945d67a6aaa9ca043d9556b735b3c7b9d33c562e29c8e875c3a947a203a33ad27c2d2afe75e2f75873768244
-
Filesize
731KB
MD5ebe2ce8ca5a60777c3014101a34c718f
SHA1bfda1e2a8fa30d0621187a31756c13ce6d44d1bf
SHA2562c0fa10677ef393d4bb3063de42593341187854408a03fad5e05134114e30665
SHA5129537eb70d68e1d6940a8ce42b386c05ac2689df48f1a2f54d8cced8a360907fd275dc59daa4fd26e7fa692ca6ccf08fbe41a29eae1823015d18b663d72b44a13
-
Filesize
731KB
MD5ebe2ce8ca5a60777c3014101a34c718f
SHA1bfda1e2a8fa30d0621187a31756c13ce6d44d1bf
SHA2562c0fa10677ef393d4bb3063de42593341187854408a03fad5e05134114e30665
SHA5129537eb70d68e1d6940a8ce42b386c05ac2689df48f1a2f54d8cced8a360907fd275dc59daa4fd26e7fa692ca6ccf08fbe41a29eae1823015d18b663d72b44a13
-
Filesize
409KB
MD59962d3bc434bcb2af89b22dce2a77dec
SHA16ab0e937a4a2b0938ebd6748e324244f8cc8e704
SHA2561375c0782594e5276340504d9939c738f6256c9b3ec8cbcc4cd6e3b50a0665bf
SHA512481aaa70ba734e97b16bbeb234f8664f3f51a1f23a06a3e05d668f33957d6abda2d57fb24416c6828095d490f1eb97fab03a0f9fed43bd21e54a476e4d06d936
-
Filesize
409KB
MD59962d3bc434bcb2af89b22dce2a77dec
SHA16ab0e937a4a2b0938ebd6748e324244f8cc8e704
SHA2561375c0782594e5276340504d9939c738f6256c9b3ec8cbcc4cd6e3b50a0665bf
SHA512481aaa70ba734e97b16bbeb234f8664f3f51a1f23a06a3e05d668f33957d6abda2d57fb24416c6828095d490f1eb97fab03a0f9fed43bd21e54a476e4d06d936
-
Filesize
366KB
MD5a19034aa5bc3f394e2b16c2fb887fceb
SHA1ee120463365fabcc01f46234fabc81dd813e9cd6
SHA2565785fc51607264efc37a6d1fd63a86c8a4396af9c825d4ff666aa56b9391bf02
SHA512904fa94725f2a1dd98a869fef6125a692348902754c38ec81754eebb1cd2a7b95607cfd0d7a12ca423f701a96231c5e4247f53a2fb394b14f92f70da5f5d2cba
-
Filesize
366KB
MD5a19034aa5bc3f394e2b16c2fb887fceb
SHA1ee120463365fabcc01f46234fabc81dd813e9cd6
SHA2565785fc51607264efc37a6d1fd63a86c8a4396af9c825d4ff666aa56b9391bf02
SHA512904fa94725f2a1dd98a869fef6125a692348902754c38ec81754eebb1cd2a7b95607cfd0d7a12ca423f701a96231c5e4247f53a2fb394b14f92f70da5f5d2cba
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
351KB
MD5fd43259b07f5156f4cc266b5ba0fc63f
SHA1da4ebd94a6ac2faf6d8cbdd696ecee6828b0b436
SHA25636e65629dbe427f1995332c4f91fb0ce3f2b62991b1ab800cfe3e485af97cf72
SHA5120dd0d3f4019ec1d18e525cbd1460036485a29ca3068ca096956d1637612aae70e50bbe9d80f2068fb23e08052e0715f0f85de8ccd4055a9979a193beabfa4a34
-
Filesize
351KB
MD5fd43259b07f5156f4cc266b5ba0fc63f
SHA1da4ebd94a6ac2faf6d8cbdd696ecee6828b0b436
SHA25636e65629dbe427f1995332c4f91fb0ce3f2b62991b1ab800cfe3e485af97cf72
SHA5120dd0d3f4019ec1d18e525cbd1460036485a29ca3068ca096956d1637612aae70e50bbe9d80f2068fb23e08052e0715f0f85de8ccd4055a9979a193beabfa4a34