Analysis
max time kernel: 52s
max time network: 63s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/03/2023, 09:42
Static task: static1
Behavioral task: behavioral1
Sample: bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe
Resource: win10-20230220-en
General
Target: bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe
Size: 875KB
MD5: 6d62ea84592417f19a7b6e7fd76e4833
SHA1: 18ed26fb8621d4c9e08775bd989beed77c7a6145
SHA256: bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84
SHA512: ade02194816a0efcfd1b209c54ab68b2d7fbbe2f0d5474f98c897c644cdb5fdacb804509d3d40c0347ad3b1a54ff821c5d1228dae711eb5200eb88ea25cd126e
SSDEEP: 24576:Cyme7XJq9CTiKrBIuKpUK2IxJuvI1IfE3hucO47YX1:pm4Xk8nBmUmxJujcNO9
Malware Config
Extracted: redline (mango)
193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted: redline (rita)
193.233.20.28:4125
auth_value: 5cf1bcf41b0a2f3710619223451dfd3a
Signatures
Modifies Windows Defender Real-time Protection settings 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b2951DU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b2951DU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b2951DU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c68oJ66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c68oJ66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c68oJ66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b2951DU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b2951DU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c68oJ66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c68oJ66.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Executes dropped EXE 6 IoCs
pid | Process
3488 | tice0709.exe
1728 | tice0587.exe
3972 | b2951DU.exe
1660 | c68oJ66.exe
2216 | dtsAS36.exe
4492 | e54YR26.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b2951DU.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c68oJ66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c68oJ66.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice0709.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice0709.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice0587.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice0587.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
3972 | b2951DU.exe
3972 | b2951DU.exe
1660 | c68oJ66.exe
1660 | c68oJ66.exe
2216 | dtsAS36.exe
2216 | dtsAS36.exe
4492 | e54YR26.exe
4492 | e54YR26.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3972 | b2951DU.exe
Token: SeDebugPrivilege | 1660 | c68oJ66.exe
Token: SeDebugPrivilege | 2216 | dtsAS36.exe
Token: SeDebugPrivilege | 4492 | e54YR26.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4024 wrote to memory of 3488 | 4024 | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe | 66
PID 4024 wrote to memory of 3488 | 4024 | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe | 66
PID 4024 wrote to memory of 3488 | 4024 | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe | 66
PID 3488 wrote to memory of 1728 | 3488 | tice0709.exe | 67
PID 3488 wrote to memory of 1728 | 3488 | tice0709.exe | 67
PID 3488 wrote to memory of 1728 | 3488 | tice0709.exe | 67
PID 1728 wrote to memory of 3972 | 1728 | tice0587.exe | 68
PID 1728 wrote to memory of 3972 | 1728 | tice0587.exe | 68
PID 1728 wrote to memory of 1660 | 1728 | tice0587.exe | 69
PID 1728 wrote to memory of 1660 | 1728 | tice0587.exe | 69
PID 1728 wrote to memory of 1660 | 1728 | tice0587.exe | 69
PID 3488 wrote to memory of 2216 | 3488 | tice0709.exe | 70
PID 3488 wrote to memory of 2216 | 3488 | tice0709.exe | 70
PID 3488 wrote to memory of 2216 | 3488 | tice0709.exe | 70
PID 4024 wrote to memory of 4492 | 4024 | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe | 72
PID 4024 wrote to memory of 4492 | 4024 | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe | 72
PID 4024 wrote to memory of 4492 | 4024 | bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe | 72
Processes
[1] C:\Users\Admin\AppData\Local\Temp\bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bca13b2c82150434f079278f2eb90054625c5271f6056710de1fbd031bf6bb84.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4024
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0709.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0709.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3488
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0587.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0587.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1728
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2951DU.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2951DU.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3972
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c68oJ66.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c68oJ66.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1660
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtsAS36.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtsAS36.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2216
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e54YR26.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e54YR26.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4492
Network
MITRE ATT&CK Enterprise v6
Downloads