Analysis
max time kernel: 83s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 10:20
Static task: static1
Behavioral task: behavioral1
Sample: 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe
Resource: win10v2004-20230220-en
General
Target: 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe
Size: 874KB
MD5: c239f30fa4d7fddb404481f909d411b6
SHA1: 589c8078ae07d99f08c2b1f99009840a48d90a0b
SHA256: 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43
SHA512: 23f709991350fe86dc7481acbbca91e2e138d460b866a63746305a9b21c2ea9094dd7386446a7051392a2edaa9ce54c1b652e7619059ddcbdd89c4c090e3e97d
SSDEEP: 24576:EyJjyIsg5YP660BgN38ZoMy0CgMWozhBccgeQhzAm64:TIYSruoIZXUavh
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
Family: redline
Botnet: rita
C2: 193.233.20.28:4125
auth_value: 5cf1bcf41b0a2f3710619223451dfd3a
Signatures
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c60mp56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c60mp56.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b3300nj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b3300nj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b3300nj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b3300nj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b3300nj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b3300nj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c60mp56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c60mp56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c60mp56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c60mp56.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/488-203-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-204-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-206-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-208-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-210-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-212-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-214-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-216-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-218-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-220-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-222-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-224-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-226-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-228-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-230-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-232-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-234-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
behavioral1/memory/488-236-0x0000000007700000-0x000000000773E000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
1888 | tice6933.exe
452 | tice6909.exe
1804 | b3300nj.exe
4672 | c60mp56.exe
488 | dUzXx92.exe
3864 | e71eI34.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b3300nj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c60mp56.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c60mp56.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice6933.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice6933.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice6909.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice6909.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1256 | 4672 | WerFault.exe | 91
1060 | 488 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1804 | b3300nj.exe
1804 | b3300nj.exe
4672 | c60mp56.exe
4672 | c60mp56.exe
488 | dUzXx92.exe
488 | dUzXx92.exe
3864 | e71eI34.exe
3864 | e71eI34.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1804 | b3300nj.exe
Token: SeDebugPrivilege | 4672 | c60mp56.exe
Token: SeDebugPrivilege | 488 | dUzXx92.exe
Token: SeDebugPrivilege | 3864 | e71eI34.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4516 wrote to memory of 1888 | 4516 | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe | 86
PID 4516 wrote to memory of 1888 | 4516 | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe | 86
PID 4516 wrote to memory of 1888 | 4516 | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe | 86
PID 1888 wrote to memory of 452 | 1888 | tice6933.exe | 87
PID 1888 wrote to memory of 452 | 1888 | tice6933.exe | 87
PID 1888 wrote to memory of 452 | 1888 | tice6933.exe | 87
PID 452 wrote to memory of 1804 | 452 | tice6909.exe | 88
PID 452 wrote to memory of 1804 | 452 | tice6909.exe | 88
PID 452 wrote to memory of 4672 | 452 | tice6909.exe | 91
PID 452 wrote to memory of 4672 | 452 | tice6909.exe | 91
PID 452 wrote to memory of 4672 | 452 | tice6909.exe | 91
PID 1888 wrote to memory of 488 | 1888 | tice6933.exe | 94
PID 1888 wrote to memory of 488 | 1888 | tice6933.exe | 94
PID 1888 wrote to memory of 488 | 1888 | tice6933.exe | 94
PID 4516 wrote to memory of 3864 | 4516 | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe | 104
PID 4516 wrote to memory of 3864 | 4516 | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe | 104
PID 4516 wrote to memory of 3864 | 4516 | 539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe | 104
Processes
C:\Users\Admin\AppData\Local\Temp\539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\539e77293a4c9fc02114c6f194c9e0af20198b66975a12c61b8d7550536bdb43.exe"
  PID: 4516
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6933.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6933.exe
    PID: 1888
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6909.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6909.exe
      PID: 452
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3300nj.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3300nj.exe
        PID: 1804
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c60mp56.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c60mp56.exe
        PID: 4672
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1080
          PID: 1256
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dUzXx92.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dUzXx92.exe
      PID: 488
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 1356
        PID: 1060
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e71eI34.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e71eI34.exe
    PID: 3864
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4672 -ip 4672
  PID: 3868
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 488 -ip 488
  PID: 2300
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 8b0ea3120d3d291045b26bcea5ccef54
SHA1: 07ed9587057ae936ca0610051142a4add4f7b6aa
SHA256: 6659717ddb5d87d6dc4e3c9e1d582bc58778c633eb50c61e3bdc57b5d3be7690
SHA512: 6d112c8621488b8ec6373ec6ab87b20cd07d33ea945d67a6aaa9ca043d9556b735b3c7b9d33c562e29c8e875c3a947a203a33ad27c2d2afe75e2f75873768244
Filesize: 729KB
MD5: 6ab711472e8c0ff9d249d849016b2d73
SHA1: c1418e7368902d56d7c21cbed72cf6723e515252
SHA256: 9499c81b6e201557dbec8fe5c889c6821917da26a9d8566a73f9f9ee90ec7382
SHA512: c2ed286b50d5db43f22d2cf364ec18c6bb8c894fb1900255e8252029d4dd3e9e3f772c98ff75032c91194ce8319a1ee77b0b8bfdb667baa8b33698a6cc1245fc
Filesize: 408KB
MD5: 389be22dc4ed4ab3b5b8ea2809b3d918
SHA1: 620bec19d1012e087e7dd58a5e8b6d4a4447007e
SHA256: 75762f36d9180c0bbc663903e15839dc77bb292484b00c8a78e609dbbfb631b2
SHA512: ae6d629e3c28cf15ceeecf27d5d504e2d20545f43804492b3c169923bc291b1337d1ef76dfe2c568a3048acbacf56f04ef318f97638efd4830d801564f6df360
Filesize: 364KB
MD5: 1ac5519d4b063d2f1e217cff16a77673
SHA1: 8fb6c1acd0cc6d15b5c707bc5e694026d9215176
SHA256: dd2d06e1040ca444b2decd5d77539a4d024dd36b6639b599b6c1c49d2af8b1cc
SHA512: a9cacf38d98b69136e69ecd73091cf64c4b9d46ae937649a59e821b447b66af33cc4b4708dfbecd17298deb48ee27a2810c5847bc0e54f3e400f9bd206c671bc
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 350KB
MD5: 524a61984c0ee31b78d28023e04f8e05
SHA1: 46bd3697882dc118101334509b791f1dd20d857e
SHA256: 36a3a6cc3c8b0de2665eddcb4d087f28a9dbca48f17d06a1d50195f259f44d1f
SHA512: 548896be026019a2a41c955a53d3b0df0afdf9faeac6e6d441f3f2065b93664d44b991fd728ea175acd2d60a62b99ce26c9019bbf099000efca02273fdcc389e