Analysis
max time kernel: 59s
max time network: 61s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/03/2023, 20:18
Static task: static1
Behavioral task: behavioral1
Sample: 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe
Resource: win10-20230220-en
General
Target: 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe
Size: 864KB
MD5: 6a7079138184b175d99864c9a200c8be
SHA1: 45db38541f22f3af9c34d7361a431881f27906e2
SHA256: 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20
SHA512: 78cab2f5b172144dbf13fc4e576476e41240734f8cddd3a071442993807d1b0cf17c10690133cf6e804746b609c1dbc178df503f6e05543b9ebddfc3d01479e2
SSDEEP: 24576:NyLpDdERiLtVEhmy8VkhIJPYGKS2J682JQ:oLX2iLIhGHKSw6dJ
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
Family: redline
Botnet: sito
C2: 193.233.20.28:4125
auth_value: 030f94d8e396dbe51ce339b815cdad17
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c15eV22.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c15eV22.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c15eV22.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b7633Vb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b7633Vb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b7633Vb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b7633Vb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c15eV22.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b7633Vb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c15eV22.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
Executes dropped EXE 6 IoCs
pid | Process
- 2504 | tice6447.exe
- 3060 | tice8942.exe
- 4540 | b7633Vb.exe
- 8 | c15eV22.exe
- 3032 | dJaBY04.exe
- 4124 | e83wa09.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b7633Vb.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c15eV22.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c15eV22.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice6447.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice6447.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice8942.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice8942.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
- 4540 | b7633Vb.exe
- 4540 | b7633Vb.exe
- 8 | c15eV22.exe
- 8 | c15eV22.exe
- 3032 | dJaBY04.exe
- 3032 | dJaBY04.exe
- 4124 | e83wa09.exe
- 4124 | e83wa09.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4540 | b7633Vb.exe
- Token: SeDebugPrivilege | 8 | c15eV22.exe
- Token: SeDebugPrivilege | 3032 | dJaBY04.exe
- Token: SeDebugPrivilege | 4124 | e83wa09.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
- PID 2444 wrote to memory of 2504 | 2444 | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe | 66
- PID 2444 wrote to memory of 2504 | 2444 | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe | 66
- PID 2444 wrote to memory of 2504 | 2444 | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe | 66
- PID 2504 wrote to memory of 3060 | 2504 | tice6447.exe | 67
- PID 2504 wrote to memory of 3060 | 2504 | tice6447.exe | 67
- PID 2504 wrote to memory of 3060 | 2504 | tice6447.exe | 67
- PID 3060 wrote to memory of 4540 | 3060 | tice8942.exe | 68
- PID 3060 wrote to memory of 4540 | 3060 | tice8942.exe | 68
- PID 3060 wrote to memory of 8 | 3060 | tice8942.exe | 69
- PID 3060 wrote to memory of 8 | 3060 | tice8942.exe | 69
- PID 3060 wrote to memory of 8 | 3060 | tice8942.exe | 69
- PID 2504 wrote to memory of 3032 | 2504 | tice6447.exe | 70
- PID 2504 wrote to memory of 3032 | 2504 | tice6447.exe | 70
- PID 2504 wrote to memory of 3032 | 2504 | tice6447.exe | 70
- PID 2444 wrote to memory of 4124 | 2444 | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe | 72
- PID 2444 wrote to memory of 4124 | 2444 | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe | 72
- PID 2444 wrote to memory of 4124 | 2444 | 6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe | 72
Processes
C:\Users\Admin\AppData\Local\Temp\6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6226c1211403cf11636ae7c37524879c0695f3cf9dbc523c13413f4763cb6f20.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 2444
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6447.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice6447.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2504
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8942.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8942.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3060
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7633Vb.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7633Vb.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4540
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c15eV22.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c15eV22.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 8
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJaBY04.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJaBY04.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3032
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e83wa09.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e83wa09.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4124
Network
MITRE ATT&CK Enterprise v6
Downloads