Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2023, 11:32
Static task: static1
Behavioral task: behavioral1
  Sample: b93f37b3bfe0b331e15bb3ffac941f04.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: b93f37b3bfe0b331e15bb3ffac941f04.exe
  Resource: win10v2004-20230220-en
General
Target: b93f37b3bfe0b331e15bb3ffac941f04.exe
Size: 844KB
MD5: b93f37b3bfe0b331e15bb3ffac941f04
SHA1: ae6968d31bfa137e98f3faf6d16d90ecfb1b23f9
SHA256: 78c5fa2cb5ac009370a09eb82bbc7ad80e1bf4947e39425dbc64768a00aec564
SHA512: c3771a276a757d58302dcdaa6d42d0df34a40b0ae528ca992fe7e0867ec6f89b5953015a842221b21565136cbb127e8f2a86fcecce60cc2a4283c8881d63526b
SSDEEP: 24576:7yJRiHMmwoDA1WCS6LyTKu3jP63vPS3BVk:uJRi1t+WCS6LoF3jj3BV
Malware Config
Extracted
  redline
  mango
  193.233.20.28:4125
  auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
  redline
  ruka
  193.233.20.28:4125
  auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | f8281wD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | f8281wD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | f8281wD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | g83eH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | g83eH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | g83eH44.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | f8281wD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | f8281wD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f8281wD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | g83eH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | g83eH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | g83eH44.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral2/memory/2632-205-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-206-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-208-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-210-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-212-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-214-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-216-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-218-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-220-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-222-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-224-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-226-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-228-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-230-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-232-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-234-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-236-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
behavioral2/memory/2632-238-0x0000000004C00000-0x0000000004C3E000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
1620 | liba7591.exe
1552 | liba9663.exe
1784 | f8281wD.exe
396 | g83eH44.exe
2632 | hVWki28.exe
4336 | i36tf53.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | f8281wD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | g83eH44.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | g83eH44.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b93f37b3bfe0b331e15bb3ffac941f04.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b93f37b3bfe0b331e15bb3ffac941f04.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | liba7591.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | liba7591.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | liba9663.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | liba9663.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4720 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2064 | 396 | WerFault.exe | 91
796 | 2632 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1784 | f8281wD.exe
1784 | f8281wD.exe
396 | g83eH44.exe
396 | g83eH44.exe
2632 | hVWki28.exe
2632 | hVWki28.exe
4336 | i36tf53.exe
4336 | i36tf53.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1784 | f8281wD.exe
Token: SeDebugPrivilege | 396 | g83eH44.exe
Token: SeDebugPrivilege | 2632 | hVWki28.exe
Token: SeDebugPrivilege | 4336 | i36tf53.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4964 wrote to memory of 1620 | 4964 | b93f37b3bfe0b331e15bb3ffac941f04.exe | 85
PID 4964 wrote to memory of 1620 | 4964 | b93f37b3bfe0b331e15bb3ffac941f04.exe | 85
PID 4964 wrote to memory of 1620 | 4964 | b93f37b3bfe0b331e15bb3ffac941f04.exe | 85
PID 1620 wrote to memory of 1552 | 1620 | liba7591.exe | 86
PID 1620 wrote to memory of 1552 | 1620 | liba7591.exe | 86
PID 1620 wrote to memory of 1552 | 1620 | liba7591.exe | 86
PID 1552 wrote to memory of 1784 | 1552 | liba9663.exe | 87
PID 1552 wrote to memory of 1784 | 1552 | liba9663.exe | 87
PID 1552 wrote to memory of 396 | 1552 | liba9663.exe | 91
PID 1552 wrote to memory of 396 | 1552 | liba9663.exe | 91
PID 1552 wrote to memory of 396 | 1552 | liba9663.exe | 91
PID 1620 wrote to memory of 2632 | 1620 | liba7591.exe | 94
PID 1620 wrote to memory of 2632 | 1620 | liba7591.exe | 94
PID 1620 wrote to memory of 2632 | 1620 | liba7591.exe | 94
PID 4964 wrote to memory of 4336 | 4964 | b93f37b3bfe0b331e15bb3ffac941f04.exe | 109
PID 4964 wrote to memory of 4336 | 4964 | b93f37b3bfe0b331e15bb3ffac941f04.exe | 109
PID 4964 wrote to memory of 4336 | 4964 | b93f37b3bfe0b331e15bb3ffac941f04.exe | 109
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b93f37b3bfe0b331e15bb3ffac941f04.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b93f37b3bfe0b331e15bb3ffac941f04.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4964
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\liba7591.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\liba7591.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1620
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\liba9663.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\liba9663.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1552
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8281wD.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8281wD.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1784
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g83eH44.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g83eH44.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 396
        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1076
            - Program crash
            PID: 2064
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hVWki28.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hVWki28.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2632
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1828
          - Program crash
          PID: 796
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36tf53.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36tf53.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4336
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 396 -ip 396
    PID: 4820
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2632 -ip 2632
    PID: 5092
[1] C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
    PID: 4720
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 6c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1: f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256: b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512: f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
Filesize: 702KB
MD5: 5e3a688efebb4bc088fe9428aa043fab
SHA1: 9b5614c605374a9b4d93d15db36f0766dc118a1b
SHA256: 311f74a45a3b8e7f88e7af384c1add5c4be488af9c57eaf36056ee6f045e797d
SHA512: 6ff805cadd094c4e15aa23c768d11f15c26f32229f726097d38469c58e71ce067a62284da0723ea9c7ddb23e2ca10f53b37c7bfee4d9fdd4979ca5cd6001afc7
Filesize: 396KB
MD5: 49618e480e47db51271f67ee4f06c84f
SHA1: c6fa22473ccbef482422f958b1abf683e97fd32f
SHA256: d521c439c3f9e32d56e88769773350ced847eb299a73f34dfda7289cce842c3e
SHA512: 246e92c255aee2e836114369cd7156f2c55a710abf7cfa97450e3c75eaf30c1685da0b5fb58783129fba48338c6084397558b4311fd07d4c8e9c42428410d9ed
Filesize: 348KB
MD5: 39ffe9287fa1a93b71239ba81d59d4bc
SHA1: dc98a45cfa6f7706ce5329a1b0a72ac3fe9b57c0
SHA256: c6360451f677d46830066ffd12dd464df148136b0530a1954ca7f0f320751f6f
SHA512: 49c15739f65348e3c6937b3becd014182652d62097ad578f627acb0d7140287407505cf061a1be1908eb97dc17bb94f04b108d1473032f374af01aeb6cd61d0d
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 338KB
MD5: c78f1f662ec2defbfd088cf36b05eff5
SHA1: 96101b0323c96b7ad624847ae0735e7bc070d31a
SHA256: cd0e3f92673b71d105164c9b433ca166ba713b735ce15ec446bc938f3d88fbe5
SHA512: e9eb0cf5202e41d09dee69a59d233edd176c8dcfe3574affc39f853bd781e63164db2ed19d317bdf69013064279ce653a5b255b2c2fb29a7de17a6e88c6ce353