Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2023, 12:37
Static task
static1
Behavioral task
behavioral1
Sample
b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe
Resource
win10v2004-20230220-en
General
Target: b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe
Size: 860KB
MD5: 8544740f9adb3b9d42687323ee16a6f5
SHA1: 0ead6ddf91ae890bda39678b492cc64af09720e4
SHA256: b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4
SHA512: 4807401018e88ec19749c7ad899fc4161f20f104a2755d9a4de6ac68754e1c430813bb794c3891b8496f9d864dd5a62325b0f0504423b6c6b0bb65e0b4d264ca
SSDEEP: 24576:VyOtirLYWeZFVYIDq0WaJyWFSx3z8MFhk34JSrI:wYiZSdNWatcx3zEAS
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23

Extracted
Family: redline
Botnet: laba
C2: 193.233.20.28:4125
auth_value: 2cf01cffff9092a85ca7e106c547190b
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b8394SB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b8394SB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b8394SB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c56fv13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c56fv13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c56fv13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c56fv13.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b8394SB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b8394SB.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c56fv13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c56fv13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b8394SB.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4464-203-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-204-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-206-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-208-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-211-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-216-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-215-0x0000000007160000-0x0000000007170000-memory.dmp | family_redline
behavioral1/memory/4464-218-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-220-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-222-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-224-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-226-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-228-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-230-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-232-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-234-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-236-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-238-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-240-0x00000000070C0000-0x00000000070FE000-memory.dmp | family_redline
behavioral1/memory/4464-1122-0x0000000007160000-0x0000000007170000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
1892 | tice2580.exe
3504 | tice8150.exe
1464 | b8394SB.exe
4628 | c56fv13.exe
4464 | durSO97.exe
4348 | e74aY18.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b8394SB.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c56fv13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c56fv13.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice2580.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice2580.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice8150.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice8150.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2268 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4636 | 4628 | WerFault.exe | 91
324 | 4464 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1464 | b8394SB.exe
1464 | b8394SB.exe
4628 | c56fv13.exe
4628 | c56fv13.exe
4464 | durSO97.exe
4464 | durSO97.exe
4348 | e74aY18.exe
4348 | e74aY18.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1464 | b8394SB.exe
Token: SeDebugPrivilege | 4628 | c56fv13.exe
Token: SeDebugPrivilege | 4464 | durSO97.exe
Token: SeDebugPrivilege | 4348 | e74aY18.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2392 wrote to memory of 1892 | 2392 | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe | 85
PID 2392 wrote to memory of 1892 | 2392 | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe | 85
PID 2392 wrote to memory of 1892 | 2392 | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe | 85
PID 1892 wrote to memory of 3504 | 1892 | tice2580.exe | 86
PID 1892 wrote to memory of 3504 | 1892 | tice2580.exe | 86
PID 1892 wrote to memory of 3504 | 1892 | tice2580.exe | 86
PID 3504 wrote to memory of 1464 | 3504 | tice8150.exe | 87
PID 3504 wrote to memory of 1464 | 3504 | tice8150.exe | 87
PID 3504 wrote to memory of 4628 | 3504 | tice8150.exe | 91
PID 3504 wrote to memory of 4628 | 3504 | tice8150.exe | 91
PID 3504 wrote to memory of 4628 | 3504 | tice8150.exe | 91
PID 1892 wrote to memory of 4464 | 1892 | tice2580.exe | 94
PID 1892 wrote to memory of 4464 | 1892 | tice2580.exe | 94
PID 1892 wrote to memory of 4464 | 1892 | tice2580.exe | 94
PID 2392 wrote to memory of 4348 | 2392 | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe | 103
PID 2392 wrote to memory of 4348 | 2392 | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe | 103
PID 2392 wrote to memory of 4348 | 2392 | b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe | 103
Processes
C:\Users\Admin\AppData\Local\Temp\b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b7bdc374fdc711fdcf398ec2700c208a7bc5960c23076f3835632acefdbacaa4.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 2392

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2580.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice2580.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1892

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8150.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8150.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3504

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8394SB.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8394SB.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1464

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c56fv13.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c56fv13.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4628

                C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1080
                - Program crash
                PID: 4636

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\durSO97.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\durSO97.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4464

            C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1352
            - Program crash
            PID: 324

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e74aY18.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e74aY18.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4348

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4628 -ip 4628
PID: 3620

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4464 -ip 4464
PID: 5032

C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start wuauserv
- Launches sc.exe
PID: 2268
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 478e884952392c14b85cca1a6a4f3e35
SHA1: f3475db1427fec3eedf583f1b7b0f839b27f8d74
SHA256: bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413
SHA512: b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9
Filesize: 715KB
MD5: 327bf0a34a2873d129c76003dab1fecd
SHA1: 8a46ae5f37a3099f1dfd5a740e5fd588b5047a62
SHA256: c0dd764a2e2cb158652825e6bc53fcd57d8918064daa4997edd4790f04da579f
SHA512: 91dfda83294d4f9430d12629de27d5c1c7fab34fffbeb5e74a2fa4e6d88095a78aec9fa7f6145986755aa8dd54113ffc5b46a5cbb67ef5da6da6ffb06498d48f
Filesize: 396KB
MD5: ce2853117c51c2faa654f694525afa1e
SHA1: 32724da1c4813c3fdd140386372d5c9f5dd80f20
SHA256: a618ebcbae55846e2b54d04b8f206f9bdeb5cea9003841151a81e7a8c6da399b
SHA512: a43013ea6af3eb5493aafdfb983d7c3c5ec6c4ad46c12457749bb1a4cea78132597a4577b4e621922ed3f32c97ff018d92b3b3f6ffa05cc9ad07fa6fe5d61afe
Filesize: 358KB
MD5: f7b97c22b945216662cd309a675cff4e
SHA1: 95671acca4d7f366ae620bfa87548f79537a867e
SHA256: 9b1f98215e10669dae885a444228264c9940465a81e28a65e7c02225df7c7e11
SHA512: b02c06a2eac829894daebc2564a0c42469706e8036ba63756beb1685d8ff6a5764d9e33282806471e9e409315fe87f0d7bbe20c05f65acae8a0229b4ca7d9b0b
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 338KB
MD5: a962f820dfe2cb378699191704cfdf32
SHA1: e767a9ae1e186bdb91628b2734e42d6357f2c80a
SHA256: 872d9f819ee2c8ae303b76dc31e2ca5e475b17fc11a105eedc8d8d240c5b6aa6
SHA512: 9d8219ea5753caf3ff3266d5e0ae6bb2ac2a2fde8e22856be460174af97c38807924a3ec84e3dfdf7589d1cc085a0be815c5f1c75297482acbaa76ff78666a0f