Analysis

  • max time kernel
    303s
  • max time network
    246s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22/10/2023, 22:25

General

  • Target
    c0f594a7b596ae837b66e85288976bfe55077d510d841cdfe41a0e42325f6c6e.exe
  • Size
    316KB
  • MD5
    2ea5f0973fa72e30eee91358042e2ee1
  • SHA1
    444b829ef824a623752343885439dc80274fc43c
  • SHA256
    c0f594a7b596ae837b66e85288976bfe55077d510d841cdfe41a0e42325f6c6e
  • SHA512
    987b30dd3354bc83957b69ba2ad74507b6eca305947c491c4e73d0090ad37cd493935e3fba734127896e26fd475584571bd1e7c20b4ed369d53c3ce5f85f4b4d
  • SSDEEP
    3072:GB6IW25ma0VuPkPZ+yrTdr/1WLhiTa1xisi3AMa6fJxhrJPXTBDBx0xinMJlXZH:/yXFPk5TJALITExisi9JfJPXTN70Qn

Malware Config

Extracted

  • Family
    redline
  • Botnet
    @oleh_ps
  • C2
    185.216.70.238:37515

Signatures

  • RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  • RedLine payload (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Detected potential entity reuse from brand microsoft.
  • Drops file in Windows directory (6 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0f594a7b596ae837b66e85288976bfe55077d510d841cdfe41a0e42325f6c6e.exe
    "C:\Users\Admin\AppData\Local\Temp\c0f594a7b596ae837b66e85288976bfe55077d510d841cdfe41a0e42325f6c6e.exe"
    • Checks computer location settings
    PID:772
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:700
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    • Modifies Internet Explorer settings
    PID:2308
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5040
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies registry class
    PID:3936
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies registry class
    PID:2664
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3912
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies registry class
    PID:192
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies registry class
    PID:2656

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize: 4KB
    MD5: 1bfe591a4fe3d91b03cdf26eaacd8f89
    SHA1: 719c37c320f518ac168c86723724891950911cea
    SHA256: 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
    SHA512: 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TCMH1DO0\edgecompatviewlist[1].xml
    Filesize: 74KB
    MD5: d4fc49dc14f63895d997fa4940f24378
    SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
    SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
    SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\6UM70MW2\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\H98OOR7S\favicon[1].ico
    Filesize: 16KB
    MD5: 12e3dac858061d088023b2bd48e2fa96
    SHA1: e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5
    SHA256: 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21
    SHA512: c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\np3bmxs\imagestore.dat
    Filesize: 26KB
    MD5: f2b463339872e41c0bb0c799c9f961e1
    SHA1: 9a0afba4e0dad4768e56ec8d49d6b8acc73ea62a
    SHA256: 2db99722b54f2dabc71e537d2000e6fa2a13c3905a0298cac056a1447d1d9a40
    SHA512: 8bb131d8bd45ab84827dfb7300d6b9a4a42696c94568398c5ec1782b3392570f635af2b670ac1797e81a49cd05357938c7b6ac9e1b8ab0d387d24278fe7e5355

  • memory/700-184-0x0000017AADBA0000-0x0000017AADBA1000-memory.dmp
    Filesize: 4KB
  • memory/700-5-0x0000017AA7320000-0x0000017AA7330000-memory.dmp
    Filesize: 64KB
  • memory/700-21-0x0000017AA7900000-0x0000017AA7910000-memory.dmp
    Filesize: 64KB
  • memory/700-40-0x0000017AACB40000-0x0000017AACB42000-memory.dmp
    Filesize: 8KB
  • memory/700-185-0x0000017AADBB0000-0x0000017AADBB1000-memory.dmp
    Filesize: 4KB
  • memory/772-1-0x00000000004C0000-0x00000000004FE000-memory.dmp
    Filesize: 248KB
  • memory/772-0-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/3936-53-0x00000169824F0000-0x00000169824F2000-memory.dmp
    Filesize: 8KB
  • memory/3936-165-0x000001699A120000-0x000001699A122000-memory.dmp
    Filesize: 8KB
  • memory/3936-161-0x000001699A0F0000-0x000001699A0F2000-memory.dmp
    Filesize: 8KB
  • memory/3936-158-0x000001699A0E0000-0x000001699A0E2000-memory.dmp
    Filesize: 8KB
  • memory/3936-121-0x0000016994BA0000-0x0000016994BC0000-memory.dmp
    Filesize: 128KB
  • memory/3936-97-0x0000016993130000-0x0000016993150000-memory.dmp
    Filesize: 128KB
  • memory/3936-58-0x0000016982890000-0x0000016982892000-memory.dmp
    Filesize: 8KB
  • memory/3936-56-0x0000016982830000-0x0000016982832000-memory.dmp
    Filesize: 8KB