Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2023, 18:27
Static task
static1
Behavioral task
behavioral1
Sample
cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe
Resource
win10v2004-20230220-en
General
-
Target
cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe
-
Size
612KB
-
MD5
612478b7e6630a65dc2944f79ae1ac70
-
SHA1
c9acf440838a19c14fc7cc9146e76743c2b3174f
-
SHA256
cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0
-
SHA512
0d7fb6f06076d518b9169d52f9e9da2555e5e9ada903bd78b1c538e7951396888663e479dc86e2f08e42dbd4893fd55ceedbb620dd742b9030d02cab3230cde1
-
SSDEEP
12288:Jy90EG+an4kf8cewJ2H3F1rsP3MqgShiIisYlKZ9VxU5:JylaD8xwJWG35hHijk/xU5
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/4776-950-0x0000000007990000-0x0000000007FA8000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 46409418.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 46409418.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 46409418.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 46409418.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 46409418.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 46409418.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
pid Process 4896 st542404.exe 4560 46409418.exe 4776 kp450499.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 46409418.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce st542404.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" st542404.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4560 46409418.exe 4560 46409418.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4560 46409418.exe Token: SeDebugPrivilege 4776 kp450499.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2784 wrote to memory of 4896 2784 cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe 85 PID 2784 wrote to memory of 4896 2784 cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe 85 PID 2784 wrote to memory of 4896 2784 cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe 85 PID 4896 wrote to memory of 4560 4896 st542404.exe 86 PID 4896 wrote to memory of 4560 4896 st542404.exe 86 PID 4896 wrote to memory of 4776 4896 st542404.exe 87 PID 4896 wrote to memory of 4776 4896 st542404.exe 87 PID 4896 wrote to memory of 4776 4896 st542404.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe"C:\Users\Admin\AppData\Local\Temp\cdc39c393e568869248dee077808c74a5d4bce8ddf68fce5d31d02e62a903ac0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st542404.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st542404.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\46409418.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\46409418.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp450499.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp450499.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
457KB
MD5a0cae377e3a1f01302ef455ceee3f1bc
SHA1afd7e064f121cf7a486242828a3c9b352dfddd5f
SHA256aff3bbfb2cdad14c524bc2edc45c96c3b26d249e63b6a7acf589882634b2c660
SHA5124280d0b7d5269c04710e9d2949f555c699b480aa2e7ff4eea804568f89e9b1d2d4bcbe26602b5d474fc3064c5d2ee5125266cc463cb0c2c2a5735afac3123860
-
Filesize
457KB
MD5a0cae377e3a1f01302ef455ceee3f1bc
SHA1afd7e064f121cf7a486242828a3c9b352dfddd5f
SHA256aff3bbfb2cdad14c524bc2edc45c96c3b26d249e63b6a7acf589882634b2c660
SHA5124280d0b7d5269c04710e9d2949f555c699b480aa2e7ff4eea804568f89e9b1d2d4bcbe26602b5d474fc3064c5d2ee5125266cc463cb0c2c2a5735afac3123860
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
459KB
MD5a7142183c1fc3deaaf30ac4450f0cb56
SHA1bb914446108e0dca8bb6bb8b7057ea27a5ecf931
SHA256e644a8e3af4a5fbbf59475abc7a4c73bd90d11c4422327bd726d45320f603251
SHA51240ef4a59e7c8de72e9f5777ade2751452ff6813682c7999b8bfddf50945af66409688684ff205bcf737a333efb958a6f764d31b159765124a15ef370629bf05f
-
Filesize
459KB
MD5a7142183c1fc3deaaf30ac4450f0cb56
SHA1bb914446108e0dca8bb6bb8b7057ea27a5ecf931
SHA256e644a8e3af4a5fbbf59475abc7a4c73bd90d11c4422327bd726d45320f603251
SHA51240ef4a59e7c8de72e9f5777ade2751452ff6813682c7999b8bfddf50945af66409688684ff205bcf737a333efb958a6f764d31b159765124a15ef370629bf05f