Analysis
- Max time kernel: 147s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230220-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 01/05/2023, 18:28
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe
  Resource: win7-20230220-en
- Behavioral task: behavioral2
  Sample: cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe
  Resource: win10v2004-20230220-en
General
- Target: cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe
- Size: 1.5MB
- MD5: 269029049604046a45066714cbba7f2a
- SHA1: f70ff2dbf1183716796f090f86c479a8e3e97ca7
- SHA256: cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc
- SHA512: e0a5959de75af85bbe20095f1024f497a4ba036a53e4a574c8a8ff526f265f0d7ebd76a7aceaa987d5197fe0a39746b88b05295253737905219ee6492a00b2d5
- SSDEEP: 24576:GyP3owDEVPILVh+EyOcc8YA/huIBXYMLaBldu9acvsoMf0iySBWJbUiVbTx0YeMI:VPYw4VgBUvmDKvBoMOloQcvsoykXJbUk
Malware Config
Extracted
- Family: redline
- Botnet: most
- C2: 185.161.248.73:4164
- auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

- Detects Redline Stealer samples (3 IoCs)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/3508-170-0x000000000AA40000-0x000000000B058000-memory.dmp | redline_stealer
  behavioral2/memory/3508-179-0x000000000B3F0000-0x000000000B456000-memory.dmp | redline_stealer
  behavioral2/memory/3508-181-0x000000000BF50000-0x000000000C112000-memory.dmp | redline_stealer

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Executes dropped EXE (6 IoCs)
  pid | Process
  1308 | i75715560.exe
  684 | i54396521.exe
  1636 | i41031967.exe
  1168 | i59672888.exe
  3508 | a73352756.exe
  4516 | b74863860.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i54396521.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i41031967.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i59672888.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i59672888.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i41031967.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i75715560.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i75715560.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i54396521.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (10 IoCs)
  pid | pid_target | Process | procid_target
  4540 | 4516 | WerFault.exe | 96
  4304 | 4516 | WerFault.exe | 96
  4676 | 4516 | WerFault.exe | 96
  1804 | 4516 | WerFault.exe | 96
  804 | 4516 | WerFault.exe | 96
  1980 | 4516 | WerFault.exe | 96
  2460 | 4516 | WerFault.exe | 96
  5108 | 4516 | WerFault.exe | 96
  4220 | 4516 | WerFault.exe | 96
  532 | 4516 | WerFault.exe | 96

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3508 | a73352756.exe
  3508 | a73352756.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3508 | a73352756.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  4516 | b74863860.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 4384 wrote to memory of 1308 | 4384 | cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe | 84
  PID 4384 wrote to memory of 1308 | 4384 | cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe | 84
  PID 4384 wrote to memory of 1308 | 4384 | cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe | 84
  PID 1308 wrote to memory of 684 | 1308 | i75715560.exe | 85
  PID 1308 wrote to memory of 684 | 1308 | i75715560.exe | 85
  PID 1308 wrote to memory of 684 | 1308 | i75715560.exe | 85
  PID 684 wrote to memory of 1636 | 684 | i54396521.exe | 86
  PID 684 wrote to memory of 1636 | 684 | i54396521.exe | 86
  PID 684 wrote to memory of 1636 | 684 | i54396521.exe | 86
  PID 1636 wrote to memory of 1168 | 1636 | i41031967.exe | 87
  PID 1636 wrote to memory of 1168 | 1636 | i41031967.exe | 87
  PID 1636 wrote to memory of 1168 | 1636 | i41031967.exe | 87
  PID 1168 wrote to memory of 3508 | 1168 | i59672888.exe | 88
  PID 1168 wrote to memory of 3508 | 1168 | i59672888.exe | 88
  PID 1168 wrote to memory of 3508 | 1168 | i59672888.exe | 88
  PID 1168 wrote to memory of 4516 | 1168 | i59672888.exe | 96
  PID 1168 wrote to memory of 4516 | 1168 | i59672888.exe | 96
  PID 1168 wrote to memory of 4516 | 1168 | i59672888.exe | 96
Processes
(Indentation shows the parent/child relationship; the number in brackets is the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cec7c79800544354c74bde5f22f8d28a771acd4ea50941b947bae6fa0c060cfc.exe"
    PID: 4384
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i75715560.exe
        PID: 1308
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i54396521.exe
            PID: 684
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i41031967.exe
                PID: 1636
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i59672888.exe
                    PID: 1168
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73352756.exe
                        PID: 3508
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b74863860.exe
                        PID: 4516
                        - Executes dropped EXE
                        - Suspicious use of FindShellTrayWindow
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 696
                            PID: 4540
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 748
                            PID: 4304
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 856
                            PID: 4676
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 864
                            PID: 1804
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 996
                            PID: 804
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 904
                            PID: 1980
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1216
                            PID: 2460
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1240
                            PID: 5108
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1268
                            PID: 4220
                            - Program crash
                        [7] C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1344
                            PID: 532
                            - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4516 -ip 4516
    PID: 4392
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4516 -ip 4516
    PID: 5112
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4516 -ip 4516
    PID: 3924
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516
    PID: 4956
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4516 -ip 4516
    PID: 3604
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4516 -ip 4516
    PID: 4608
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4516 -ip 4516
    PID: 2932
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4516 -ip 4516
    PID: 4032
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4516 -ip 4516
    PID: 464
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4516 -ip 4516
    PID: 1628
Network
MITRE ATT&CK Enterprise v6
Downloads