Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
  Resource: win10v2004-20230220-en
General
Target: d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Size: 707KB
MD5: 416bdb8e05ee78385956ed39aaace2b5
SHA1: 17547f35983565f00cd149006563cd6a78179d53
SHA256: d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb
SHA512: 3a2e8078b13733fa8e40a11e2468052b65b04e28376a24e6e1b3e3bd81790815114e42929e215360d73c12af97558aeae721f701763d69a3a2f7ca3c4b2b9d96
SSDEEP: 12288:Oy90Iz9hP9yGNwto6t/CvF2wjxxcb4wG+ulJWkDGsTdn7Um1pduAeJvGjipl:OyN7P9nA22ojcbCX3i479/qVGwl
Malware Config
Signatures
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3972-989-0x0000000009D60000-0x000000000A378000-memory.dmp | redline_stealer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 77211406.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 77211406.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 77211406.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 77211406.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 77211406.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 77211406.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 3 IoCs
pid | Process
4436 | un304808.exe
2504 | 77211406.exe
3972 | rk687410.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 77211406.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 77211406.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un304808.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un304808.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1504 | 2504 | WerFault.exe | 83
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2504 | 77211406.exe
2504 | 77211406.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2504 | 77211406.exe
Token: SeDebugPrivilege | 3972 | rk687410.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1472 wrote to memory of 4436 | 1472 | d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | 82
PID 1472 wrote to memory of 4436 | 1472 | d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | 82
PID 1472 wrote to memory of 4436 | 1472 | d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | 82
PID 4436 wrote to memory of 2504 | 4436 | un304808.exe | 83
PID 4436 wrote to memory of 2504 | 4436 | un304808.exe | 83
PID 4436 wrote to memory of 2504 | 4436 | un304808.exe | 83
PID 4436 wrote to memory of 3972 | 4436 | un304808.exe | 93
PID 4436 wrote to memory of 3972 | 4436 | un304808.exe | 93
PID 4436 wrote to memory of 3972 | 4436 | un304808.exe | 93
Processes
(indentation shows the parent/child relationship; each entry gives the command line and PID)

"C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe" (PID 1472)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe (PID 4436)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe (PID 2504)
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1076 (PID 1504)
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe (PID 3972)
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2504 -ip 2504 (PID 4000)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 553KB
MD5: b5715a8a7dfde31a802387b19321f31b
SHA1: 39f0756bbc2cc322fff969028603b8572981e923
SHA256: 70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339
SHA512: 92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd
Filesize: 258KB
MD5: 24f85c699a19ee5e19fdd82c6e224735
SHA1: ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8
SHA256: f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58
SHA512: 9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b
Filesize: 353KB
MD5: 8811341d1ea7a75289287e97b6ae3d65
SHA1: bc41b1b0187a35dcdfa016c5a1657aff7133c331
SHA256: fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea
SHA512: 4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1