Analysis
  max time kernel: 226s
  max time network: 253s
  platform: windows10-2004_x64
  resource: win10v2004-20230221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/05/2023, 18:42
Static task: static1
Behavioral task: behavioral1
  Sample: d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe
  Resource: win10v2004-20230221-en
General
  Target: d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe
  Size: 642KB
  MD5: b46f41f327dbfd079ea39823239f30e9
  SHA1: dc99e4d11e00d65ee8adb9becae58865673344e0
  SHA256: d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff
  SHA512: f22da5298b3de106a503f09d98d3532d425d4a5d7f50eed120a784af8084cbe519560bbcf1ccb44004c79a28836234807916b29aaef1cffc0cc1788ad1710282
  SSDEEP: 12288:py908faSnidphYtt1b3vBP+WW61N1qbRKWA+B6Xp:pyVfaSiZM1DvxO61N1qbRZaXp
Malware Config
Signatures
Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/1384-983-0x0000000009CB0000-0x000000000A2C8000-memory.dmp
  yara_rule: redline_stealer
The only match is against a memory dump of PID 1384 (kp846203.exe), the region 0x09CB0000-0x0A2C8000 captured in the Windows 10 task; none of the files on disk matched the rule.
Modifies Windows Defender Real-time Protection settings (6 IoCs)
  process: 93151000.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = 1
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = 1
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = 1
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = 1
All five values are recorded under the WOW6432Node (32-bit) view of the Defender policy key. A detection rule that matches only the native path HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection should also match the WOW6432Node form, or it will not see these writes.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (3 IoCs)
  PID 5104: st377174.exe
  PID 1680: 93151000.exe
  PID 1384: kp846203.exe
Windows security modification (2 IoCs)
  process: 93151000.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = 0
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" (d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (st377174.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" (st377174.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe)
Both RunOnce values are the cleanup hook that Microsoft's WExtract (IExpress) self-extractor registers so that its temporary extraction directory (IXP000.TMP, IXP001.TMP) is deleted at the next logon through advpack.dll's DelNodeRunDLL32. They show that the submitted file and st377174.exe are nested WExtract packages; they do not show the payload being configured to start again after a reboot. The signature fires on the RunOnce write itself, not on what the value does.
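The Defender policy writes, the TamperProtection change and the RunOnce entries above all reach a sandbox report or a Sysmon Event ID 13 stream in the same shape, and the report's signatures treat the WExtract cleanup hook like any other autostart entry. The script below, added here as an example and not part of the tria.ge report or the RedLine sample, sorts such events into Defender real-time protection tampering, tamper-protection disablement, WExtract cleanup artifacts, and genuine Run-key persistence. The events are constructed from the rows in this report; the `hypothetical.exe` Run-key event is invented as a contrast case, and the function and category names are the example's own.

```python
"""Classify registry-write events from a sandbox report.

Added example, not tria.ge code. Events are (operation, key, value name,
data, writing process); the sample set is constructed from this report's
signature rows plus one invented Run-key entry for contrast.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Registry writes may be recorded under the WOW6432Node (32-bit) view of
# HKLM\SOFTWARE; strip that component so both views compare equal.
_WOW = re.compile(r"\\wow6432node", re.IGNORECASE)

DEFENDER_RTP = r"\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_FEATURES = r"\software\microsoft\windows defender\features"
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")

# Policy values that switch off a real-time Defender component when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}

# WExtract (IExpress) cleanup hook: rundll32 advpack.dll,DelNodeRunDLL32 "<IXP dir>"
_WEXTRACT = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE)


@dataclass(frozen=True)
class RegEvent:
    op: str        # "create" or "set"
    key: str       # full key path as the sandbox prints it
    value: str     # value name ("" for key creation)
    data: str      # value data as text ("" for key creation)
    process: str   # image name of the writing process


def normalize_key(key: str) -> str:
    """Lower-case, drop WOW6432Node, and map \\REGISTRY\\MACHINE to hklm."""
    key = _WOW.sub("", key).lower()
    return key.replace("\\registry\\machine", "hklm", 1)


def classify(ev: RegEvent) -> tuple[str, str | None]:
    """Return (category, ATT&CK technique id or None) for one event."""
    key = normalize_key(ev.key)
    name = ev.value.lower()
    if ev.op == "set" and key.endswith(DEFENDER_RTP) \
            and name in RTP_DISABLE_VALUES and ev.data == "1":
        return "defender_rtp_disabled", "T1562.001"
    if ev.op == "set" and key.endswith(DEFENDER_FEATURES) \
            and name == "tamperprotection" and ev.data == "0":
        return "defender_tamper_protection_off", "T1562.001"
    if ev.op == "set" and any(key.endswith(k) for k in RUN_KEYS):
        if _WEXTRACT.match(ev.data) and name.startswith("wextract_cleanup"):
            # The installer deleting its own temp dir at next logon: not persistence.
            return "wextract_cleanup_artifact", None
        return "run_key_persistence", "T1547.001"
    return "other", None


def triage(events) -> dict[str, list[tuple[str, str, str]]]:
    """Group events as {category: [(process, key\\value, data), ...]}."""
    out: dict[str, list[tuple[str, str, str]]] = {}
    for ev in events:
        cat, _ = classify(ev)
        out.setdefault(cat, []).append((ev.process, f"{ev.key}\\{ev.value}", ev.data))
    return out


def summarize(events) -> Counter:
    """Count events per category."""
    return Counter(classify(ev)[0] for ev in events)


# Constructed from the report's rows.
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
RTP = HKLM + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = HKLM + r"\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE = "d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe"
EVENTS = [
    RegEvent("create", RTP, "", "", "93151000.exe"),
    *[RegEvent("set", RTP, v, "1", "93151000.exe") for v in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection",
        "DisableOnAccessProtection", "DisableRealtimeMonitoring",
        "DisableScanOnRealtimeEnable")],
    RegEvent("set", HKLM + r"\Microsoft\Windows Defender\Features",
             "TamperProtection", "0", "93151000.exe"),
    RegEvent("set", RUNONCE, "wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
             r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"', SAMPLE),
    RegEvent("set", RUNONCE, "wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
             r'"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"', "st377174.exe"),
    # Hypothetical contrast case, not from the report: a real per-user autostart.
    RegEvent("set", r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Users\Admin\AppData\Roaming\svc.exe", "hypothetical.exe"),
]

if __name__ == "__main__":
    for cat, rows in triage(EVENTS).items():
        print(f"{cat}: {len(rows)}")
        for proc, target, data in rows:
            print(f"   {proc}: {target} = {data!r}")
```

On this report's rows the script yields five `defender_rtp_disabled` events and one `defender_tamper_protection_off` event, all from 93151000.exe, two `wextract_cleanup_artifact` entries, and only the invented contrast row as `run_key_persistence`.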
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1680: 93151000.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1680, 93151000.exe
  Token: SeDebugPrivilege, PID 1384, kp846203.exe
Suspicious use of WriteProcessMemory (9 IoCs; each row below appears three times in the report)
  description                       pid   Process                                                                   procid_target
  PID 1416 wrote to memory of 5104  1416  d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe  80
  PID 5104 wrote to memory of 1680  5104  st377174.exe                                                              81
  PID 5104 wrote to memory of 1384  5104  st377174.exe                                                              82
Every target PID is the writer's direct child in the process tree below, so these are the writes that accompany process creation, not writes into an unrelated process.
Processes
  C:\Users\Admin\AppData\Local\Temp\d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe (PID 1416)
    command line: "C:\Users\Admin\AppData\Local\Temp\d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st377174.exe (PID 5104)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st377174.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93151000.exe (PID 1680)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93151000.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp846203.exe (PID 1384)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp846203.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
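The WriteProcessMemory signature lists nine rows, three per child, and the process tree gives each process's parent. The script below, added as an example and not tria.ge's own code, rebuilds the tree from the nesting levels shown in the Processes section, collapses the repeated write rows into writer-to-target edges, and checks each edge against the tree: a write into the writer's own newly created child is the ordinary process-creation pattern, while a write into any other process is the shape code injection takes. The row data is copied from this report; the `(1384, 1680)` edge checked at the end is a constructed contrast case, not something the report shows, and the function names are the example's own.

```python
"""Rebuild the process tree and cross-check WriteProcessMemory rows.

Added example, not tria.ge code. PROCESS_ROWS and WRITE_ROWS are copied
by hand from this report; the (1384, 1680) edge in main() is constructed.
"""
from collections import defaultdict

SAMPLE = "d9dbb5f5765a806905d8b3549fa9cacf1e34df5405b0864fe40d08f437ebdbff.exe"

# (nesting level, image name, pid), in the order the Processes section lists them.
PROCESS_ROWS = [
    (1, SAMPLE, 1416),
    (2, "st377174.exe", 5104),
    (3, "93151000.exe", 1680),
    (3, "kp846203.exe", 1384),
]

# (writer pid, target pid), one entry per row of the WriteProcessMemory signature.
WRITE_ROWS = [(1416, 5104)] * 3 + [(5104, 1680)] * 3 + [(5104, 1384)] * 3

# PIDs flagged by "Executes dropped EXE".
DROPPED = frozenset({5104, 1680, 1384})


def build_tree(rows):
    """Return (parent_of, children_of, names).

    A level-n row's parent is the nearest level-(n-1) row above it, which is
    how an indented process listing encodes the tree.
    """
    parent_of, children_of, names, last_at = {}, defaultdict(list), {}, {}
    for level, name, pid in rows:
        names[pid] = name
        parent = last_at.get(level - 1) if level > 1 else None
        parent_of[pid] = parent
        if parent is not None:
            children_of[parent].append(pid)
        last_at[level] = pid
    return parent_of, dict(children_of), names


def collapse_writes(rows):
    """Count repeated rows per (writer, target) edge."""
    edges = defaultdict(int)
    for writer, target in rows:
        edges[(writer, target)] += 1
    return dict(edges)


def classify_writes(edges, parent_of):
    """Split edges into writes into the writer's own child and cross-process writes."""
    own_child, cross = [], []
    for (writer, target), count in edges.items():
        bucket = own_child if parent_of.get(target) == writer else cross
        bucket.append((writer, target, count))
    return own_child, cross


def roots(parent_of):
    """PIDs with no recorded parent (the submitted sample here)."""
    return [pid for pid, parent in parent_of.items() if parent is None]


def render(children_of, names, root, dropped=frozenset(), depth=0):
    """Indented one-line-per-process view of the subtree under root."""
    tag = " [dropped]" if root in dropped else ""
    lines = [f"{'  ' * depth}{names[root]} (PID {root}){tag}"]
    for child in children_of.get(root, []):
        lines += render(children_of, names, child, dropped, depth + 1)
    return lines


if __name__ == "__main__":
    parent_of, children_of, names = build_tree(PROCESS_ROWS)
    for root in roots(parent_of):
        print("\n".join(render(children_of, names, root, DROPPED)))
    own, cross = classify_writes(collapse_writes(WRITE_ROWS), parent_of)
    print(f"writes into own child:  {own}")
    print(f"cross-process writes:   {cross}")
    # Constructed contrast case (not in the report): a sibling writing into a sibling.
    _, injected = classify_writes({(1384, 1680): 1}, parent_of)
    print(f"injection-shaped write: {injected}")
```

For this report all three collapsed edges fall into the own-child bucket and the cross-process bucket is empty; only the constructed sibling-to-sibling edge lands in it.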
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 488KB
  MD5: a8cfca2e2945ebbf1bb88a2cc7a9a511
  SHA1: 88f8b8c324a6fc7e4f218f136526438f0cf58ac0
  SHA256: cb739dcf65431ed5e3bce36927722f01c197a9407cd18fecfc957189d6f74cdf
  SHA512: b10fb27ef043678700a60250484fc63699230718bad0874a02cdd3fa32804009d010adbc8cf5d2782acfc00a3b4aea8b6d120b6b1a5bff4961cf69cff52dd5f6
  Filesize: 176KB
  MD5: 2b71f4b18ac8214a2bff547b6ce2f64f
  SHA1: b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
  SHA256: f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
  SHA512: 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177
  Filesize: 340KB
  MD5: 6106457395f49a9dc652b2517cf7e7ba
  SHA1: d0533ced6b98da466c7ed8fc9f9a9f5d0ced7f0e
  SHA256: 96638707890bedb3a5534ff8c37ff79118d193155e618bc2add87c5e4384e581
  SHA512: 6c81a594a5988f8ce30aa2e7008506850e4ba8a7b867df7b9c9401bd4a39e70f12de181549264cd607b9a5c2f201d1867ac2db3f7d6fd7c684c1a89ec3dc9af0