Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 19:36

Static task: static1

Behavioral task: behavioral1
Sample: fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe
Resource: win10v2004-20230220-en
General
Target: fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe
Size: 696KB
MD5: 1feca7be483a7ede6047b2021bba9291
SHA1: 232052904b9db804906180ccf2ba113a90eb89e6
SHA256: fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f
SHA512: 1a32cb9bde9022d2554b276eee3b05bc523d276f4dfd1a40df7b073f6adceb43418fada2ac18228acb13beaa336ce22a149da7f0edf850ab08b7de36133eb8d8
SSDEEP: 12288:zy90Tq4C00Xa9KJ2A/+tZ9CO3IhMY/NN4MWL6+718buKjA+KQujtlU:zyyqsfKoA/+tXCFneZ6+718bugIbjtlU
Malware Config
Signatures
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/2936-985-0x0000000009C40000-0x000000000A258000-memory.dmp | redline_stealer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 43383082.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 43383082.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 43383082.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 43383082.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 43383082.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 43383082.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 3 IoCs
pid | Process
4964 | un815342.exe
3900 | 43383082.exe
2936 | rk342776.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 43383082.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 43383082.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un815342.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un815342.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3500 | 3900 | WerFault.exe | 86

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3900 | 43383082.exe
3900 | 43383082.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3900 | 43383082.exe
Token: SeDebugPrivilege | 2936 | rk342776.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2976 wrote to memory of 4964 | 2976 | fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe | 85
PID 2976 wrote to memory of 4964 | 2976 | fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe | 85
PID 2976 wrote to memory of 4964 | 2976 | fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe | 85
PID 4964 wrote to memory of 3900 | 4964 | un815342.exe | 86
PID 4964 wrote to memory of 3900 | 4964 | un815342.exe | 86
PID 4964 wrote to memory of 3900 | 4964 | un815342.exe | 86
PID 4964 wrote to memory of 2936 | 4964 | un815342.exe | 92
PID 4964 wrote to memory of 2936 | 4964 | un815342.exe | 92
PID 4964 wrote to memory of 2936 | 4964 | un815342.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe6450a225302d7f9cab3ee73681548d9bf49e41bb42870ba21d374b04ef7e2f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2976

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un815342.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un815342.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4964

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43383082.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43383082.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3900

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1080
        - Program crash
        PID: 3500

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk342776.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk342776.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2936

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3900 -ip 3900
  PID: 2660
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 541KB
MD5: b5ec3f70c6df9edfc2dace7f701f805d
SHA1: b3ed76d78cd26c6acd0e32c4b23f4c8bfa238bbc
SHA256: 138fbb8de2e879362135632a6e5ef689388f0759e3854467a9817bcdb42bdf2c
SHA512: 5edb7496511bb17330088a57f8a4900443ef7880e9c20ef40113019007b026341f383ab1923a8f409ba40832c45fb0302499309ecc819d20b6cbcb124fc1ee52

Filesize: 258KB
MD5: 88fc9da8525f441b05688e184a99a983
SHA1: 16a4d0f6f1a16659897c092d00eb4f79e0f04b88
SHA256: 23533d104e8a7c6cf358a63f41dc01fbe03cfa6a6db87d898abd295de0f2ca9a
SHA512: 31311ec3048fa731277370dee537351bd1cf4f07e975f586320d5ea64f70b477f0b32253001d6c2b363935aeafa96953a33343b3571fc989fdce7a67e5541ccb

Filesize: 340KB
MD5: b16b06fb5c3aa4421d5ce16427673f03
SHA1: 1411c24051963ac29d15f706d2c3140aad48bd06
SHA256: 02b4a968e81c5cd1d05a161808e1d0ca93eff89dd6cef87d046a3ab18bcc9056
SHA512: 7d4f4223b8956efec0473e0022fd79eda5d242be33f758e598c0f166bb5c438bead3665fa0dc4cc354a6090870345ad272b2dafbee2190d683e682a14042042f