Analysis
- max time kernel: 240s
- max time network: 259s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 18:23
Static task: static1
Behavioral task: behavioral1
- Sample: 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
- Resource: win10v2004-20230221-en
General
- Target: 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
- Size: 1.2MB
- MD5: 59df4066422b0c50649fabcd283c05d3
- SHA1: 07dbcae5a88a1ee48b8fc02a4edc9482b5ee0282
- SHA256: 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c
- SHA512: 0ba84cfad65c6d040fcbaf5c66c6fe99f2d46be91e176bdb508d839d0841c1c53a17ee4cf27474e010bb1e3202f60df948b2ff57362557b17820a37cf1f0bcfc
- SSDEEP: 24576:nyZEnlHUfcT5DV7PR6C/JhnFDXsFsI1uQYK1BRXWyBw++52THDG:yWHU0T5RzRDr5XsFsY1BRX2++SD
Malware Config
Signatures
- Detects Redline Stealer samples (3 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/452-156-0x0000000007C30000-0x0000000008248000-memory.dmp | redline_stealer
behavioral2/memory/452-161-0x0000000007A70000-0x0000000007AD6000-memory.dmp | redline_stealer
behavioral2/memory/452-165-0x00000000090D0000-0x0000000009292000-memory.dmp | redline_stealer
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (4 IoCs)
pid | Process
4764 | x6683454.exe
264 | x3815054.exe
452 | g7265315.exe
3608 | h1964081.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x6683454.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x6683454.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x3815054.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x3815054.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
- Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
452 | g7265315.exe
452 | g7265315.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 452 | g7265315.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3680 wrote to memory of 4764 | 3680 | 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe | 79
PID 3680 wrote to memory of 4764 | 3680 | 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe | 79
PID 3680 wrote to memory of 4764 | 3680 | 4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe | 79
PID 4764 wrote to memory of 264 | 4764 | x6683454.exe | 80
PID 4764 wrote to memory of 264 | 4764 | x6683454.exe | 80
PID 4764 wrote to memory of 264 | 4764 | x6683454.exe | 80
PID 264 wrote to memory of 452 | 264 | x3815054.exe | 81
PID 264 wrote to memory of 452 | 264 | x3815054.exe | 81
PID 264 wrote to memory of 452 | 264 | x3815054.exe | 81
PID 264 wrote to memory of 3608 | 264 | x3815054.exe | 86
PID 264 wrote to memory of 3608 | 264 | x3815054.exe | 86
PID 264 wrote to memory of 3608 | 264 | x3815054.exe | 86
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe"
  PID: 3680
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6683454.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6683454.exe
    PID: 4764
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815054.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815054.exe
      PID: 264
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7265315.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7265315.exe
        PID: 452
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1964081.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1964081.exe
        PID: 3608
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 914KB
  MD5: 123dd236919782276489c5d5d0153e95
  SHA1: 8a6f9cd6f1db639863bbdc6d59c72aa3b5fe313d
  SHA256: 59f203cb545d3f2afeba58fda390b1540839fbd7542463ad590f79e3b151cf1d
  SHA512: 341431f0afb0af639213f34db419bc1af94183d5a3054a1639b9bde7951bd0fdd7cb86ee885845a9fc72b8108ad2edaa768c5b4f64a875cf12e575b22f7d2686
- Filesize: 416KB
  MD5: 3ba91b7455589cd5621d2e6c5fa9fcd1
  SHA1: 0a67e20f04ca132a49da9ddd9c45ce606dc61f49
  SHA256: 0868391c6786c157fbf37af16774e04e7bd3c0121f2ee4a1aa58cbdebb1ae14b
  SHA512: 158db1327816e73d0c04429c3658f29c2b002fa23424bc2a82be7155359d4ff4a901c66f54005ccd83d87f3e116bc6e059fb31550186994643a388d741002b01
- Filesize: 137KB
  MD5: 1da35ea199696ab2ae0d3e1fed9d3d31
  SHA1: 2cef0c0da8d9fbad5a423a9faad81dba8fdddcff
  SHA256: 89ecb927a2edd64606b47f99c0fbe2f924ea4af755737c702d1dac451484ee93
  SHA512: 41e420d76438cee42c53b114e1ec3464594c93789dbfebb9c11215900a7f507b6645a3d5b599beb9bcac86d1caaae711effdb24c101468479b8b51ddb1f6df5d
- Filesize: 360KB
  MD5: 1247141f044c80850cdf6e951e272f3d
  SHA1: 602a51892cf1877b7d976d44a1fea723dd870056
  SHA256: f7c19fedad1ebdaa9512ec8c37cddad91769360bf947c54b368561fc3d520819
  SHA512: 91375e17c814abbab52acd62229183b138417d88dfe41455a7a2cc27573891692169ebde5c0393e0021a553ca2cad711d1acebf79b72fa2272041955689c002f