Analysis
max time kernel: 182s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe
  Resource: win10v2004-20230220-en
General
Target: 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe
Size: 923KB
MD5: 369dd19e2de592c1ebcf3dfa485d6263
SHA1: 13b2e7711fa301501b7807d17179a56ee4345ab6
SHA256: 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258
SHA512: 79f86238a2782773f857d34f88dc80ed4654b56b6df66222895b216a7e1c09d3bed85338d1e8c340007679c311818a650f87eea66e36017cda3b07b607df8129
SSDEEP: 24576:jycUoLYxjH2eD6nPT4prEKoEXtjtIcb8mje4LT:2cr6+nPTErE9ctjXLfL
Malware Config
Extracted
Family: redline
Botnet: lupa
C2: 217.196.96.56:4138
auth_value: fcb02fce9bc10c56a9841d56974bd7b8
Signatures

Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/4612-212-0x000000000A890000-0x000000000AEA8000-memory.dmp | redline_stealer
behavioral2/memory/4612-220-0x000000000B0B0000-0x000000000B116000-memory.dmp | redline_stealer
behavioral2/memory/4612-222-0x000000000BCE0000-0x000000000BEA2000-memory.dmp | redline_stealer

Modifies Windows Defender Real-time Protection settings 11 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | p8874409.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | p8874409.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | p8874409.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | p8874409.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | p8874409.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
pid | Process
2664 | z6441614.exe
1312 | z9957744.exe
1504 | z9796849.exe
652 | n9855826.exe
4612 | o4132079.exe
4888 | p8874409.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | n9855826.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | p8874409.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z9796849.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z9796849.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z6441614.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z6441614.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z9957744.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z9957744.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4296 | 652 | WerFault.exe | 83

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
652 | n9855826.exe
652 | n9855826.exe
4612 | o4132079.exe
4612 | o4132079.exe
4888 | p8874409.exe
4888 | p8874409.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 652 | n9855826.exe
Token: SeDebugPrivilege | 4612 | o4132079.exe
Token: SeDebugPrivilege | 4888 | p8874409.exe

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 1676 wrote to memory of 2664 | 1676 | 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe | 80
PID 1676 wrote to memory of 2664 | 1676 | 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe | 80
PID 1676 wrote to memory of 2664 | 1676 | 733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe | 80
PID 2664 wrote to memory of 1312 | 2664 | z6441614.exe | 81
PID 2664 wrote to memory of 1312 | 2664 | z6441614.exe | 81
PID 2664 wrote to memory of 1312 | 2664 | z6441614.exe | 81
PID 1312 wrote to memory of 1504 | 1312 | z9957744.exe | 82
PID 1312 wrote to memory of 1504 | 1312 | z9957744.exe | 82
PID 1312 wrote to memory of 1504 | 1312 | z9957744.exe | 82
PID 1504 wrote to memory of 652 | 1504 | z9796849.exe | 83
PID 1504 wrote to memory of 652 | 1504 | z9796849.exe | 83
PID 1504 wrote to memory of 652 | 1504 | z9796849.exe | 83
PID 1504 wrote to memory of 4612 | 1504 | z9796849.exe | 87
PID 1504 wrote to memory of 4612 | 1504 | z9796849.exe | 87
PID 1504 wrote to memory of 4612 | 1504 | z9796849.exe | 87
PID 1312 wrote to memory of 4888 | 1312 | z9957744.exe | 89
PID 1312 wrote to memory of 4888 | 1312 | z9957744.exe | 89
PID 1312 wrote to memory of 4888 | 1312 | z9957744.exe | 89
Processes

C:\Users\Admin\AppData\Local\Temp\733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\733d8bcb05833b65beb9b763372015e736cbeccb862713d28a1af85133883258.exe"
  PID: 1676
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6441614.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6441614.exe
    PID: 2664
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9957744.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9957744.exe
      PID: 1312
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9796849.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9796849.exe
        PID: 1504
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n9855826.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n9855826.exe
          PID: 652
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1084
            PID: 4296
            - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4132079.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4132079.exe
          PID: 4612
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8874409.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8874409.exe
        PID: 4888
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 652 -ip 652
  PID: 4496
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 769KB
MD5: 413163f4e46dd435d1f17d80f2c58021
SHA1: b17e7d086aa1b06b52874399ec01f2f66a048ed0
SHA256: b8288ff8eb063f4d2ffc85ce5a1a8c8559c401fbd99a6dbaded188c7aed04bef
SHA512: 3b069f239dba1b357724358be5faf763cc5b9b25cba4a622afb00e78ae2a76535090ce5cbd1c1f9ae97ec9fcaf368c5a0d7d9f8e3d5d846d1af36fa974253a53

Filesize: 587KB
MD5: 792660dbe092c75455a61c6f78e20ebe
SHA1: f2f64c68dd980dac2278a56b1c93496e6ad72582
SHA256: aa49c51f8a6906c697a1050519157f47ab62a376d0ac78a4933e39776da6e123
SHA512: 7797d0b5220e94b17e75ed7358bbcb118f8a396a18d15964bc137ac7b641ebf2d828bb6a9ca2349a898bd2505378fff8570513d99b1956fa098837ba11011f2a

Filesize: 176KB
MD5: c4db88375027c7c66e95d03dd4526c3e
SHA1: ff4aa28fc710e8058c6c06d7d4441bae93a7ce21
SHA256: 35f4385b990aa71ce19c2a3351d8960fa5023ad5241d9d36049f1a6541acda17
SHA512: 8ee29defc8f0a609b1debd20c6a331708ecd0f9847e6068fc646b3f99083b54a23c229206360d292a4b06408e028d7c7b5a100a6a8199d7293490716e26333ec

Filesize: 383KB
MD5: c134a451fbe206b0b2fa73823c856390
SHA1: a6db68b36f600c53e3e5229d63cbc80f5e8604b6
SHA256: 2bcb88c1ffc4493189cc176c06e179855073dcda0beb7d7ae88125fa5a8f20d4
SHA512: 57dcc1fbb688d7c0ee149e0cd4260766b144027cc139f7bee6cb1b2c1eaa41a22aa64dbe252bb33201bd529ddc307db2843e8f29dbbf50eac5cd26869f36b625

Filesize: 283KB
MD5: 1f87643424d8b50f39bdcd92dec27b36
SHA1: 36d48898f13e9f6c6e68fd418b193fa2a36270ae
SHA256: c47551e49b0b99619830b20320d2af357502d99eb25dfaeabf0f5a1c136eec10
SHA512: e72f1e43cf7c12b2fdbdca5093672a98b335c9a50116f13efd414d14ef5979f9c45c7f9604c2b065c8bf984a68e952e7067f06398c124a85602eaee971cc4f59

Filesize: 168KB
MD5: a62c904d5dfe22a4c9bd971439d88d2c
SHA1: fb3475834f9600d476123724a8e31674077d974c
SHA256: 8395865a2f9f84abeecafc72d7b033c977c5ece997a12bb4576352bf609982c6
SHA512: 486257a2340ab7b86038dda5bbd0bfdd3eb4b6a0ba1b9125c764e64f5a1c8eaa40bf816b770a6c791b369f8c4a944c90b3f6616690ade6745795f0691c93284a