Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 19:25
Static task: static1
Behavioral task: behavioral1
- Sample: c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe
- Resource: win10v2004-20230220-en
General
- Target: c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe
- Size: 695KB
- MD5: 2b33a0ff9afe21bba8070386738dd9a1
- SHA1: 36853c50dc3d9498f2c989f12d11688555e72b29
- SHA256: c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09
- SHA512: f3bd20a5bef7984eb95475ceab8c74b4e721026e22cdb5dc93db62c102c4edccafa61bb9fdf22ed97f6d8cc8d24c50bfe8e3f9ac82ff0a70fb191a0be34a1056
- SSDEEP: 12288:ey90tiWyrr2PoTl/Y7TfZdkpD1K4M0QNi8/4PTZdoXfwQ1yiZUDZf7Wg:eyYyPRyfZ2w0Q9QPTzovwQOgg
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/1084-989-0x0000000009CE0000-0x000000000A2F8000-memory.dmp | redline_stealer
- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 19985000.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 19985000.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 19985000.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 19985000.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 19985000.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 19985000.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid | Process
  1420 | un299961.exe
  1820 | 19985000.exe
  1084 | rk880250.exe
- Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 19985000.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 19985000.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un299961.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un299961.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1560 | 1820 | WerFault.exe | 85
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1820 | 19985000.exe
  1820 | 19985000.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1820 | 19985000.exe
  Token: SeDebugPrivilege | 1084 | rk880250.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1900 wrote to memory of 1420 | 1900 | c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe | 84
  PID 1900 wrote to memory of 1420 | 1900 | c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe | 84
  PID 1900 wrote to memory of 1420 | 1900 | c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe | 84
  PID 1420 wrote to memory of 1820 | 1420 | un299961.exe | 85
  PID 1420 wrote to memory of 1820 | 1420 | un299961.exe | 85
  PID 1420 wrote to memory of 1820 | 1420 | un299961.exe | 85
  PID 1420 wrote to memory of 1084 | 1420 | un299961.exe | 89
  PID 1420 wrote to memory of 1084 | 1420 | un299961.exe | 89
  PID 1420 wrote to memory of 1084 | 1420 | un299961.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1632a93dc892ed28ae8861398f25db3b117c843864581eeba25ef29267cee09.exe"
  PID: 1900
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un299961.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un299961.exe
    PID: 1420
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19985000.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19985000.exe
      PID: 1820
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1016
        PID: 1560
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk880250.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk880250.exe
      PID: 1084
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1820 -ip 1820
  PID: 1816
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 541KB
  MD5: e8bebe50132975fa77d11fabcc4f4526
  SHA1: 45f227db2669134d18368a39ad6e0892c17a90f7
  SHA256: 6672ae09ef0ab01d41161d9d792caab248271f5d29c917eb6b28ae31f6c75bbc
  SHA512: 051279fc1b54bf7c92c00b6b9fea259ea16fbf0711b2c37ae13044cbca2dfa0c35a997b0ef344060ef4d6918855f2e663eba43f2d44930351b2a7a02f1c640c7
- Filesize: 258KB
  MD5: 0456d29cd856a216de10ea210144af2d
  SHA1: a6f4933df5d1845ff198ea1e031960d8f37baf22
  SHA256: 78cb54a66a0ad873b22677c5ccfeee4a503da0a8a0fc516d96104ac1de3e027d
  SHA512: af526de445cc261c74146839212010cb4ffa0eb5a6dac2d6f0b1c633b217304a557c2c1aac3cf1948e00c9e5345b08051c0f65eb57cd7bea471e6d2a31fb4677
- Filesize: 340KB
  MD5: 798cf522a76e389588fa71cb8d5e0c46
  SHA1: e221cf88d35b49f6c57a359a239857114289e0f7
  SHA256: f7e30143393a333d44f09efe1d6c0d224ff8f4b5efedbec30e435901ad39cb9b
  SHA512: ae000d0bd6b55ad8a1d4e2807c98b9ecfa9da85e6152ef9f57fdce6f77fe1bb525d2a8a1865ab8ee0b76f1f229896d2d00f04ec07ba52d0b90c43374284b4606