Analysis
  max time kernel: 146s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/05/2023, 18:49
Static task: static1
Behavioral task: behavioral1
  Sample: a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
  Resource: win10v2004-20230220-en
General
  Target: a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
  Size: 690KB
  MD5: a040d30b578d01525062075d5033fa02
  SHA1: be10a96eb2c1aae00ad4a60863e5d79d4e5901b1
  SHA256: a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023
  SHA512: 25c8c32ed207af29293727e89dc7335c9b2a59e6161d9632f62b779b03c46d5c6f498d25ba7d18723f0436e91ed61e244f1dbcba9ce0ec66bd7c9c93090ed763
  SSDEEP: 12288:My90OTP01v71oAhaZkIJwTTVYT+urnGuqlb/cd2oB3vlCCiI22kEqke:MyvTP01v71ooaGkwTTV++urGuI7g26x2
Malware Config
Signatures
Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/2784-986-0x0000000007500000-0x0000000007B18000-memory.dmp
  yara_rule: redline_stealer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description / ioc / Process:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  18002885.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  18002885.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  18002885.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  18002885.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  18002885.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  18002885.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (3 IoCs)
  pid / Process:
  2424  un069612.exe
  4516  18002885.exe
  2784  rk728287.exe
Windows security modification (2 IoCs)
  description / ioc / Process:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  18002885.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  18002885.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  un069612.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un069612.exe
Program crash (1 IoC)
  pid / pid_target / Process / procid_target:
  4608  4516  WerFault.exe  83
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
  4516  18002885.exe
  4516  18002885.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  4516  18002885.exe
  Token: SeDebugPrivilege  2784  rk728287.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  PID 2264 wrote to memory of 2424  2264  a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe  82
  PID 2264 wrote to memory of 2424  2264  a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe  82
  PID 2264 wrote to memory of 2424  2264  a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe  82
  PID 2424 wrote to memory of 4516  2424  un069612.exe  83
  PID 2424 wrote to memory of 4516  2424  un069612.exe  83
  PID 2424 wrote to memory of 4516  2424  un069612.exe  83
  PID 2424 wrote to memory of 2784  2424  un069612.exe  86
  PID 2424 wrote to memory of 2784  2424  un069612.exe  86
  PID 2424 wrote to memory of 2784  2424  un069612.exe  86
Processes (indented by depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2264
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069612.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069612.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2424
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18002885.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18002885.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4516
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1092
        - Program crash
        PID: 4608
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728287.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728287.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2784
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4516 -ip 4516
  PID: 2320
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 536KB
  MD5: 7da427c76aba24f15fba8d6b678c97d8
  SHA1: 73ba46b48b11bd84b5d1fb1f31573c7c64176fba
  SHA256: 7d792ec019942bad451253b0a28bb98545c93b3af477d31b8fb57f4e00f3a35a
  SHA512: 030bcaf5ee8ffe98ec9177f11350d137cfacc244c7c22b30e3fc7f4aeb3d6d63a4c2af25c25dbc8799f4cab1b0a431494cb955fbfb8b306fcb8dc42ae453f49e
  Filesize: 259KB
  MD5: f246ab38c4583449f787d6ba90191b11
  SHA1: b27773ee66a97fe95d03fd6b14a46b2d975cfd9b
  SHA256: 20dce831c494e08fea6a5cba58d40f35baf8a40252d9083c4e23db6f07ac0700
  SHA512: dfe199d4b367daeddad330d7cd6c06982f4fd66600d5262751647d41816bbb747caa884b8d5f862f32604f70a311b38d2394a6dac29f90dc88d0ebe6e58bfe5f
  Filesize: 341KB
  MD5: 206c71b72ab08b69c3aa2847f03903aa
  SHA1: 1b14f68b225e76bf6ce52f58defdf78ff4433e46
  SHA256: f0cfd87fcb07e71927cdd2f3886019a5bc5accc251d93c6a1628f03d089d33aa
  SHA512: c4bbcf02d87183d8b1566299aef88bb93849db5c8928373c15ab253081f6fcfa0858475ff4c1ff429af94156c53d788c93eb6ff551c539689d5a4e5c5620f5f5