Analysis
max time kernel: 211s
max time network: 272s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe
  Resource: win10v2004-20230221-en
General
Target: b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe
Size: 480KB
MD5: 2ed22c263708e87ab098da0373af9419
SHA1: 73d5f2dac037fbf999eacda30f4420022f461185
SHA256: b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f
SHA512: d6ddb2d05adc4a65386e2cef1fc73926b04dca70810bd0bca11602ed64c688dd44fec161607f72d606114993adb95c63776540b8a61f1528d0bbc774fbcef12c
SSDEEP: 12288:NMrly90qs2yl2GFpORQiwAjuFDaFOYgc:0yRnyTFERQiLj+acNc
Malware Config
Signatures

Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3884-187-0x0000000007610000-0x0000000007C28000-memory.dmp | redline_stealer
behavioral2/memory/3884-193-0x0000000007CE0000-0x0000000007D46000-memory.dmp | redline_stealer
behavioral2/memory/3884-198-0x0000000008BF0000-0x0000000008DB2000-memory.dmp | redline_stealer
All three hits are in the memory of PID 3884 (b0413473.exe), so that process, not the outer dropper, is the one carrying the RedLine payload.
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a4113310.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a4113310.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a4113310.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a4113310.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a4113310.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a4113310.exe
All six values sit under the Defender Real-Time Protection policy key, the same switches an administrator would set through Group Policy (real-time monitoring, behaviour monitoring, on-access scanning, download/IOAV scanning). The sandbox records the write, not its effect: with Tamper Protection enabled, Defender is designed to disregard such changes, so treat this as an attempt to blind the product and confirm the host's actual state separately.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 3 IoCs
pid | Process
2648 | v7848907.exe
3136 | a4113310.exe
3884 | b0413473.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a4113310.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a4113310.exe
Writing TamperProtection = 0 is an attempt to switch Tamper Protection off by direct registry write before the Real-Time Protection policy values above are set. As with those values, the report shows the write, not whether Defender honoured it.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7848907.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v7848907.exe
Despite the signature name, these RunOnce values are not persistence for the stealer. wextract_cleanupN entries pointing at advpack.dll,DelNodeRunDLL32 are the standard artifact of a Windows self-extracting cabinet (WEXTRACT/IExpress): each extractor registers a one-shot job that deletes its own IXP00N.TMP extraction directory at the next logon. Two such entries (IXP000.TMP, then IXP001.TMP) mean the sample is a self-extractor wrapping a second self-extractor, which is why the chain below runs from nested Temp directories. Any real persistence for the RedLine payload would have to be looked for elsewhere.
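The registry rows above (the Real-Time Protection policy values, the TamperProtection write and the wextract_cleanup RunOnce entries) are the kind of telemetry a detection engineer gets from Sysmon Event ID 13 or any EDR registry feed. The following is an added example, not part of the report or of Hatching Triage: it parses rows in the report's own "Set value (type) path = "data" process" shape and sorts them into Defender tampering, WEXTRACT cleanup and ordinary autorun entries. The input is constructed from the rows above plus one invented Run value (benign.exe, Updater) so the classifier has an ordinary autorun to contrast with.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: registry "Set value" rows copied from the report above, plus
# one made-up ordinary Run entry (benign.exe) that is NOT from the report.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4113310.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4113310.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4113310.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a4113310.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Tools\\updater.exe" benign.exe',
]

# "Set value (<type>) <key path> = "<data>" <process>"; data may itself contain quotes,
# so the data group is greedy and the process name (no spaces) anchors the end.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')


@dataclass
class RegEvent:
    value_type: str
    key_path: str
    data: str
    process: str

    @property
    def value_name(self):
        return self.key_path.rsplit("\\", 1)[-1]


def parse_event(line):
    """Parse one report row; returns None for rows in another shape."""
    m = EVENT_RE.match(line.strip())
    return RegEvent(*m.groups()) if m else None


def classify(ev):
    """Map a registry write to a detection category (checked most specific first)."""
    path = ev.key_path.lower()
    name = ev.value_name.lower()
    # Group Policy switches that turn Defender's real-time engine components off.
    if ("\\policies\\microsoft\\windows defender\\real-time protection\\" in path
            and name.startswith("disable") and ev.data == "1"):
        return "defender_realtime_disabled"
    # Direct attempt to switch Tamper Protection off.
    if path.endswith("\\microsoft\\windows defender\\features\\tamperprotection") and ev.data == "0":
        return "defender_tamper_protection_off"
    # Self-extracting cabinet cleanup job: deletes IXP00N.TMP at next logon, not persistence.
    if ("\\currentversion\\runonce\\" in path and name.startswith("wextract_cleanup")
            and "advpack.dll,delnoderundll32" in ev.data.lower()):
        return "wextract_cleanup"
    if "\\currentversion\\run\\" in path or "\\currentversion\\runonce\\" in path:
        return "autorun"
    return "other"


def triage(lines):
    """Return {category: [(process, value name), ...]} for every parseable row."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            findings[classify(ev)].append((ev.process, ev.value_name))
    return dict(findings)


def defender_tamperers(findings):
    """Processes that touched either Defender category; the ones to escalate first."""
    cats = ("defender_realtime_disabled", "defender_tamper_protection_off")
    return sorted({proc for cat in cats for proc, _ in findings.get(cat, [])})


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for category, hits in result.items():
        print(f"{category}: {hits}")
    print("Defender tampering by:", defender_tamperers(result))
```

The order of checks matters: the WEXTRACT rule runs before the generic autorun rule so the cleanup entries are labelled for what they are instead of inflating the persistence count, while anything under Run/RunOnce that is not a known extractor artifact still surfaces as an autorun to review.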
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
3136 | a4113310.exe
3136 | a4113310.exe
3884 | b0413473.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3136 | a4113310.exe
Token: SeDebugPrivilege | 3884 | b0413473.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1512 wrote to memory of 2648 | 1512 | b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe | 79
PID 1512 wrote to memory of 2648 | 1512 | b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe | 79
PID 1512 wrote to memory of 2648 | 1512 | b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe | 79
PID 2648 wrote to memory of 3136 | 2648 | v7848907.exe | 80
PID 2648 wrote to memory of 3136 | 2648 | v7848907.exe | 80
PID 2648 wrote to memory of 3136 | 2648 | v7848907.exe | 80
PID 2648 wrote to memory of 3884 | 2648 | v7848907.exe | 81
PID 2648 wrote to memory of 3884 | 2648 | v7848907.exe | 81
PID 2648 wrote to memory of 3884 | 2648 | v7848907.exe | 81
Processes
C:\Users\Admin\AppData\Local\Temp\b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe  (PID 1512)
  command line: "C:\Users\Admin\AppData\Local\Temp\b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7848907.exe  (PID 2648)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7848907.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4113310.exe  (PID 3136)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4113310.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0413473.exe  (PID 3884)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0413473.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
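The WriteProcessMemory rows and the process tree describe the same lineage from two angles: the outer sample runs v7848907.exe out of IXP000.TMP, which in turn runs a4113310.exe (the Defender tampering) and b0413473.exe (the process whose memory matched the RedLine rule) out of IXP001.TMP. As an added example, not part of the report or of Hatching Triage, the code below rebuilds that tree from the "PID X wrote to memory of Y" rows, collapses the triplicated rows, and checks the WEXTRACT nesting pattern (each child one IXP layer deeper than its parent) so the final payloads fall out as the leaves. The rows and image paths are copied from this report; the trailing procid_target number is read but ignored.

```python
import re
from collections import defaultdict

# Constructed input, copied from the report above: the nine "wrote to memory"
# rows (each parent/child pair is reported three times) and the image path
# of every PID from the Processes tree.
WPM_ROWS = [
    "PID 1512 wrote to memory of 2648 1512 b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe 79",
    "PID 1512 wrote to memory of 2648 1512 b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe 79",
    "PID 1512 wrote to memory of 2648 1512 b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe 79",
    "PID 2648 wrote to memory of 3136 2648 v7848907.exe 80",
    "PID 2648 wrote to memory of 3136 2648 v7848907.exe 80",
    "PID 2648 wrote to memory of 3136 2648 v7848907.exe 80",
    "PID 2648 wrote to memory of 3884 2648 v7848907.exe 81",
    "PID 2648 wrote to memory of 3884 2648 v7848907.exe 81",
    "PID 2648 wrote to memory of 3884 2648 v7848907.exe 81",
]
IMAGE_PATHS = {
    1512: r"C:\Users\Admin\AppData\Local\Temp\b71f27d0d52ebc4ab8a591ca482053d55b024c9bd04471c452cfa8aaf5e6914f.exe",
    2648: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7848907.exe",
    3136: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4113310.exe",
    3884: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0413473.exe",
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
# WEXTRACT extracts into %TEMP%\IXP<nnn>.TMP; the counter grows by one per nested layer.
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)


def parse_edges(rows):
    """Return {(parent_pid, child_pid): parent_image}; repeated rows collapse to one edge."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            parent, child, parent_image, _target_id = m.groups()
            edges[(int(parent), int(child))] = parent_image
    return edges


def build_tree(edges):
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    return dict(children)


def roots(edges):
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def leaves(edges):
    """Processes that wrote into nobody: the end of the chain, i.e. the payloads."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(kids - parents)


def extraction_layer(path):
    """IXP000.TMP -> 0, IXP001.TMP -> 1, None when not run from an extraction dir."""
    m = IXP_RE.search(path)
    return int(m.group(1)) if m else None


def nested_extractors(edges, paths):
    """(parent, child, layer) for each hop where the child runs one IXP layer deeper
    than its parent, which is how a self-extractor launching its contents looks."""
    hits = []
    for parent, child in sorted(edges):
        pl = extraction_layer(paths.get(parent, ""))
        cl = extraction_layer(paths.get(child, ""))
        if cl is not None and ((pl is None and cl == 0) or (pl is not None and cl == pl + 1)):
            hits.append((parent, child, cl))
    return hits


def render(children, paths, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid}  {paths.get(pid, '?')}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, paths, kid, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, IMAGE_PATHS, root)))
    print("nested extraction hops:", nested_extractors(edges, IMAGE_PATHS))
    print("final payloads:", leaves(edges))
```

Feeding a whole report's rows through this is a quick way to separate the packaging (self-extractor layers, each with its own cleanup RunOnce entry) from the processes worth pulling memory dumps from; here both leaves are the two IXP001.TMP binaries, and the YARA hits above confirm that 3884 is the one holding the decoded stealer.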
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 308KB
MD5: 044ba37dccb961700d3432dad2339dc1
SHA1: 4a996a018e905c77e7259d91388e65724679ae1a
SHA256: aac8d020cee178815af487aaa84bab6859750fd780484b26c58ebe0e50db2fe6
SHA512: fb9308520c5c63ff8c55cc0daf814f40a1beb8cf7f256777224cfe513eaff7d014f33ffe0545d1c4b90bb745b3cabe30877b2804aa090b1ca6d398a69374e8e0

Filesize: 176KB
MD5: 54d7144705c4cc7fc62aa7eff4658f07
SHA1: 104029a24e480adf7cf3603137448a1893ae5bbf
SHA256: 91b9701b0cfacb782dacd2ed87a91a230cf934c2d7e6af6fab728301e8d5a583
SHA512: 1399468c8f54e57345cc83d7803ff2f5059051675fb25954ef12fa85dc7b633e71c8605e7653dc7bb09c260cee3c86c0ef2507264706ef79547a25e64938f95a

Filesize: 136KB
MD5: 846aec6f1281bfdaaa504fa81f93aac8
SHA1: 11ace8cd08e165c4c76d92f7c46d13f8363164b0
SHA256: 84e84d7bb12c81aab3090430280e01f0ad105d751fced11c41be4d590c21df27
SHA512: 54feddee3661aa0458257c20f5b425c907c4e980bf082788863d67c4ad1fffd777e6f45588546d09e82cfea029fbe0cfe50b5c4a68af79b93ceff13569a6177f