Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 19:14
Static task: static1
Behavioral task: behavioral1
- Sample: bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe
- Resource: win10v2004-20230220-en
General
- Target: bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe
- Size: 694KB
- MD5: 82d4e596aeb90063fe45024690da3016
- SHA1: 06001ca0047925ff3936b0156c0ffe9555ce17f1
- SHA256: bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3
- SHA512: 78a512b43ab4e47778023767eb4bc098283b83b3e1d542d2a758064b1055925ba1c9ed4381c68617f6e12247e2a25496fcb942320f34ccde6f27b98261223fde
- SSDEEP: 12288:ey90Yhw6TP/IZ33DlblZV/VOIAwpFT6ETU4U/uvxWb6Fn18b2KQA+LNDLBCE:eyVCo4ZnDtVdOIAoF7TJu6Fn18b2LvcE
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoCs)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/1448-988-0x0000000009C90000-0x000000000A2A8000-memory.dmp | redline_stealer

- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 01297549.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 01297549.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 01297549.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 01297549.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 01297549.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 01297549.exe

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Executes dropped EXE (3 IoCs)
  pid | Process
  4600 | un958203.exe
  4116 | 01297549.exe
  1448 | rk696020.exe

- Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 01297549.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 01297549.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un958203.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un958203.exe

- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4420 | 4116 | WerFault.exe | 83

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4116 | 01297549.exe
  4116 | 01297549.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4116 | 01297549.exe
  Token: SeDebugPrivilege | 1448 | rk696020.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4772 wrote to memory of 4600 | 4772 | bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe | 82
  PID 4772 wrote to memory of 4600 | 4772 | bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe | 82
  PID 4772 wrote to memory of 4600 | 4772 | bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe | 82
  PID 4600 wrote to memory of 4116 | 4600 | un958203.exe | 83
  PID 4600 wrote to memory of 4116 | 4600 | un958203.exe | 83
  PID 4600 wrote to memory of 4116 | 4600 | un958203.exe | 83
  PID 4600 wrote to memory of 1448 | 4600 | un958203.exe | 86
  PID 4600 wrote to memory of 1448 | 4600 | un958203.exe | 86
  PID 4600 wrote to memory of 1448 | 4600 | un958203.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bad970a5bf84591bff5372c741cb5feefe0da9d6f593963ac87e6ca062cd42e3.exe"
  PID: 4772
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un958203.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un958203.exe
    PID: 4600
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01297549.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01297549.exe
      PID: 4116
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1080
        PID: 4420
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk696020.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk696020.exe
      PID: 1448
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4116 -ip 4116
  PID: 4916
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 540KB
  MD5: 11fdda31ff49e411ea64be8553fcd892
  SHA1: f4c5dec4fd247eda13725410efd43a1df0d5237b
  SHA256: 08af21716858e92c3775bfc368569bde3f996cb6fb5544314e68f1a947063f75
  SHA512: 0a97aa3ccd1b31964ad95267a9128f3c949d30e5a7d4690bc88c5a46ec66fb41dbdb367927d7050565428abe15c6eb36962fcabb4a0dde84c96c05a2c702183a
- Filesize: 258KB
  MD5: 7c18c5ea3d01ba3f69f25cb118a93d46
  SHA1: d15321882c82bea966e6ba370d611f81c9f4fcea
  SHA256: 5b311eefd8120f48210231bd346197109dd80cf17210bbb083ba0087a9203da0
  SHA512: 7719bfc858c4cacd6e442d983a28bf5477cd1bbbbac22b9dbbb6de7d16fce98a47dc3afdeac456311af4af780ddc17e10dc6c1cd9128a6ac80a628190ce2d4d0
- Filesize: 340KB
  MD5: cf4fbbd5a2c9d18eb213c9235fca5488
  SHA1: 3b6c02caf775dcedf1b9cdf2586d5bf6871b5f6b
  SHA256: 1d15597e7aa6e4e46abc33b2f9e689b8a812d0365e28faaa653c2fbb84c2d5b4
  SHA512: fa626bd7cabec3c486288b01da738d6c30fc40d6aa200498fa09f3e1e8fceb45edfb8465bb036c336614641fdcc3e59806a01c89003fde29e2549dd7fce8fff5