Analysis
- max time kernel: 240s
- max time network: 294s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 19:54
Static task: static1
Behavioral task: behavioral1
- Sample: d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe
- Resource: win10v2004-20230221-en
General
- Target: d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe
- Size: 707KB
- MD5: 7942df7c711f153b096e16f2b5358552
- SHA1: 04d08b5ac2b32e95a0667e07e92714e1f1801d80
- SHA256: d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5
- SHA512: 3766c0b59c99941c8630addec60f87087dd80cdccc0c5eef0ff7f05256aa51e7c815ab4ff46033bd81741251872afa7a97a835ba485934fa83d5fcea58f79010
- SSDEEP: 12288:3Mr/y90CR9ShuaUzHMpye91c/pYhy0cBOvMccLoZY/AQKMGDg5x2PX2qGWp:8yfR9ShTCsj91YyhyZE6oqoF5MOv2qd
Malware Config
Signatures
- Detects Redline Stealer samples (3 IoCs)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource / yara_rule:
  - behavioral2/memory/3492-148-0x0000000007A90000-0x00000000080A8000-memory.dmp: redline_stealer
  - behavioral2/memory/3492-154-0x0000000008170000-0x00000000081D6000-memory.dmp: redline_stealer
  - behavioral2/memory/3492-159-0x0000000008F40000-0x0000000009102000-memory.dmp: redline_stealer
- Modifies Windows Defender Real-time Protection settings
  description / ioc / Process:
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (h8572679.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (h8572679.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (h8572679.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (h8572679.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (h8572679.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (h8572679.exe)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 644: x4091549.exe
  - 3492: g0235717.exe
  - 5016: h8572679.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (h8572679.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (h8572679.exe)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (x4091549.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x4091549.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process:
  - 3492: g0235717.exe
  - 3492: g0235717.exe
  - 5016: h8572679.exe
  - 5016: h8572679.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 3492, g0235717.exe
  - Token: SeDebugPrivilege, 5016, h8572679.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 380 wrote to memory of 644: 380, d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe, 80
  - PID 380 wrote to memory of 644: 380, d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe, 80
  - PID 380 wrote to memory of 644: 380, d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe, 80
  - PID 644 wrote to memory of 3492: 644, x4091549.exe, 81
  - PID 644 wrote to memory of 3492: 644, x4091549.exe, 81
  - PID 644 wrote to memory of 3492: 644, x4091549.exe, 81
  - PID 644 wrote to memory of 5016: 644, x4091549.exe, 87
  - PID 644 wrote to memory of 5016: 644, x4091549.exe, 87
  - PID 644 wrote to memory of 5016: 644, x4091549.exe, 87
Processes
- C:\Users\Admin\AppData\Local\Temp\d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe (PID 380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4091549.exe (PID 644)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4091549.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0235717.exe (PID 3492)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0235717.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8572679.exe (PID 5016)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8572679.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 5064)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5016 -ip 5016
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 416KB
  MD5: 5d3f96f0be9f0535fee85d9679ee00ca
  SHA1: ff72cc355106ff01129d8b265e93d6f8b4245df3
  SHA256: 349e0a96f6a8615e2d258175f5addd2f17d1ea96a1d87168377f1ed2c0a2398c
  SHA512: 26aad1edd88c1879bdf888d4879bfce3979d000456916fdd5715f8f3925c5635562cc8c4d77a725b08dc5b656cf5333ddc80cb3e89ab2dc3eb45384787f59bcf
- Filesize: 136KB
  MD5: 35187463a61673cc4f7689871992ae51
  SHA1: 5a6eaaa11088b32dbd707462d783e179ccedeb2e
  SHA256: 516073795d58dfeb04728f4ccf2edd9acea3c4dd9f054cce3c710abcc29e9f38
  SHA512: 5aca38e17edf859a677f815646e6b9a2dad2777343453addbd3fa741c915d37a374ad294569bb8a885db7e383248da69d42d9af0219f4048325bb88e6719ed15
- Filesize: 360KB
  MD5: 1a76f7446c8b18fb99103eeea8013807
  SHA1: 42dd43ddc7f85fa03c9ed9d592e0a0fad0c88769
  SHA256: 37a94fb471dc4a3c0edbb5cd83f73bc2f07c1acaafe920e130716d7ab6337866
  SHA512: 5aa8898b9a5bbe874c3df6817f4cb12b484a5cb3c5416135c08d317ea6908b091eaf437053b315c137410c122e984fd137d5188186d44a8f1b4ba7b3325f450b