Analysis
- max time kernel: 178s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 20:13
Static task: static1
Behavioral task: behavioral1
- Sample: e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
- Resource: win10v2004-20230220-en
The signatures, process tree and dropped files below are from behavioral2, the Windows 10 run (the memory-dump YARA hit is recorded under behavioral2/ and the platform above is windows10-2004_x64).
General
- Target: e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
- Size: 694KB
- MD5: 323bf2284b64ea6435a12f51e09d57ea
- SHA1: 944ffac2f8a682ea209d3d4f48e6a7379cf36fc9
- SHA256: e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38
- SHA512: f08b599e19aabc4f6c47f6e860866b36136ce4a4bab291a178794b52ef36bd2c384d34073a8b6dcfbba1b4a660ecec129b505d992384d79bab78e80d8a4127b5
- SSDEEP: 12288:Uy90diNrF0XOt6eRlanHwpFT4WcIePBy+DPuWA6Fl18byKrA+FB1:Uy5NrFccjCHoFRcIeJk6Fl18byUf
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4252-989-0x0000000009C60000-0x000000000A278000-memory.dmp
  yara_rule: redline_stealer
  PID 4252 is rk790284.exe (see "Executes dropped EXE" and the process tree), so the RedLine payload is the last-stage dropped executable, detected in its unpacked memory rather than on disk.
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 04247859.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 04247859.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 04247859.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 04247859.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 04247859.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 04247859.exe
  HKLM\SOFTWARE\Policies is one of the keys WOW64 shares between the 32-bit and 64-bit registry views, so even though the 32-bit process wrote through the WOW6432Node path, these policy values land in the key the Defender engine reads. Tamper Protection, where enabled, is designed to resist exactly these real-time protection changes, so on a hardened host they should be treated as an attempt, not a confirmed outcome.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
- Executes dropped EXE (3 IoCs)
  pid | Process
  544 | un354758.exe
  4908 | 04247859.exe
  4252 | rk790284.exe
- Windows security modification (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 04247859.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 04247859.exe
  Unlike Policies, Microsoft\Windows Defender\Features is not a WOW64-shared key: this 32-bit write stays in the WOW6432Node view and never reaches the 64-bit key Defender uses, and Tamper Protection exists specifically to block changes to this value. The attempt is still a strong detection signal; the effect on a real host is nil.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un354758.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un354758.exe
  The signature name overstates this. wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are the standard self-cleanup written by the IExpress (wextract) self-extractor: at next logon they delete the IXP00N.TMP extraction directory, not start the malware. What they do tell you is that the sample is an IExpress package (IXP000.TMP) whose payload un354758.exe is itself another IExpress package (IXP001.TMP). No persistence for the RedLine payload is recorded in this run.
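The registry rows above are what an analyst usually wants to mechanically separate: Defender policy writes that matter, a TamperProtection write that lands in the wrong registry view, and IExpress cleanup entries that look like persistence but are not. The following parser is an added example, not tria.ge code; it consumes the report's own IoC lines, normalizes the \REGISTRY\MACHINE\...\WOW6432Node paths (treating only SOFTWARE\Policies as a WOW64-shared key, an assumption taken from Microsoft's documented shared-key list), and labels each row. Function and category names are mine.

```python
"""Added example (not tria.ge output): parse the registry IoC lines printed in
this report and separate real Defender tampering from IExpress self-cleanup.
SAMPLE below is the report's own rows, joined with newlines."""
import re
from dataclasses import dataclass
from typing import Optional

# Row formats seen in the report: 'Set value (<type>) <key>\<name> = "<data>" <process>'
# and 'Key created <key> <process>'. The data field may contain escaped quotes.
SET_VALUE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"

# Assumption taken from Microsoft's WOW64 shared-keys list: HKLM\SOFTWARE\Policies is
# the same key in both registry views, so a 32-bit writer using the WOW6432Node path
# reaches the key the 64-bit Defender engine reads. Everything else under
# SOFTWARE\WOW6432Node is treated as redirected (visible to 32-bit code only).
SHARED_UNDER_SOFTWARE = {"POLICIES"}


@dataclass
class RegEvent:
    op: str                 # "set" or "create"
    path: str               # key path in HKLM\ form, WOW6432Node dropped when shared
    name: Optional[str]     # value name for "set", None for "create"
    data: Optional[str]
    process: str
    redirected: bool        # True when the write stayed in the 32-bit view
    category: str = "other"
    note: str = ""


def normalize_key(raw: str):
    """Rewrite \\REGISTRY\\MACHINE\\ as HKLM\\ and resolve WOW6432Node for shared keys."""
    path = "HKLM\\" + raw[len(MACHINE_PREFIX):] if raw.upper().startswith(MACHINE_PREFIX.upper()) else raw
    m = re.match(r"^(HKLM\\SOFTWARE)\\WOW6432Node\\(.*)$", path, flags=re.I)
    if not m:
        return path, False
    rest = m.group(2)
    if rest.split("\\", 1)[0].upper() in SHARED_UNDER_SOFTWARE:
        return m.group(1) + "\\" + rest, False   # WOW6432Node\Policies is a link to the 64-bit key
    return path, True


def parse_line(line: str) -> Optional[RegEvent]:
    line = line.strip()
    m = SET_VALUE_RE.match(line)
    if m:
        parent, _, name = m.group("path").rpartition("\\")
        path, redirected = normalize_key(parent)
        return RegEvent("set", path, name, m.group("data"), m.group("proc"), redirected)
    m = KEY_CREATED_RE.match(line)
    if m:
        path, redirected = normalize_key(m.group("path"))
        return RegEvent("create", path, None, None, m.group("proc"), redirected)
    return None


def classify(ev: RegEvent) -> RegEvent:
    key = ev.path.upper()
    if ev.op == "create":
        ev.category = "key_created"
    elif key.endswith("\\WINDOWS DEFENDER\\REAL-TIME PROTECTION") and ev.name.startswith("Disable") and ev.data == "1":
        ev.category = "defender_rtp_disabled"
        ev.note = ev.name[len("Disable"):] + (" off via policy" if "\\POLICIES\\" in key else " off")
    elif key.endswith("\\WINDOWS DEFENDER\\FEATURES") and ev.name == "TamperProtection":
        ev.category = "tamper_protection_write"
        ev.note = "32-bit view only, never reaches Defender's key" if ev.redirected else "64-bit key"
    elif key.endswith(("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")):
        if ev.name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in ev.data:
            d = re.search(r"IXP\d{3}\.TMP", ev.data)
            ev.category = "iexpress_cleanup"
            ev.note = "IExpress SFX deleting " + (d.group(0) if d else "its temp dir") + " at next logon, not persistence"
        else:
            ev.category = "autorun_persistence"
    return ev


def triage(text: str):
    """Return (events, {category: [value name or key path, ...]}) for the given report rows."""
    events = [classify(ev) for ev in map(parse_line, text.splitlines()) if ev is not None]
    summary = {}
    for ev in events:
        summary.setdefault(ev.category, []).append(ev.name or ev.path)
    return events, summary


# Rows copied from the report above (constructed input for this example).
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 04247859.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 04247859.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 04247859.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 04247859.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un354758.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un354758.exe
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE)[0]:
        print(f"{ev.category:24} {ev.process:14} {ev.name or ev.path}  {ev.note}")
```

Run against the six rows, the two Real-Time Protection values come back as defender_rtp_disabled with the path already rewritten to HKLM\SOFTWARE\Policies\..., the TamperProtection write is flagged as redirected, and the wextract_cleanup1 entry is classified as iexpress_cleanup rather than autorun_persistence. Extend SHARED_UNDER_SOFTWARE only with keys you have checked against Microsoft's list; mis-marking a redirected key as shared is how a harmless 32-bit write gets reported as a live policy change.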
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2124 | 4908 | WerFault.exe | 80
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4908 | 04247859.exe
  4908 | 04247859.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4908 | 04247859.exe
  Token: SeDebugPrivilege | 4252 | rk790284.exe
- Suspicious use of WriteProcessMemory (9 IoCs, three writes per child-process creation)
  description | pid | Process | procid_target
  PID 4208 wrote to memory of 544 (x3) | 4208 | e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe | 79
  PID 544 wrote to memory of 4908 (x3) | 544 | un354758.exe | 80
  PID 544 wrote to memory of 4252 (x3) | 544 | un354758.exe | 85
Processes
The chain reads as a two-level IExpress package: the submitted file extracts to IXP000.TMP and runs un354758.exe, which is itself an IExpress package that extracts to IXP001.TMP and runs the Defender-tampering component 04247859.exe (which crashes and is handled by WerFault) followed by the RedLine payload rk790284.exe. Both WerFault instances run from SysWOW64, so the whole chain is 32-bit code on the x64 guest, which is why every registry path above goes through WOW6432Node.
- C:\Users\Admin\AppData\Local\Temp\e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe (PID 4208, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe (PID 544, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe (PID 4908, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2124, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1100
        signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe (PID 4252, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 512, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4908 -ip 4908
Network
Downloads
- Filesize: 540KB
  MD5: a627f1e8e57fcb834b80cb818ee3008a
  SHA1: 7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db
  SHA256: 67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1
  SHA512: 77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2
- Filesize: 258KB
  MD5: 1940d4e23854773dbee39b5035f61ee8
  SHA1: 4282c5693d94af778957d248b9b82d8d04aa5562
  SHA256: 650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80
  SHA512: f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644
- Filesize: 340KB
  MD5: 9bca28fffc025863f67bd84429986c45
  SHA1: caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7
  SHA256: 52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc
  SHA512: f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1