Analysis
- max time kernel: 212s
- max time network: 221s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 22:17
Static task: static1
Behavioral task: behavioral1
- Sample: 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
- Resource: win10v2004-20230220-en
General
- Target: 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
- Size: 599KB
- MD5: 9fcf210a9e62502d2332c6cf658b50d5
- SHA1: 91ed85654df42d0f41c02cc344bac9f11c858f34
- SHA256: 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9
- SHA512: ebbb43549280464616956cfa60d1755deeaf0918c46f1023f7c8c0105b1362b267b9190cb49eabadf9f04618d14d8a21cdb2810ffedbadfb33ecdf916146774c
- SSDEEP: 12288:sMrSy90mYT6rZjgyo7HoX1Id3CWyEh62U2+6cWCLxCs88Zpg2FaUOZ/t:OymTmJyHgasPv2RwK2bO7
Malware Config
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3476-148-0x0000000008280000-0x0000000008898000-memory.dmp | redline_stealer
The matching memory dump belongs to PID 3476, which in the process tree is k9594817.exe, the last stage of the chain; the YARA hit is on unpacked memory, not on the 599KB file on disk.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (2 IoCs)
pid | Process
3028 | y4520007.exe
3476 | k9594817.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y4520007.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y4520007.exe
Caveat: a RunOnce value named wextract_cleanupN that points advpack.dll,DelNodeRunDLL32 at an IXP00N.TMP folder under %TEMP% is what the Windows IExpress self-extractor (wextract) writes so the extraction folder is deleted at next logon. It is not persistence for the payload; it tells you the sample is an IExpress package, and here it is one IExpress package (IXP001.TMP) nested inside another (IXP000.TMP). The RunOnce entries are written under WOW6432Node because both droppers are 32-bit processes on the x64 guest (resource tags list arch:x86 alongside arch:x64).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4488 wrote to memory of 3028 | 4488 | 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe | 81
PID 4488 wrote to memory of 3028 | 4488 | 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe | 81
PID 4488 wrote to memory of 3028 | 4488 | 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe | 81
PID 3028 wrote to memory of 3476 | 3028 | y4520007.exe | 82
PID 3028 wrote to memory of 3476 | 3028 | y4520007.exe | 82
PID 3028 wrote to memory of 3476 | 3028 | y4520007.exe | 82
Each parent/child pair is reported three times; the six rows describe only two distinct parent-to-child writes, matching the two process spawns in the tree below.
Processes
1. C:\Users\Admin\AppData\Local\Temp\65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe (PID 4488)
   command line: "C:\Users\Admin\AppData\Local\Temp\65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe (PID 3028), child of PID 4488
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe (PID 3476), child of PID 3028
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe
         - Executes dropped EXE
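The process tree and the registry rows above can be correlated mechanically rather than by eye. The following Python is an added example, not tria.ge's code: the input rows are transcribed from this report's IoC tables as constructed sample data, and the function names, the IXP-directory heuristic and the root-PID argument are the example's own assumptions. It dedupes the repeated WriteProcessMemory rows into parent/child edges, walks each root-to-leaf lineage, flags a lineage in which two or more stages run from %TEMP%\IXP###.TMP folders (one IExpress package inside another), and checks that each such folder is the one named by a wextract_cleanup RunOnce value. The same parser works on any report that renders these two tables in this layout, not only on this sample.

```python
"""Correlate Triage-style process and registry IoCs to spot nested IExpress
(wextract) dropper chains.  Added example, not tria.ge code.  All input rows
below are constructed by transcribing this report's IoC tables."""
import re
from collections import defaultdict

SAMPLE = "65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe"

# "Suspicious use of WriteProcessMemory" rows, repeated exactly as the report lists them.
WRITE_LINES = [
    f"PID 4488 wrote to memory of 3028 4488 {SAMPLE} 81",
    f"PID 4488 wrote to memory of 3028 4488 {SAMPLE} 81",
    f"PID 4488 wrote to memory of 3028 4488 {SAMPLE} 81",
    "PID 3028 wrote to memory of 3476 3028 y4520007.exe 82",
    "PID 3028 wrote to memory of 3476 3028 y4520007.exe 82",
    "PID 3028 wrote to memory of 3476 3028 y4520007.exe 82",
]

# PID -> image path, from the Processes tree.
PROCESSES = {
    4488: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    3028: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe",
    3476: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe",
}

# "Adds Run key" Set value rows, with the backslash/quote escaping the report renders.
RUNONCE_LINES = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# IExpress extraction folder: %TEMP%\IXP<3 digits>.TMP\  (heuristic assumed by this example)
IXP_RE = re.compile(r"\\AppData\\Local\\Temp\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)
# wextract's cleanup value: RunOnce\wextract_cleanupN = "rundll32.exe ...advpack.dll,DelNodeRunDLL32 \"<dir>\""
RUNONCE_RE = re.compile(
    r'RunOnce\\(wextract_cleanup\d+) = "rundll32\.exe .*?advpack\.dll,DelNodeRunDLL32 \\"(.+?)\\""'
)


def parse_edges(lines):
    """Collapse the triplicated WriteProcessMemory rows into unique (parent, child) edges."""
    edges = {}
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] = m.group(3)  # value = parent image name
    return edges


def lineages(edges, root):
    """All root-to-leaf PID paths reachable from `root` over the parent->child edges."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    paths, stack = [], [[root]]
    while stack:
        path = stack.pop()
        kids = children.get(path[-1], [])
        if not kids:
            paths.append(path)
        for kid in kids:
            stack.append(path + [kid])
    return paths


def ixp_stage(path):
    """Return the IXP###.TMP folder name if `path` lives in an IExpress extraction dir."""
    m = IXP_RE.search(path)
    return m.group(1).upper() if m else None


def cleanup_dirs(reg_lines):
    """Map each wextract_cleanupN value to the folder it will delete (unescaped)."""
    out = {}
    for line in reg_lines:
        m = RUNONCE_RE.search(line)
        if m:
            out[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return out


def analyze(write_lines, processes, reg_lines, root):
    """One finding per lineage: its PIDs, the IXP stages in it, and which of those
    stages a wextract cleanup entry confirms as an IExpress extraction folder."""
    edges = parse_edges(write_lines)
    confirmed = {ixp_stage(d) for d in cleanup_dirs(reg_lines).values()}
    findings = []
    for path in lineages(set(edges), root):
        stages = [s for s in (ixp_stage(processes.get(pid, "")) for pid in path) if s]
        findings.append({
            "chain": path,
            "ixp_stages": stages,
            "nested_iexpress": len(stages) >= 2,
            "cleanup_matched": [s for s in stages if s in confirmed],
        })
    return findings


if __name__ == "__main__":
    for f in analyze(WRITE_LINES, PROCESSES, RUNONCE_LINES, root=4488):
        print(f)
```

Feeding it a real report means pasting the two tables in as lists of rows; the root PID is the one the report shows at depth 1. A lineage with `nested_iexpress` true and every stage in `cleanup_matched` is the double-packed IExpress pattern seen here, which is worth a hunt on its own regardless of what the final stage turns out to be.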
Network
MITRE ATT&CK Enterprise v6
Downloads
Two dropped files, each listed twice in the original report:

File 1
- Filesize: 307KB
- MD5: e4d1ae8baed68e4158c2a0e0271241ae
- SHA1: ab5d03a6d558323053b181e2934d841e594f9080
- SHA256: b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb
- SHA512: 7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

File 2
- Filesize: 137KB
- MD5: 3c86b66f6b7eb077a276399f63928dfb
- SHA1: df370706189600c6e338fc5801dfa3e9dbe24ed4
- SHA256: 40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367
- SHA512: 5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805