Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 21:35
Static task: static1
Behavioral task: behavioral1
- Sample: 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
- Resource: win10v2004-20230220-en
General
- Target: 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
- Size: 480KB
- MD5: aa4d92d7e29127412ab7b815c9e188d5
- SHA1: 5c85d479e8fa55843246b294eb4133b28645b8f8
- SHA256: 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42
- SHA512: a203fa76fad8291b056bad6a8d3b2cdf8995d339e570a5eeb4865b167975a83a73e8fa09ecdf5bf1e1513f7d3be6a1c2dc54115328ee694750b1a8cfb9513958
- SSDEEP: 12288:CMr5y90gX2BLOJxHnV64GvdrtYTq9pGtfGCiy+Nl+B:TyLeODnlEdh7u3iuB
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/396-187-0x0000000007C40000-0x0000000008258000-memory.dmp | redline_stealer
- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a8253627.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a8253627.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a8253627.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a8253627.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a8253627.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a8253627.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid | Process
  1688 | v4829590.exe
  4596 | a8253627.exe
  396 | b0246952.exe
- Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a8253627.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a8253627.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v4829590.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4829590.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4596 | a8253627.exe
  4596 | a8253627.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4596 | a8253627.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4180 wrote to memory of 1688 | 4180 | 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe | 84
  PID 4180 wrote to memory of 1688 | 4180 | 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe | 84
  PID 4180 wrote to memory of 1688 | 4180 | 4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe | 84
  PID 1688 wrote to memory of 4596 | 1688 | v4829590.exe | 85
  PID 1688 wrote to memory of 4596 | 1688 | v4829590.exe | 85
  PID 1688 wrote to memory of 4596 | 1688 | v4829590.exe | 85
  PID 1688 wrote to memory of 396 | 1688 | v4829590.exe | 87
  PID 1688 wrote to memory of 396 | 1688 | v4829590.exe | 87
  PID 1688 wrote to memory of 396 | 1688 | v4829590.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe"
  PID: 4180
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
    PID: 1688
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
      PID: 4596
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
      PID: 396
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 308KB
  MD5: 08dbcc9196cde1876eb96e92e9573fee
  SHA1: 8e271b455722fef13e63b2b24e8ef8d5fc2edd92
  SHA256: f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605
  SHA512: 7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963
- Filesize: 176KB
  MD5: 767489e8edf5f9f601cee1211e4914be
  SHA1: 5cf597ac8311b8e2e8c5137a929f73e960297cfa
  SHA256: 3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8
  SHA512: 46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6
- Filesize: 136KB
  MD5: 7dfc4202db1c9a6ea03e10c58eadd6df
  SHA1: 62a1aedd2daf734e121222129a190d40b4dbb2b3
  SHA256: d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6
  SHA512: daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8