Analysis
  max time kernel: 145s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06/05/2023, 21:38
Static task
  static1

Behavioral task
  behavioral1
    Sample: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
    Resource: win7-20230220-en

Behavioral task
  behavioral2
    Sample: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
    Resource: win10v2004-20230220-en
General
  Target: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
  Size: 1.5MB
  MD5: 83f88944f53ffb95730512cc5807b178
  SHA1: c06b03f02a8827688ab4c0d568a8fa15a24ad456
  SHA256: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d
  SHA512: 1c631d254cea6adb1f859df89e5334adc4563fc1ecdff84417884cc45bba5a6f9e13aacbae053ac6ca9c2a987d9cf948f1ec0ed73f14df4eae97a435fb79a6ba
  SSDEEP: 24576:EyU0fZjCxu/Jrug01HTJ7QYDtRK7DPkbjfV0xO3Ov+LP2evzWavPGCEzJIL/D6B:TU7Y/01HNBKUfV0xAOv+b5x6Ir
Malware Config
Extracted
  Family: redline
  Botnet: maxi
  C2: 217.196.96.56:4138
  Attributes
    auth_value: 6e90da232d4c2e35c1a36c250f5f8904
Signatures

Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/2296-212-0x000000000A8B0000-0x000000000AEC8000-memory.dmp | redline_stealer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1693777.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1693777.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1693777.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1693777.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a1693777.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1693777.exe

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
  pid | Process
  3068 | v8198418.exe
  4840 | v9233574.exe
  4352 | v7560470.exe
  1748 | v9130807.exe
  1424 | a1693777.exe
  2296 | b6970603.exe

Windows security modification (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a1693777.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1693777.exe
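The registry writes above (five Real-Time Protection Disable* values set to 1, then Features\TamperProtection set to 0, all by a1693777.exe) are the host-side evidence of Defender tampering. The following is an added detection example, not Triage's code: it runs over registry value-set events shaped like a parsed Sysmon Event ID 13 record (the field names pid, image, target and data are this example's own assumption) and uses the value names from the tables. Because the 32-bit sample's writes to HKLM\SOFTWARE were redirected into the WOW6432Node view, which is why the report shows that path, the check strips the WOW6432Node component so the same rule also matches the native 64-bit path. The event list is constructed from this report's IoCs plus one benign control.

```python
"""Detect the Windows Defender registry tampering recorded in this report.

Added example; not Triage's code. Events are dicts shaped like a parsed
Sysmon Event ID 13 (RegistryEvent value set) record; the field names
pid, image, target and data are this example's assumption.
"""
import re

# Key suffixes and value names taken from the report's IoC tables.
REALTIME_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}

_NT_HIVE = "\\REGISTRY\\MACHINE\\"
_WOW_RE = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)


def normalize(target):
    """Map an NT-style path to HKLM\\... and drop the WOW6432Node view.

    The 32-bit sample's writes to HKLM\\SOFTWARE were redirected into
    WOW6432Node (the path the report shows); a check keyed only on the
    native path would miss exactly this activity.
    """
    if target.upper().startswith(_NT_HIVE):
        target = "HKLM\\" + target[len(_NT_HIVE):]
    return _WOW_RE.sub("", target)


def find_defender_tampering(events):
    """Return one finding per event that weakens Defender.

    A Disable* value under the Real-Time Protection policy key set to a
    non-zero DWORD, or Features\\TamperProtection set to 0, is a hit.
    Resetting a Disable* value to 0 is not.
    """
    findings = []
    for ev in events:
        key, _, name = normalize(ev["target"]).rpartition("\\")
        key_u, data = key.upper(), int(ev["data"])
        reason = None
        if key_u.endswith(REALTIME_POLICY_KEY.upper()) and name in RTP_DISABLE_VALUES and data != 0:
            reason = f"real-time protection weakened: {name}={data}"
        elif key_u.endswith(FEATURES_KEY.upper()) and name == "TamperProtection" and data == 0:
            reason = "tamper protection switched off"
        if reason:
            findings.append({"pid": ev["pid"], "image": ev["image"], "reason": reason})
    return findings


# Constructed from the report: the six value writes by a1693777.exe (pid 1424),
# plus one constructed benign control that re-enables a setting via the native view.
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"pid": 1424, "image": "a1693777.exe", "target": _RTP + r"\DisableIOAVProtection", "data": 1},
    {"pid": 1424, "image": "a1693777.exe", "target": _RTP + r"\DisableOnAccessProtection", "data": 1},
    {"pid": 1424, "image": "a1693777.exe", "target": _RTP + r"\DisableRealtimeMonitoring", "data": 1},
    {"pid": 1424, "image": "a1693777.exe", "target": _RTP + r"\DisableScanOnRealtimeEnable", "data": 1},
    {"pid": 1424, "image": "a1693777.exe", "target": _RTP + r"\DisableBehaviorMonitoring", "data": 1},
    {"pid": 1424, "image": "a1693777.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "data": 0},
    {"pid": 900, "image": "svchost.exe",  # constructed benign control, not from the report
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "data": 0},
]

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: {f['reason']}")
```

On a live host, the same rule applies to the output of `Get-ItemProperty` on both the native and the WOW6432Node policy keys; a Disable* value that is present at all under Policies is worth a look, since Defender treats the policy value as authoritative over the user-facing setting.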
Adds Run key to start application (2 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8198418.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8198418.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9233574.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v9233574.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7560470.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9130807.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v7560470.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v9130807.exe

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1572 | 1424 | WerFault.exe | 88

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1424 | a1693777.exe
  1424 | a1693777.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1424 | a1693777.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 4176 wrote to memory of 3068 | 4176 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 84
  PID 4176 wrote to memory of 3068 | 4176 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 84
  PID 4176 wrote to memory of 3068 | 4176 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 84
  PID 3068 wrote to memory of 4840 | 3068 | v8198418.exe | 85
  PID 3068 wrote to memory of 4840 | 3068 | v8198418.exe | 85
  PID 3068 wrote to memory of 4840 | 3068 | v8198418.exe | 85
  PID 4840 wrote to memory of 4352 | 4840 | v9233574.exe | 86
  PID 4840 wrote to memory of 4352 | 4840 | v9233574.exe | 86
  PID 4840 wrote to memory of 4352 | 4840 | v9233574.exe | 86
  PID 4352 wrote to memory of 1748 | 4352 | v7560470.exe | 87
  PID 4352 wrote to memory of 1748 | 4352 | v7560470.exe | 87
  PID 4352 wrote to memory of 1748 | 4352 | v7560470.exe | 87
  PID 1748 wrote to memory of 1424 | 1748 | v9130807.exe | 88
  PID 1748 wrote to memory of 1424 | 1748 | v9130807.exe | 88
  PID 1748 wrote to memory of 1424 | 1748 | v9130807.exe | 88
  PID 1748 wrote to memory of 2296 | 1748 | v9130807.exe | 92
  PID 1748 wrote to memory of 2296 | 1748 | v9130807.exe | 92
  PID 1748 wrote to memory of 2296 | 1748 | v9130807.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe"
  PID: 4176
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe
    PID: 3068
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe
      PID: 4840
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe
        PID: 4352
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe
          PID: 1748
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe
            PID: 1424
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1092
              PID: 1572
              - Program crash

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe
            PID: 2296
            - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1424 -ip 1424
  PID: 1120
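The five RunOnce values in the "Adds Run key" table are wextract_cleanupN entries: each layer of an IExpress/wextract.exe self-extractor unpacks into %TEMP%\IXPnnn.TMP and registers rundll32 advpack.dll,DelNodeRunDLL32 to delete that directory at the next logon. They are the extractor's housekeeping rather than persistence of the payload, but they do mean the dropped EXEs disappear after a reboot, and the count of IXP directories (IXP000 through IXP004) is the number of nested extractor layers in the chain above. The added example below (not Triage's code) separates such cleanup entries from genuine autostarts and rebuilds the spawn chain from the "wrote to memory" rows. The RunOnce data and spawn rows are copied from this report (the first spawn is kept with its duplicate rows to show the de-duplication, the rest once); the "Updater" entry is a constructed contrast case the sample did not create; the DROPPED map comes from the "Executes dropped EXE" table.

```python
"""Separate self-extractor cleanup from real persistence, and rebuild the
spawn chain, from the IoCs on this page.

Added example, not Triage's code. RUNONCE_VALUES and SPAWN_ROWS are copied
from the report's tables; the "Updater" entry is a constructed contrast
case that the sample did not create.
"""
import re

_CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\%s\"'
RUNONCE_VALUES = {
    "wextract_cleanup0": _CLEANUP % "IXP000.TMP",
    "wextract_cleanup1": _CLEANUP % "IXP001.TMP",
    "wextract_cleanup2": _CLEANUP % "IXP002.TMP",
    "wextract_cleanup3": _CLEANUP % "IXP003.TMP",
    "wextract_cleanup4": _CLEANUP % "IXP004.TMP",
    # Constructed contrast case: a genuine autostart of a dropped payload.
    "Updater": r'"C:\Users\Admin\AppData\Roaming\svc\updater.exe"',
}

# Rows as the report prints them; the report repeats each spawn three times.
SPAWN_ROWS = """\
PID 4176 wrote to memory of 3068 4176 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe 84
PID 4176 wrote to memory of 3068 4176 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe 84
PID 4176 wrote to memory of 3068 4176 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe 84
PID 3068 wrote to memory of 4840 3068 v8198418.exe 85
PID 4840 wrote to memory of 4352 4840 v9233574.exe 86
PID 4352 wrote to memory of 1748 4352 v7560470.exe 87
PID 1748 wrote to memory of 1424 1748 v9130807.exe 88
PID 1748 wrote to memory of 2296 1748 v9130807.exe 92
"""
# pid -> image from the "Executes dropped EXE" table (leaves never appear as parents).
DROPPED = {3068: "v8198418.exe", 4840: "v9233574.exe", 4352: "v7560470.exe",
           1748: "v9130807.exe", 1424: "a1693777.exe", 2296: "b6970603.exe"}

_WEXTRACT_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*\\IXP\d{3}\.TMP)\\?"\s*$',
    re.IGNORECASE)
_SPAWN_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def classify_runonce(name, data):
    """'wextract-cleanup' for the temp-dir delete every wextract layer
    registers (returns the directory it will wipe); 'autostart' otherwise."""
    m = _WEXTRACT_RE.match(data)
    if m and name.lower().startswith("wextract_cleanup"):
        return "wextract-cleanup", m.group("dir")
    return "autostart", data


def sfx_temp_dirs(runonce):
    """Directories DelNodeRunDLL32 removes at next logon: collect the dropped
    EXEs from them before the host is rebooted."""
    dirs = []
    for name, data in runonce.items():
        kind, target = classify_runonce(name, data)
        if kind == "wextract-cleanup":
            dirs.append(target)
    return sorted(dirs)


def real_autostarts(runonce):
    """RunOnce entries that are not extractor cleanup and so may be persistence."""
    return {n: v for n, v in runonce.items() if classify_runonce(n, v)[0] == "autostart"}


def spawn_chains(rows, images):
    """Root-to-leaf (pid, image) chains; duplicate rows collapse to one edge."""
    children, names = {}, dict(images)
    for row in rows.splitlines():
        m = _SPAWN_RE.match(row)
        if not m:
            continue
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names.setdefault(parent, image)
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    all_children = {c for kids in children.values() for c in kids}
    chains = []

    def walk(pid, path):
        path = path + [(pid, names.get(pid, "?"))]
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
        for c in kids:
            walk(c, path)

    for root in (p for p in children if p not in all_children):
        walk(root, [])
    return chains


if __name__ == "__main__":
    print("cleanup dirs:", sfx_temp_dirs(RUNONCE_VALUES))
    print("autostarts:", real_autostarts(RUNONCE_VALUES))
    for chain in spawn_chains(SPAWN_ROWS, DROPPED):
        print(" -> ".join(f"{img}({pid})" for pid, img in chain))
```

The two chains end in a1693777.exe (the Defender tamperer, which then crashes under WerFault) and b6970603.exe (the process whose memory region matched the redline_stealer YARA rule), both launched by the innermost extractor v9130807.exe.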
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 1.3MB
  MD5: cf2a9aec502b51eb0ec7b67af93edd02
  SHA1: 8625ef4c4bed8d41ddb7b9a9d7da9c9e403783be
  SHA256: b9590f62fca81715e6a15718d218231f1744a9bb3fb5362488491c89d4cedf59
  SHA512: c60fbafb3b0ef76679ebcccc85d57d1a4aac6dc511277340e3ff19222393bb9adcb34161c1bc610b297e28f9a6801c924985d3f27eeeec42fa17a68ce7a766b5

  Filesize: 846KB
  MD5: 8a291cbebbbce5b33fd6780d08e1d0e3
  SHA1: 3dd00b1eba8f64b52a9c95a19c946b1c09cb752c
  SHA256: 68728a5f0060f9576ce2f0c0eb736aa70738b27f26b889b7f8882ae8a2d35eb8
  SHA512: d5e2b73c44f57523761ae2fd5f63242d04d7bcc19c5da3b109afe5c2608fafd172f1b22dfb1048cf2fa91eca390f7a635ebc229b01f776f05e8afc6d830ce34a

  Filesize: 642KB
  MD5: 0a2e60d3355b86bb63d3d145f92db5f1
  SHA1: f403e0ccd869c075c8a90dfa815b3b2e34aae9e4
  SHA256: c55143207f57392395ae1baab1a70ecea5d513bf997aa0e535ac3b3cc3a98495
  SHA512: 3246b61f7fda07ea27eb75192eee518bfbceb765a1e1a4149df7a9bfbda92f7c47ef38c13c6a7149f81c5f79cd812d94e0b5183daf03830bfd6ed6f1922e72bd

  Filesize: 384KB
  MD5: 4054193c90f257e51b7828d3ab9b3d07
  SHA1: e8293bcda8110a48213ff76449e4ac2532aca984
  SHA256: e2f6d69846767435cc96c26256c03f66d252ee981c3929cbbfab524ff011c958
  SHA512: 20ccb9a3dbe2940c1659804728115f86e983d70c36bac44f850b2008a0b8cc7ea926a4c6cd95797399283d6562e6c2ab98078ddff94c3e3b863bc4906c97612d

  Filesize: 286KB
  MD5: 7fad45faee013485b07dbe2df48b77e5
  SHA1: 0f4748c48d0820dbccd6bcd121bde9e22a7e789f
  SHA256: ae544dae0f33caf5b3cfc192accf273d26c3feb63dedd8a950ca15c4865b40ae
  SHA512: 446e657fbc5843769556b675502ac709b16a0ad9e63329165886bacb30654c134f8fcb7cbf7e64062c229cfee54a24f196c4fb3b340de3117eb0564e3d15b241

  Filesize: 169KB
  MD5: d33dca7ad0594bebe4b3461b4e0ba79c
  SHA1: ad1700a0b1ed0f3d99771ee3edd24916afccb652
  SHA256: f584e87f5032bcf37178f220c94d5dac86959afabf39a4c5d2fcf1a97bd2252b
  SHA512: 54cbdfcd5be451bc9fb2baf505a8ea5e26abc7c928bd5a778f6ac5340e4dea537414191ef546b303bb2e2e0cfdcb288d64377b2c573e44d7c74fb5a4506016dc