Analysis
max time kernel
259s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
06/05/2023, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
Resource
win10v2004-20230221-en
General
Target
70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
Size
643KB
MD5
c757fbb6177e19ce4f7d043634d888dd
SHA1
16b13ce330435fe2b80fbcd1f4813d29f08b8b6d
SHA256
70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6
SHA512
e64c2feb1e085777ab2b6c0eae350f4cdab21e97f41e8c2fb8ff9e8c4891f86bf1cb4162901fa1693c1dd2c69de903ae02e6beca4f12cd764c2610ac4adc0eb3
SSDEEP
12288:py90chrHstjNIkHHv2LZTrX7jxPV8q3suYkqxE/S+Bc1gJUyb9JWG:pyVHstScHohrBVUurqq/41gxhMG
Malware Config
Signatures
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
- resource: behavioral2/memory/1792-984-0x0000000009C50000-0x000000000A268000-memory.dmp, yara_rule: redline_stealer

Modifies Windows Defender Real-time Protection settings 6 IoCs
- 66841873.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- 66841873.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- 66841873.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- 66841873.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- 66841873.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- 66841873.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 3 IoCs
- PID 872: st180668.exe
- PID 224: 66841873.exe
- PID 1792: kp267984.exe

Windows security modification 2 IoCs
- 66841873.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- 66841873.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 4 IoCs
- 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- st180668.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- st180668.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 224: 66841873.exe
- PID 224: 66841873.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 224: 66841873.exe
- Token: SeDebugPrivilege, PID 1792: kp267984.exe

Suspicious use of WriteProcessMemory 9 IoCs
- PID 4920 wrote to memory of 872 (4920 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe, procid_target 79)
- PID 4920 wrote to memory of 872 (4920 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe, procid_target 79)
- PID 4920 wrote to memory of 872 (4920 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe, procid_target 79)
- PID 872 wrote to memory of 224 (872 st180668.exe, procid_target 80)
- PID 872 wrote to memory of 224 (872 st180668.exe, procid_target 80)
- PID 872 wrote to memory of 224 (872 st180668.exe, procid_target 80)
- PID 872 wrote to memory of 1792 (872 st180668.exe, procid_target 84)
- PID 872 wrote to memory of 1792 (872 st180668.exe, procid_target 84)
- PID 872 wrote to memory of 1792 (872 st180668.exe, procid_target 84)
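The Defender policy writes, the TamperProtection write and the RunOnce entries in the signatures above, run through a small classifier. This is an added example written for this page, not tria.ge's signature logic and not code from the sample. The event tuples are constructed by hand from the IoC tables on this page; normalize_key, classify, summarize and verdicts are names chosen here. The classifier folds the WOW6432Node view into the 64-bit path so a rule matches whichever view a 32-bit or 64-bit process wrote through (the report does not show whether the redirected write reached the key Defender actually reads), and it treats wextract_cleanupN values that call advpack.dll,DelNodeRunDLL32 on an IXP###.TMP directory as the IExpress self-extractor's temp-directory cleanup rather than as persistence, which is what that RunOnce entry is despite the signature name.

```python
import re

# Constructed from this report's IoC tables as (process, key, value name, data); not captured live.
SAMPLE_EVENTS = [
    ("66841873.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableOnAccessProtection", 1),
    ("66841873.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1),
    ("66841873.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableScanOnRealtimeEnable", 1),
    ("66841873.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", 1),
    ("66841873.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableIOAVProtection", 1),
    ("66841873.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features", "TamperProtection", 0),
    ("70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    ("st180668.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
]

# Keys are compared after normalization (HKLM form, no WOW6432Node, lower case).
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"
RTP_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableonaccessprotection",
    "disableioavprotection", "disablescanonrealtimeenable",
}


def normalize_key(path):
    """Map the native \\REGISTRY\\MACHINE\\... form to HKLM\\... and drop the WOW6432Node
    redirection node so one rule matches both the 32-bit and the 64-bit registry view."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    key = re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.IGNORECASE)
    return key.lower()


def classify(process, key, name, data):
    """Return a finding tag for one Set-value event, or None if it is not interesting."""
    k, n, d = normalize_key(key), name.lower(), str(data)
    if k == RTP_KEY and n in RTP_VALUES and d == "1":
        return "defender_rtp_disabled"
    if k == FEATURES_KEY and n == "tamperprotection" and d == "0":
        return "defender_tamper_protection_off"
    if k.endswith(r"\currentversion\runonce") or k.endswith(r"\currentversion\run"):
        # wextract_cleanupN -> rundll32 advpack.dll,DelNodeRunDLL32 "<IXP dir>" is the IExpress
        # stub scheduling deletion of its extraction directory, not a start-up entry.
        if re.fullmatch(r"wextract_cleanup\d+", n) and "advpack.dll,delnoderundll32" in d.lower():
            return "iexpress_cleanup"
        return "autorun_persistence"
    return None


def summarize(events):
    """Group finding tags per process, preserving first-seen process order."""
    findings = {}
    for proc, key, name, data in events:
        tag = classify(proc, key, name, data)
        if tag:
            findings.setdefault(proc, set()).add(tag)
    return findings


def verdicts(findings):
    """One human-readable line per process, strongest finding first."""
    out = []
    for proc, tags in findings.items():
        if {"defender_rtp_disabled", "defender_tamper_protection_off"} <= tags:
            out.append(f"{proc}: disables Defender real-time protection and tamper protection (defence evasion)")
        elif "autorun_persistence" in tags:
            out.append(f"{proc}: autorun persistence via Run/RunOnce")
        elif tags == {"iexpress_cleanup"}:
            out.append(f"{proc}: IExpress temp-directory cleanup only (packaging artifact, not persistence)")
    return out


if __name__ == "__main__":
    for line in verdicts(summarize(SAMPLE_EVENTS)):
        print(line)
```

The two cleanup entries are useful as an unpacking hint (two nested IExpress layers, IXP000.TMP and IXP001.TMP) rather than as persistence; the defence-evasion finding on 66841873.exe is the one that changes the host's posture.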
Processes
C:\Users\Admin\AppData\Local\Temp\70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe"
  PID: 4920
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st180668.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st180668.exe
    PID: 872
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66841873.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66841873.exe
      PID: 224
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267984.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267984.exe
      PID: 1792
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
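The process tree above, rebuilt from the WriteProcessMemory IoCs in the signatures section, as an added example (written for this page, not tria.ge tooling). WPM_IOCS is a constructed copy of the report's nine entries in the format the sandbox prints them; DROPPED mirrors the Executes dropped EXE table; parse_edges, build_tree, roots, orphans and render are names chosen here. The parser dedupes the repeated writes per child, derives parent names from the writing process, fills child names from the dropped-EXE table, and reports any dropped executable that ran without a recorded parent write. The RedLine YARA hit in this report is on the memory of PID 1792, the last leaf of the tree.

```python
import re
from collections import defaultdict

# Constructed copy of the nine "Suspicious use of WriteProcessMemory" IoCs from this report.
WPM_IOCS = """
PID 4920 wrote to memory of 872 4920 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe 79
PID 4920 wrote to memory of 872 4920 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe 79
PID 4920 wrote to memory of 872 4920 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe 79
PID 872 wrote to memory of 224 872 st180668.exe 80
PID 872 wrote to memory of 224 872 st180668.exe 80
PID 872 wrote to memory of 224 872 st180668.exe 80
PID 872 wrote to memory of 1792 872 st180668.exe 84
PID 872 wrote to memory of 1792 872 st180668.exe 84
PID 872 wrote to memory of 1792 872 st180668.exe 84
"""

# pid -> image, taken from the "Executes dropped EXE" table on this page.
DROPPED = {872: "st180668.exe", 224: "66841873.exe", 1792: "kp267984.exe"}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Return deduplicated (parent_pid, parent_image, child_pid) edges in first-seen order."""
    edges, seen = [], set()
    for m in WPM_RE.finditer(text):
        ppid, cpid, image, _procid_target = m.groups()
        edge = (int(ppid), image, int(cpid))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges, dropped):
    """children: parent pid -> [child pids]; names: pid -> image (writer image for parents,
    dropped-EXE table for children)."""
    names = dict(dropped)
    children = defaultdict(list)
    for ppid, image, cpid in edges:
        names.setdefault(ppid, image)
        children[ppid].append(cpid)
    return children, names


def roots(edges):
    """Pids that write to others but were never written to: the top of each tree."""
    kids = {cpid for _, _, cpid in edges}
    return sorted({ppid for ppid, _, _ in edges if ppid not in kids})


def orphans(edges, dropped):
    """Dropped executables with no recorded parent write, i.e. creations the report did not attribute."""
    kids = {cpid for _, _, cpid in edges}
    return sorted(pid for pid in dropped if pid not in kids)


def render(children, names, pid, depth=0):
    """Indented text tree, one line per process, matching the Processes section layout."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_IOCS)
    children, names = build_tree(edges, DROPPED)
    for root in roots(edges):
        print("\n".join(render(children, names, root)))
    print("dropped pids without a recorded parent write:", orphans(edges, DROPPED))
```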
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
489KB
MD5
e61ec5f867465cb46d83306e6797783d
SHA1
1e0dc7b4d18a11529fdc334ff0d9e105f9f2ccae
SHA256
de8b19bb8800221b83faf86600ce65dc814efd96de5909caed7862a89288c8c9
SHA512
45c971931ea20998750bf0d3e76dbc71f657ec38b2473d209b6f258a9cf3938ea6ac25556363564d4151b13d4c260d537d924729cad27d7a7e139d86a0f06f8d

Filesize
175KB
MD5
3d10b67208452d7a91d7bd7066067676
SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Filesize
332KB
MD5
7d960538a58918d64d1727e03dfd2fea
SHA1
cf8869976030ffa688159808301e8b8506b4df73
SHA256
df53fa299e0eabd450144aec19a0ff0af3b6f6000f7250574bedd21e228d7258
SHA512
826df6af6379cd450aa988be227e540ae941e5bff452209f4595bee3eae8f4c42ed62953c1ec5b5e8311461c1a6cbaf8605ef35e19067edb9f21dc2dfea358bd