Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 22:37
Static task: static1
Behavioral task: behavioral1
  Sample: 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe
  Resource: win10v2004-20230220-en
General
Target: 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe
Size: 694KB
MD5: 69d4160bbfefda8fd6481b25158fa7f4
SHA1: e498f77d023c2ad95c050c1b90dc3026df5a716e
SHA256: 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c
SHA512: a67d52e85242a3049ff540542725795b8c393d69fb9747eee1bed85f3e6f57687305ebda71ee1c259c1729134f1e7c89b7fe2de824862cc5c19dc5297745f77e
SSDEEP: 12288:by905RiNpoEioZ6L6J4wpFTUirGfG5eWz6Fp18bSKlA+l+2l0834X:byCR8poey5oFLrGfK6Fp18bSqG2lve
Malware Config
Signatures
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3484-992-0x0000000009D00000-0x000000000A318000-memory.dmp | redline_stealer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 85856717.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 85856717.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 85856717.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 85856717.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 85856717.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 85856717.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 3 IoCs
pid | Process
2084 | un054237.exe
1764 | 85856717.exe
3484 | rk812703.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 85856717.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 85856717.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un054237.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un054237.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1160 | 1764 | WerFault.exe | 84
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1764 | 85856717.exe
1764 | 85856717.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1764 | 85856717.exe
Token: SeDebugPrivilege | 3484 | rk812703.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4088 wrote to memory of 2084 | 4088 | 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe | 83
PID 4088 wrote to memory of 2084 | 4088 | 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe | 83
PID 4088 wrote to memory of 2084 | 4088 | 030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe | 83
PID 2084 wrote to memory of 1764 | 2084 | un054237.exe | 84
PID 2084 wrote to memory of 1764 | 2084 | un054237.exe | 84
PID 2084 wrote to memory of 1764 | 2084 | un054237.exe | 84
PID 2084 wrote to memory of 3484 | 2084 | un054237.exe | 89
PID 2084 wrote to memory of 3484 | 2084 | un054237.exe | 89
PID 2084 wrote to memory of 3484 | 2084 | un054237.exe | 89
Processes
Each entry gives the process depth in the tree, the command line, and the PID, followed by the signatures attributed to that process.

1: "C:\Users\Admin\AppData\Local\Temp\030a3047053c0951c877033ae7b8394f8889052aa9564ebb65cbaa0b25e41f5c.exe" (PID 4088)
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un054237.exe (PID 2084)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\85856717.exe (PID 1764)
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1088 (PID 1160)
            - Program crash
      3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk812703.exe (PID 3484)
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
1: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1764 -ip 1764 (PID 3796)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 540KB
MD5: e4fb0a1bc923cce78ad0af1d684f4366
SHA1: ba5ed8e805784ae6697fea2b0fb859dbc803bca1
SHA256: ccb984c68ffee26a679adf532c80e0721a0e64369dc81689d0073f09f9812b6d
SHA512: 4259dc63bd6470754fbac868d2e9fe86ec14de9e081a34506e79b10b2526ac1f7ad78cda3fa49e5cb30e2000e81f742d36b018ddfa6370f246a04d8c16066a3b
Filesize: 258KB
MD5: 323f8fc86af5cb6da06fbca6600c3ac2
SHA1: e420f6d593f5e05ca9528f2d75414f8848d03907
SHA256: 0cdc9c9660bb8b30bf460a5004f937c197688a397377b133dd1a02334d32da17
SHA512: e3fb60971288c7c1fb675a87658781b0ff493fd56a4dda0e9441fe41d19f4b582f8212f80c8b43464809df818152cc80d807a6d6237125fc823ab27b6dbea6ff
Filesize: 340KB
MD5: e71cf27eca06104a89fbefc4a89fa2b6
SHA1: c8d8c67833ebc3007fcec52dcb89297a0ca6621e
SHA256: a1d0e2d0640b8fd735b88d26b898a6912f2f62cff3aad35197122950d550eec7
SHA512: a18ae4d74663ed0191107e0ec1e6af8eac6480958cbcc26afab665089d13c7a19503f2dca255ee3c2412ad27fcbd132ade157b069750c505ab09b8e4601466d0