Analysis
max time kernel: 205s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 22:43
Static task: static1
Behavioral task: behavioral1
  Sample: 0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe
  Resource: win10v2004-20230220-en
General
Target: 0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe
Size: 651KB
MD5: 5f866f7cedb5d59148d90bc7d021ea33
SHA1: 9e7dd5658b0aadca261967806a6994846d7e194b
SHA256: 0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed
SHA512: d12af1f5401d296e858cd089031be0d604b4fd8fa3e8914e3b966d9ff008946b72c86f10806117a6ae74dbd7349fa893671ec686a5604d7cadb92bad64af3caa
SSDEEP: 12288:ay90rC9LBRwA4RWOoPTtaTgJPObDm0ZMa2VmQ1nzCITh:ayH/VVPTtZIdR2V51nzCIh
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4052-983-0x00000000075A0000-0x0000000007BB8000-memory.dmp
  yara_rule: redline_stealer
- Modifies Windows Defender Real-time Protection settings
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (21905339.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (21905339.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (21905339.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (21905339.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (21905339.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (21905339.exe)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  PID 3380: st888303.exe
  PID 4104: 21905339.exe
  PID 4052: kp276446.exe
- Windows security modification
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (21905339.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (21905339.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (st888303.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (st888303.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4104: 21905339.exe
  PID 4104: 21905339.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4104 (21905339.exe)
  Token: SeDebugPrivilege, PID 4052 (kp276446.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4500 (0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe) wrote to memory of PID 3380, procid_target 80
  PID 4500 (0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe) wrote to memory of PID 3380, procid_target 80
  PID 4500 (0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe) wrote to memory of PID 3380, procid_target 80
  PID 3380 (st888303.exe) wrote to memory of PID 4104, procid_target 81
  PID 3380 (st888303.exe) wrote to memory of PID 4104, procid_target 81
  PID 3380 (st888303.exe) wrote to memory of PID 4104, procid_target 81
  PID 3380 (st888303.exe) wrote to memory of PID 4052, procid_target 84
  PID 3380 (st888303.exe) wrote to memory of PID 4052, procid_target 84
  PID 3380 (st888303.exe) wrote to memory of PID 4052, procid_target 84
Processes
- C:\Users\Admin\AppData\Local\Temp\0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe (PID 4500)
  command line: "C:\Users\Admin\AppData\Local\Temp\0681f33b926858d2cd69b6366654687670b6e870fbb6e4ad01078f5c7c4181ed.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st888303.exe (PID 3380)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st888303.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\21905339.exe (PID 4104)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\21905339.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp276446.exe (PID 4052)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp276446.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 497KB
  MD5: a177a39c050562b6bd9e4611b7002833
  SHA1: 4e8b89cf6353b63ceac9d1014c10274554037952
  SHA256: 23357136c5f8fddd5a725f7e97a1971141a603f88a30d8c9baab54ebb7c2a646
  SHA512: 93a42776f6d2bc5b0f1bac821bebc8cb80096c370d5104841f2997a382b709609ba080393edf899127866f2fdb57b3c9de40a017949e15247bb5123993f189ea
- Filesize: 175KB
  MD5: a165b5f6b0a4bdf808b71de57bf9347d
  SHA1: 39a7b301e819e386c162a47e046fa384bb5ab437
  SHA256: 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
  SHA512: 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
- Filesize: 341KB
  MD5: 5a2df508c7540c1c5426720d710cd528
  SHA1: e8c1d96809b283b4916cb654a4cda4b7514db175
  SHA256: 1bc0ad1e73b9b7e6170cb98be98196210e4396a36248e2e30916fb7a90a36c3b
  SHA512: 33a09ffc01a63c43527682fc9c62090a5ac6a77516d3f585939a9cb20e2e333c9a6a8345fbd6c41ddde168bc33ee00c0bd91ed4ab3f67439ace45ccfedd2eb27