Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 22:43
Static task: static1
Behavioral task: behavioral1
- Sample: 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
- Resource: win10v2004-20230220-en
General
- Target: 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
- Size: 1.4MB
- MD5: 5c5c81a650f941f0556c909020d75ea7
- SHA1: 317c7551be7d2f76ffc0a368827a0e9a50ce47c3
- SHA256: 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3
- SHA512: 0088abf0ed9f8b9310ce1626008552eb7f206bbabf074fb7bb534d2bb91b41ff18034036f24f41225932ed4dd91cade1e5250ff875ab968a501448f48cf6d679
- SSDEEP: 24576:/ymjwlunBYcCZyMcwrGHKCL1LSrAlC4TbzS/Qpi2PDZkNhupi5VM:Kmjwsxf9wKP1LSrMTbOQDaUpG
Malware Config
Extracted
- redline
- mask
- 217.196.96.56:4138
- auth_value: 31aef25be0febb8e491794ef7f502c50
Signatures

Detects Redline Stealer samples (1 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/2124-212-0x000000000B200000-0x000000000B818000-memory.dmp | redline_stealer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1718313.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1718313.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1718313.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a1718313.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1718313.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1718313.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
pid | Process
1532 | v5954638.exe
580 | v3854008.exe
800 | v3243674.exe
1168 | v1416645.exe
3508 | a1718313.exe
2124 | b2023792.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1718313.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a1718313.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v1416645.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5954638.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v5954638.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v3854008.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v3243674.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1416645.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v3854008.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v3243674.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5064 | 3508 | WerFault.exe | 87

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3508 | a1718313.exe
3508 | a1718313.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3508 | a1718313.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 4216 wrote to memory of 1532 | 4216 | 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe | 83
PID 4216 wrote to memory of 1532 | 4216 | 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe | 83
PID 4216 wrote to memory of 1532 | 4216 | 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe | 83
PID 1532 wrote to memory of 580 | 1532 | v5954638.exe | 84
PID 1532 wrote to memory of 580 | 1532 | v5954638.exe | 84
PID 1532 wrote to memory of 580 | 1532 | v5954638.exe | 84
PID 580 wrote to memory of 800 | 580 | v3854008.exe | 85
PID 580 wrote to memory of 800 | 580 | v3854008.exe | 85
PID 580 wrote to memory of 800 | 580 | v3854008.exe | 85
PID 800 wrote to memory of 1168 | 800 | v3243674.exe | 86
PID 800 wrote to memory of 1168 | 800 | v3243674.exe | 86
PID 800 wrote to memory of 1168 | 800 | v3243674.exe | 86
PID 1168 wrote to memory of 3508 | 1168 | v1416645.exe | 87
PID 1168 wrote to memory of 3508 | 1168 | v1416645.exe | 87
PID 1168 wrote to memory of 3508 | 1168 | v1416645.exe | 87
PID 1168 wrote to memory of 2124 | 1168 | v1416645.exe | 90
PID 1168 wrote to memory of 2124 | 1168 | v1416645.exe | 90
PID 1168 wrote to memory of 2124 | 1168 | v1416645.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
  "C:\Users\Admin\AppData\Local\Temp\0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4216
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5954638.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5954638.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1532
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3854008.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3854008.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:580
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3243674.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3243674.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID:800
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1416645.exe
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1416645.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID:1168
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1718313.exe
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1718313.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3508
            - C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1084
              - Program crash
              PID:5064
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2023792.exe
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2023792.exe
            - Executes dropped EXE
            PID:2124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3508 -ip 3508
  PID:3152
Network
MITRE ATT&CK Enterprise v6
Downloads