Analysis
  max time kernel:  253s
  max time network: 315s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230221-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        06/05/2023, 20:22
Static task
  static1
Behavioral task
  behavioral1
    Sample:   098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe
    Resource: win7-20230220-en
Behavioral task
  behavioral2
    Sample:   098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe
    Resource: win10v2004-20230221-en
General
  Target: 098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe
  Size:   782KB
  MD5:    73e991b2b8b54b426d2da6e36af95538
  SHA1:   12666dfe36f0b7b665e1bace1a747ecb739d88b5
  SHA256: 098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44
  SHA512: 52fe79343424f8db5249f10211652a729ae3818c64b3889f58b8c9b23117569574e0dc6491163474017637d78d064cb5722d3772472763afa9052963f13360c0
  SSDEEP: 12288:wy90q1FJ6xMIIadKDZK38vSDDiOt5OWOknOspbgojKNEA+a:wyNM+mahOtkWOsljKmA3
Malware Config
  Extracted family: redline
  Botnet:           gena
  C2:               185.161.248.73:4164
  auth_value:       d05bf43eef533e262271449829751d07
Signatures

Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource                                                                      yara_rule
  behavioral2/memory/2812-2322-0x00000000051C0000-0x00000000057D8000-memory.dmp  redline_stealer

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence check.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  m16107274.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  3928  x47953939.exe
  2308  m16107274.exe
  2812  1.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x47953939.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                                098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                                x47953939.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  632  2308        WerFault.exe  81

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2308  m16107274.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 2032 wrote to memory of 3928    2032  098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe  80
  PID 2032 wrote to memory of 3928    2032  098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe  80
  PID 2032 wrote to memory of 3928    2032  098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe  80
  PID 3928 wrote to memory of 2308    3928  x47953939.exe                                                           81
  PID 3928 wrote to memory of 2308    3928  x47953939.exe                                                           81
  PID 3928 wrote to memory of 2308    3928  x47953939.exe                                                           81
  PID 2308 wrote to memory of 2812    2308  m16107274.exe                                                           82
  PID 2308 wrote to memory of 2812    2308  m16107274.exe                                                           82
  PID 2308 wrote to memory of 2812    2308  m16107274.exe                                                           82
Processes (tree; indentation shows parent/child)

  C:\Users\Admin\AppData\Local\Temp\098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe  (PID 2032)
    command line: "C:\Users\Admin\AppData\Local\Temp\098840a5393d50accb3b43d9d4ea896cf7bc0dbbf5a61aeda67ef3d2e5dbdd44.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x47953939.exe  (PID 3928)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x47953939.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m16107274.exe  (PID 2308)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m16107274.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Temp\1.exe  (PID 2812)
          command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe  (PID 632)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1508
          - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 3816)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2308 -ip 2308
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files, listed once per unique hash set)

  File 1
    Filesize: 578KB
    MD5:      56b7afbb8e49f621081a36d0f1de6f69
    SHA1:     51be8e304f3ca8604663d4585385c32fdeb190e9
    SHA256:   bfc36e040d55c3a1574b710ff58348764e7cbb96aa14353ad662d983b6d05c8e
    SHA512:   132093bbe32ac5c8aeafdce54e8ce1387964849815b8e8833bdda9f3034d929cc6459221f317015db20afeb2b6c8d1e71f49b52e60d9fa76de765fde9d3cdfc8

  File 2
    Filesize: 580KB
    MD5:      5e9cda579f4bf1b7dec7b6ce98cadc1c
    SHA1:     20d21361c4f28fa5a14a2ce1f0e3cfb9e70a0121
    SHA256:   81e3305712ab595b6b2ab2e9d0afba8492a69d74261f2ee0013c01746bdc3643
    SHA512:   483779dddb2045c0bb3962d0ffb0a95ce31a3a55bb204ad2f0f483c43d022887c30f186b23cdc5b08845b2e18dd17850d6ea29d787d3fe8ec7e520536fb9970e

  File 3
    Filesize: 168KB
    MD5:      f16fb63d4e551d3808e8f01f2671b57e
    SHA1:     781153ad6235a1152da112de1fb39a6f2d063575
    SHA256:   8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
    SHA512:   fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf