Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
248s -
max time network
265s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
06/05/2023, 20:14
Static task
static1
Behavioral task
behavioral1
Sample
03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe
Resource
win10v2004-20230221-en
General
-
Target
03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe
-
Size
653KB
-
MD5
2f92b60f95c45ba90212f753ed335497
-
SHA1
3d7be526c02f302020507522c684dee91a058c65
-
SHA256
03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7
-
SHA512
017e9dac743909dabde6ff834ecfa2dc45b6ada3d2eba7e35512c2fc02ace3d0b6528d5de70866924ef3be4779eb7e7bd94aa4bdf57c3081f137c6f2f9576c62
-
SSDEEP
12288:0y90uZ+wYJAQ+RxMK3LZrZMDgI6RDJm2sbuHepve2PGzU3vNBGZGCRib:0yzZ+wYsyKbZ9nHJJlsqep22VvNyRib
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/3016-199-0x0000000007F00000-0x0000000008518000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 78041499.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 78041499.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 78041499.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 78041499.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 78041499.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 78041499.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
pid Process 3860 st096493.exe 116 78041499.exe 3752 kp692677.exe 4600 kp692677.exe 3016 lr803514.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 78041499.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 78041499.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce st096493.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" st096493.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3752 set thread context of 4600 3752 kp692677.exe 83 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 116 78041499.exe 116 78041499.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 116 78041499.exe Token: SeDebugPrivilege 4600 kp692677.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3768 wrote to memory of 3860 3768 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe 80 PID 3768 wrote to memory of 3860 3768 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe 80 PID 3768 wrote to memory of 3860 3768 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe 80 PID 3860 wrote to memory of 116 3860 st096493.exe 81 PID 3860 wrote to memory of 116 3860 st096493.exe 81 PID 3860 wrote to memory of 116 3860 st096493.exe 81 PID 3860 wrote to memory of 3752 3860 st096493.exe 82 PID 3860 wrote to memory of 3752 3860 st096493.exe 82 PID 3860 wrote to memory of 3752 3860 st096493.exe 82 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3752 wrote to memory of 4600 3752 kp692677.exe 83 PID 3768 wrote to memory of 3016 3768 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe 84 PID 3768 wrote to memory of 3016 3768 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe 84 PID 3768 wrote to memory of 3016 3768 03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe"C:\Users\Admin\AppData\Local\Temp\03b7f1ec1a594873467211338a87aca1299d543be8e25ae29cea42c37e93e9f7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st096493.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st096493.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78041499.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78041499.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp692677.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp692677.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp692677.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp692677.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr803514.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr803514.exe2⤵
- Executes dropped EXE
PID:3016
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5e1c805d3cefe221689da30b8a2d944f2
SHA1a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA25632023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA5127801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7
-
Filesize
136KB
MD5e1c805d3cefe221689da30b8a2d944f2
SHA1a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA25632023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA5127801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7
-
Filesize
499KB
MD5f14e292dee76533c24e8e81385f93b98
SHA1b6239a7452dd5a4b837aa3ba3ff7666adec12964
SHA2564799bf5cc66cbb158f7b14e7bfa24519bd27f8721c240a0ce373893e59e46398
SHA5123b0e90acbb2c387e6ec684cbd5690dbcffe1fb4bf886047c8d64a2519d9e79de89a3111001c8e1cabf7d2ef1b2556d3b3ede9a931a5e7636bca9ba869e7d7679
-
Filesize
499KB
MD5f14e292dee76533c24e8e81385f93b98
SHA1b6239a7452dd5a4b837aa3ba3ff7666adec12964
SHA2564799bf5cc66cbb158f7b14e7bfa24519bd27f8721c240a0ce373893e59e46398
SHA5123b0e90acbb2c387e6ec684cbd5690dbcffe1fb4bf886047c8d64a2519d9e79de89a3111001c8e1cabf7d2ef1b2556d3b3ede9a931a5e7636bca9ba869e7d7679
-
Filesize
175KB
MD53d10b67208452d7a91d7bd7066067676
SHA1e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA2565c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df
-
Filesize
175KB
MD53d10b67208452d7a91d7bd7066067676
SHA1e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA2565c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df
-
Filesize
342KB
MD53550637119b32b565671c90d5a19ba2c
SHA15dc5c8175ebce0f55e30ac474744de299818f3d2
SHA2564c71e0c44580aa82a5a7b3dc9382556ff0760a4c8df6ae6dac9ee8de7774887a
SHA512ac992575f2b94518719ae26ff9dea97228f66315d716896b8afce73908705dc15a48120febb298695c83fd1be840acc32908463613fd88fae540fbcfc096055c
-
Filesize
342KB
MD53550637119b32b565671c90d5a19ba2c
SHA15dc5c8175ebce0f55e30ac474744de299818f3d2
SHA2564c71e0c44580aa82a5a7b3dc9382556ff0760a4c8df6ae6dac9ee8de7774887a
SHA512ac992575f2b94518719ae26ff9dea97228f66315d716896b8afce73908705dc15a48120febb298695c83fd1be840acc32908463613fd88fae540fbcfc096055c
-
Filesize
342KB
MD53550637119b32b565671c90d5a19ba2c
SHA15dc5c8175ebce0f55e30ac474744de299818f3d2
SHA2564c71e0c44580aa82a5a7b3dc9382556ff0760a4c8df6ae6dac9ee8de7774887a
SHA512ac992575f2b94518719ae26ff9dea97228f66315d716896b8afce73908705dc15a48120febb298695c83fd1be840acc32908463613fd88fae540fbcfc096055c