Analysis
max time kernel: 145s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 20:37
Static task: static1
Behavioral task behavioral1: 1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe on resource win7-20230220-en
Behavioral task behavioral2: 1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe on resource win10v2004-20230220-en
The signatures, process tree and dropped files below come from behavioral2 (Windows 10 2004 x64), the platform named in the analysis header.
General
Target: 1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe
Size: 1.5MB
MD5: a9a3d36f1944fd0338a084030f126b1c
SHA1: aa2127dcd116cea561395beccac1679cff97b762
SHA256: 1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0
SHA512: 00545d15999c6c5dab1616a1279ff5ce7d2481dfecc9a1884d008ee2299ac342ac5cac8a5d7e56d96ee18ddea366f9b96ca3db1d97931c7ada3b88520b87aa76
SSDEEP: 24576:eyM7bvKR3YqrusDsCJzFKHKv4DWWMMXnuUzgrVyD2NSw4Et/5tSgI8s4ZGKOL7R:tCbiR3fFzRgWWhuCgCYSot//SgHGKOL
Malware Config
Extracted family: redline
Botnet: mazda
C2: 217.196.96.56:4138
auth_value: 3d2870537d84a4c6d7aeecd002871c51
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource: behavioral2/memory/4104-209-0x000000000A9A0000-0x000000000AFB8000-memory.dmp
yara_rule: redline_stealer
The match is in a memory region of PID 4104, which the process tree below identifies as b6088643.exe, the last stage of the dropper chain.

Modifies Windows Defender Real-time Protection settings (6 IoCs, all by a2191162.exe, PID 1768)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
These writes land under WOW6432Node because a2191162.exe is a 32-bit process on x64 Windows (its crash is handled by C:\Windows\SysWOW64\WerFault.exe) and WOW64 registry redirection applies. A hunting rule for these values should match both the native Policies path and the WOW6432Node view.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
PID 2688  v1296116.exe
PID 2176  v1707671.exe
PID 2144  v0279443.exe
PID 1844  v4217318.exe
PID 1768  a2191162.exe
PID 4104  b6088643.exe

Windows security modification (2 IoCs, both by a2191162.exe, PID 1768)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 10 IoCs)
Each dropper stage creates the RunOnce key and writes one cleanup value for its own extraction directory:
- 1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- v1296116.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- v1707671.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- v0279443.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
- v4217318.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
The wextract_cleanupN values are what the Windows IExpress self-extractor (WEXTRACT) writes so that RunOnce removes its IXP00N.TMP extraction directory at the next logon through advpack.dll's DelNodeRunDLL32; RunOnce values are deleted once they have run. The five entries therefore document five nested self-extracting layers, not persistence of the RedLine payload. Neither a2191162.exe nor b6088643.exe writes a Run or RunOnce value in this report.
Program crash (1 IoC)
pid 3992  pid_target 1768  Process WerFault.exe  procid_target 88
(WerFault reported on PID 1768, a2191162.exe, the stage that disabled Defender.)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 1768  a2191162.exe (logged twice)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege  PID 1768  a2191162.exe

Suspicious use of WriteProcessMemory (18 IoCs; each parent-to-child write is logged three times)
PID 3128 (1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe) wrote to memory of 2688  procid_target 84
PID 2688 (v1296116.exe) wrote to memory of 2176  procid_target 85
PID 2176 (v1707671.exe) wrote to memory of 2144  procid_target 86
PID 2144 (v0279443.exe) wrote to memory of 1844  procid_target 87
PID 1844 (v4217318.exe) wrote to memory of 1768  procid_target 88
PID 1844 (v4217318.exe) wrote to memory of 4104  procid_target 94
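A hunting rule built from the registry tables above has to cope with two things the raw rows do not make obvious: WOW64 redirection (the 32-bit stage wrote under WOW6432Node, so the same setting has two key paths) and the fact that the wextract_cleanup RunOnce values are self-extractor housekeeping rather than persistence. The following Python is an added example, not code from tria.ge or from the sample: it parses constructed rows in the same layout as the tables above, normalises the key paths, flags the Defender-disabling writes, and separates WEXTRACT cleanup entries from other RunOnce writes. The last input row (value name updater written by evil.exe) is hypothetical and exists only to show a non-WEXTRACT RunOnce entry being kept for review.

```python
"""Triage helper for the flattened registry rows of a sandbox report (added example,
not tria.ge code): normalise WOW64-redirected paths, flag writes that disable Defender,
and separate WEXTRACT self-extractor cleanup RunOnce values from other RunOnce entries."""
import re

# Constructed sample rows in the layout of the report's IoC tables:
#   Set value (<type>) <key>\<name> = "<value>" <process>
#   Key created <key> <process>
# The final row (updater / evil.exe) is hypothetical, added for contrast.
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a2191162.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a2191162.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a2191162.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a2191162.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v4217318.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" evil.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?)\\([^\\]+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+)$')
WOW_RE = re.compile(r'\\WOW6432Node(?=\\|$)', re.I)

# Values that switch Defender features off, keyed by (normalised key, value name) in lower case.
DEFENDER_OFF = {
    (r"hklm\software\policies\microsoft\windows defender\real-time protection", n): "1"
    for n in ("disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
              "disableonaccessprotection", "disablescanonrealtimeenable")
}
DEFENDER_OFF[(r"hklm\software\microsoft\windows defender\features", "tamperprotection")] = "0"

def normalize(key):
    """Drop the WOW6432Node component and map the kernel MACHINE/USER hive names to
    HKLM/HKU; also report whether the write was WOW64-redirected."""
    wow64 = bool(WOW_RE.search(key))
    key = WOW_RE.sub("", key)
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER", "HKU", key, flags=re.I)
    return key, wow64

def parse(rows):
    """Turn report rows into event dicts; rows in neither layout are skipped."""
    events = []
    for row in rows:
        m = SET_RE.match(row.strip())
        if m:
            vtype, key, name, value, proc = m.groups()
            key, wow64 = normalize(key)
            events.append({"op": "set", "type": vtype, "key": key, "name": name,
                           "value": value, "process": proc, "wow64": wow64})
            continue
        m = KEY_RE.match(row.strip())
        if m:
            key, wow64 = normalize(m[1])
            events.append({"op": "create", "type": None, "key": key, "name": None,
                           "value": None, "process": m[2], "wow64": wow64})
    return events

def defender_tampering(events):
    """[(process, key\\name, value, wow64)] for writes that match a Defender-off setting."""
    hits = []
    for e in events:
        if e["op"] != "set":
            continue
        expected = DEFENDER_OFF.get((e["key"].lower(), e["name"].lower()))
        if expected is not None and e["value"] == expected:
            hits.append((e["process"], e["key"] + "\\" + e["name"], e["value"], e["wow64"]))
    return hits

# WEXTRACT writes wextract_cleanupN = rundll32.exe <path>\advpack.dll,DelNodeRunDLL32 "<IXP dir>"
WEXTRACT_RE = re.compile(r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+\\"(.+?)\\"$', re.I)

def runonce_entries(events):
    """Split RunOnce writes into WEXTRACT cleanup hooks (process, name, temp dir name)
    and everything else (process, name, value), which deserves a closer look."""
    cleanup, other = [], []
    for e in events:
        if e["op"] != "set" or not e["key"].lower().endswith(r"\currentversion\runonce"):
            continue
        m = WEXTRACT_RE.match(e["value"])
        if m and e["name"].lower().startswith("wextract_cleanup"):
            # the report doubles backslashes inside values; undo that before taking the basename
            tmpdir = m[1].replace("\\\\", "\\").rstrip("\\").rsplit("\\", 1)[-1]
            cleanup.append((e["process"], e["name"], tmpdir))
        else:
            other.append((e["process"], e["name"], e["value"]))
    return cleanup, other

if __name__ == "__main__":
    evs = parse(ROWS)
    for hit in defender_tampering(evs):
        print("DEFENDER OFF:", hit)
    cleanup, other = runonce_entries(evs)
    print("WEXTRACT cleanup:", cleanup)
    print("other RunOnce:", other)
```

The key normalisation keeps the wow64 flag rather than discarding it: matching on the normalised path is what makes the rule fire for both a 32-bit and a 64-bit writer, and the flag is what tells the analyst which view of the key to inspect on the host.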
Processes
"C:\Users\Admin\AppData\Local\Temp\1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe"  PID 3128
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1296116.exe  PID 2688
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1707671.exe  PID 2176
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0279443.exe  PID 2144
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217318.exe  PID 1844
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2191162.exe  PID 1768
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1080  PID 3992
            - Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6088643.exe  PID 4104
          - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1768 -ip 1768  PID 3068
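The tree above can be regenerated from the flat rows of the WriteProcessMemory, Executes dropped EXE and Program crash tables, which is useful when a report is exported without the rendered tree. The following Python is an added example (not tria.ge code) that parses constructed rows in the same layout, de-duplicates the triplicated write entries, marks the process WerFault reported on, and lists the leaf processes. The leaves here are a2191162.exe (the Defender-tampering stage, which crashed) and b6088643.exe (where the RedLine YARA rule matched in memory).

```python
"""Rebuild the process chain from the flattened "Suspicious use of WriteProcessMemory",
"Executes dropped EXE" and "Program crash" rows of a sandbox report (added example,
not tria.ge code), so the chain can be checked without a rendered tree."""
import re
from collections import defaultdict

SAMPLE = "1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe"

# Constructed rows in the layout of the report's tables. The triplicated first entry is
# kept on purpose: the report logs each parent-to-child write three times.
WPM_ROWS = [f"PID 3128 wrote to memory of 2688 3128 {SAMPLE} 84"] * 3 + [
    "PID 2688 wrote to memory of 2176 2688 v1296116.exe 85",
    "PID 2176 wrote to memory of 2144 2176 v1707671.exe 86",
    "PID 2144 wrote to memory of 1844 2144 v0279443.exe 87",
    "PID 1844 wrote to memory of 1768 1844 v4217318.exe 88",
    "PID 1844 wrote to memory of 4104 1844 v4217318.exe 94",
]
DROPPED_ROWS = ["2688 v1296116.exe", "2176 v1707671.exe", "2144 v0279443.exe",
                "1844 v4217318.exe", "1768 a2191162.exe", "4104 b6088643.exe"]
CRASH_ROWS = ["3992 1768 WerFault.exe 88"]  # pid pid_target Process procid_target

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")

def parse_edges(rows):
    """Return the set of (parent_pid, child_pid) edges and the parent images named on them."""
    edges, names = set(), {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            parent, child, image = int(m[1]), int(m[2]), m[3]
            edges.add((parent, child))
            names[parent] = image
    return edges, names

def parse_pid_names(rows):
    """'Executes dropped EXE' rows: pid Process."""
    return {int(pid): image for pid, image in (r.split(maxsplit=1) for r in rows)}

def parse_crashed_pids(rows):
    """'Program crash' rows: pid pid_target Process procid_target; pid_target crashed."""
    return {int(r.split()[1]) for r in rows}

def build_tree(wpm_rows, dropped_rows, crash_rows):
    """Return (roots, children, names, crashed) for the chain described by the rows."""
    edges, names = parse_edges(wpm_rows)
    names.update(parse_pid_names(dropped_rows))
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return roots, dict(children), names, parse_crashed_pids(crash_rows)

def render(roots, children, names, crashed, depth=0, under=None):
    """One indented line per process, marking those WerFault reported on."""
    lines = []
    for pid in (roots if under is None else children.get(under, [])):
        mark = "  <-- crashed (WerFault)" if pid in crashed else ""
        lines.append(f"{'  ' * depth}{names.get(pid, '?')} [{pid}]{mark}")
        lines.extend(render(roots, children, names, crashed, depth + 1, pid))
    return lines

def chain_depth(children, pid):
    """Number of process generations from pid down to its deepest descendant."""
    return 1 + max((chain_depth(children, c) for c in children.get(pid, [])), default=0)

def leaves(children, roots):
    """Processes that spawn nothing; in a dropper chain these are the final stages."""
    out, stack = [], list(roots)
    while stack:
        pid = stack.pop()
        kids = children.get(pid, [])
        if kids:
            stack.extend(kids)
        else:
            out.append(pid)
    return sorted(out)

if __name__ == "__main__":
    roots, children, names, crashed = build_tree(WPM_ROWS, DROPPED_ROWS, CRASH_ROWS)
    print("\n".join(render(roots, children, names, crashed)))
    print("chain depth:", chain_depth(children, roots[0]))
    print("leaf processes:", [f"{names[p]} [{p}]" for p in leaves(children, roots)])
```

The procid_target column is a sandbox-internal process index, not a PID, so the parser ignores it and keys everything on the PIDs in the description text; only the crash row's pid_target is a real PID.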
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.4MB
MD5: 1c4c3e8549b893bcd059bb831ed37382
SHA1: f8a7e31fd186bdaa2097a770247927085ddadff4
SHA256: ca77d178b1d292156ff0c451dbc84525f29f53d301af1b72cc93d8a01cd5d38f
SHA512: 8ebbc9ecbc2074ae7a508b988795fe3ede93bf9bee29429986ffc0ca5a019e082bb5801aa9a1af26e70284712c8d17b783cfec6784e3b0a69926a4485522240f

Filesize: 916KB
MD5: e30b32224037f41ad359719bdc98fdc9
SHA1: 448661a8dace69a901beb50c8945c5a20f208170
SHA256: dcf0e0002ef0d68de08ceb56c09f575434482909da4ca33d48fb69faff19f13d
SHA512: 4b75e9738550006cde08fd5ea2dfb5f4f29e6311c4e96f6a0a4c979c5893393c0cbc465b162b384d554cf63e53d40ed2b895cb1b4616062aff94f588416f7322

Filesize: 711KB
MD5: b47acdf37a719c3ffca5b15a02fd1c1a
SHA1: b0badef32052eaf2acd580bd31cb6d154c68d1b5
SHA256: 7577e4e48d1938fdde13afb488f03a36b9b01b95d9cb648b094da2d4653b2bfd
SHA512: 2a090bb1ab1720f8d44228410d57112ac304da46ace591b330bf266f73e6e4c638582ca62cc8050425c113d4980eb2a83c58c58bfb9c1c21da89a14748aa19d7

Filesize: 416KB
MD5: b4eb9c4489ea41fe844a42a0c17f857c
SHA1: ade15e1fea0c0d001fefb7fa523e6b26a70b02ba
SHA256: 263965637013da5de444eede206022c8ab353cb0e0cae98bacac6e2d96386853
SHA512: ffe104be4c6a203de29987bc169e7c1ee02d6370f780be8e80ef4baa8fe54f8320614f9c72264b6518e9ada580c41a0bd18449fa282ccd699725863420a6ff5e

Filesize: 360KB
MD5: 003e7969e35bd587d02591ea55e8f552
SHA1: 06f0d129506feb02366717b231202b26028f291c
SHA256: 9d188a4f10160bfc611cc9495a4627a655ea87acebd322279cc5d1008ce08397
SHA512: 55a67605e97e85a2336d62017094d4b0ae1a184844922129f00ae883e4a1c2862bd89ca479a3a126c98855ffea91a733105527a1f34d1875613382a4bc4c391c

Filesize: 168KB
MD5: ff0f79bac5a1b3d02dd224c5da59ee47
SHA1: 768bcf57bb724c8c6e1cd6d4f1c83f5738312e69
SHA256: 1ec1375b9e17535df1e1334d62490c9d4c141e75ff2c4a0a2697c46c35fd5c1e
SHA512: 8bf3ce2ca3b42989281c946bb01926f60103aee3aa17fc708e706342994e97feb1b21f74e176516b1e6c41b5dd44f6ec69ce0278dc25172632b1449e3c7d8c1f