Analysis
max time kernel: 171s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: 225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe
  Resource: win10v2004-20230220-en
The signatures, process tree and dropped files shown on this page are from behavioral2 (Windows 10 2004, x64); no behavioral1 output is shown here.
General
Target: 225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe
Size: 644KB
MD5: 082ca37c390cb30aa276101593b490a3
SHA1: df5d4ea1b25f1906325cfe1b948750f6f32fac9d
SHA256: 225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e
SHA512: d3793a75f4ca524b50ddc2d7c33abb2057ea5e073297d48e9f9bcd9119716e2745b18cdf1800525b20da3447bd08bbdf9e5a24c26271184248497582a512718c
SSDEEP: 12288:Ay90tLO46ghtu1HFBA5GvJYcniIVdUNBqIjuBNBfyUmrPjC0:Ayyan1TJJYcTdUPPPvjB
Malware Config
Signatures
-
Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource: behavioral2/memory/3188-977-0x0000000009C80000-0x000000000A298000-memory.dmp (yara rule: redline_stealer)
The match is in a memory dump of PID 3188, which is kp013456.exe (see "Executes dropped EXE" below): the RedLine payload is only visible once that stage has unpacked in memory, so hash the dumped region rather than the dropped file when building detections.
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (97108547.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (97108547.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (97108547.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  (97108547.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (97108547.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (97108547.exe)
These are the Group Policy values for Defender real-time protection, written directly to HKLM\SOFTWARE\Policies by a 32-bit process (hence the WOW6432Node path). On a host with Tamper Protection enabled, Defender blocks changes to its real-time protection settings made this way; the write to TamperProtection in "Windows security modification" below is the sample's attempt to remove that obstacle.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (3 IoCs)
pid / process:
- 3528  st242074.exe
- 2748  97108547.exe
- 3188  kp013456.exe
Windows security modification (2 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  (97108547.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  (97108547.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (st242074.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (st242074.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe)
Read these RunOnce values before treating them as persistence: wextract_cleanup0/1 are the entries the Windows self-extractor stub (wextract, used by IExpress packages) registers so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. They do not relaunch any payload. Together with the IXP000.TMP and IXP001.TMP paths they show the sample is a self-extracting archive nested inside another: the outer file unpacks st242074.exe, which in turn unpacks 97108547.exe and kp013456.exe.
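The registry events above (the Defender real-time protection policy writes, the TamperProtection write, and the two RunOnce values) are the kind of sandbox output an analyst usually triages by hand. The script below is an added example, not tria.ge code or part of this report: it parses event lines in the "description / ioc / Process" layout shown on this page (an assumption about the export format), normalises the WOW6432Node redirection so 32-bit and 64-bit writes compare equal, flags Defender tampering, and separates the wextract cleanup entries from genuine Run/RunOnce persistence. The ATT&CK IDs (T1562.001, T1547.001) are my mapping; the page's own MITRE section is empty.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the registry events listed in this report, one per line in the
# sandbox's "description / ioc / Process" layout (assumption: the export is line-oriented).
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 97108547.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 97108547.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 97108547.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 97108547.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 97108547.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 97108547.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 97108547.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 97108547.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce st242074.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" st242074.exe
"""

# "Set value (<type>) <key path> = "<value>" <process>"; the value may contain \" and \\ escapes.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+)$')
# "Key created <key path> <process>"; the key path may contain spaces, the process name may not.
KEY_CREATED_RE = re.compile(r'^Key created (.+?) (\S+)$')

# Normalised key paths (hive alias, lower-case, WOW6432Node removed).
RTP_POLICY_PREFIX = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
TAMPER_PATH = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"
RUN_KEY_PREFIXES = ("hklm\\software\\microsoft\\windows\\currentversion\\run\\",
                    "hklm\\software\\microsoft\\windows\\currentversion\\runonce\\")


@dataclass
class RegEvent:
    op: str                 # "set" or "create"
    path: str               # normalised key (or value) path
    raw_path: str           # path exactly as the sandbox printed it
    vtype: Optional[str]    # "int" / "str" for set events
    value: Optional[str]    # value data for set events
    process: str
    wow64: bool             # True when the write went through the WOW6432Node redirection


def normalize_path(raw: str):
    """Map \\REGISTRY\\MACHINE\\... to hklm\\..., drop WOW6432Node, lower-case."""
    p = raw.lower()
    prefix = "\\registry\\machine\\"
    if p.startswith(prefix):
        p = "hklm\\" + p[len(prefix):]
    wow64 = "\\wow6432node\\" in p
    return p.replace("\\wow6432node\\", "\\"), wow64


def parse_events(text: str) -> List[RegEvent]:
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_VALUE_RE.match(line)
        if m:
            vtype, raw_path, value, proc = m.groups()
            path, wow64 = normalize_path(raw_path)
            events.append(RegEvent("set", path, raw_path, vtype, value, proc, wow64))
            continue
        m = KEY_CREATED_RE.match(line)
        if m:
            raw_path, proc = m.groups()
            path, wow64 = normalize_path(raw_path)
            events.append(RegEvent("create", path, raw_path, None, None, proc, wow64))
            continue
        raise ValueError(f"unrecognised event line: {line}")
    return events


def find_defender_tampering(events: List[RegEvent]):
    """Flag writes that switch off Defender real-time protection or Tamper Protection.
    Key-creation events are not findings on their own; only the value writes count."""
    findings = []
    for e in events:
        if e.op != "set":
            continue
        name = e.raw_path.rsplit("\\", 1)[-1]
        if e.path.startswith(RTP_POLICY_PREFIX) and name.lower().startswith("disable") and e.value == "1":
            findings.append({"process": e.process, "value_name": name, "technique": "T1562.001",
                             "what": "Defender real-time protection policy disabled", "wow64": e.wow64})
        elif e.path == TAMPER_PATH and e.value == "0":
            findings.append({"process": e.process, "value_name": name, "technique": "T1562.001",
                             "what": "Tamper Protection switched off", "wow64": e.wow64})
    return findings


def classify_autoruns(events: List[RegEvent]):
    """Separate wextract's self-cleanup RunOnce entries from real Run/RunOnce persistence."""
    out = []
    for e in events:
        if e.op != "set" or not e.path.startswith(RUN_KEY_PREFIXES):
            continue
        name = e.raw_path.rsplit("\\", 1)[-1]
        # The self-extractor stub registers wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32 <dir>
        # to delete its IXP00n.TMP directory at next logon; it launches no payload.
        cleanup = name.lower().startswith("wextract_cleanup") and "advpack.dll,delnoderundll32" in e.value.lower()
        out.append({"process": e.process, "value_name": name,
                    "verdict": "extractor_cleanup" if cleanup else "persistence",
                    "technique": None if cleanup else "T1547.001"})
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_defender_tampering(evs):
        print(f"{f['technique']} {f['process']}: {f['what']} ({f['value_name']})")
    for a in classify_autoruns(evs):
        print(f"{a['verdict']:18} {a['process']}: {a['value_name']}")
```

Run against the events on this page it reports six T1562.001 findings, all from 97108547.exe, and classifies both RunOnce entries as extractor cleanup rather than persistence; feed it a RunOnce value that points at a dropped executable and the verdict flips to persistence.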
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / process:
- 2748  97108547.exe
- 2748  97108547.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
- Token: SeDebugPrivilege  2748  97108547.exe
- Token: SeDebugPrivilege  3188  kp013456.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / process / procid_target:
- PID 4600 (225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe) wrote to memory of PID 3528, procid_target 81 (3 events)
- PID 3528 (st242074.exe) wrote to memory of PID 2748, procid_target 83 (3 events)
- PID 3528 (st242074.exe) wrote to memory of PID 3188, procid_target 87 (3 events)
Processes
1. 225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe (PID 4600)
   image: C:\Users\Admin\AppData\Local\Temp\225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\225db0cc57c434d2e2f5a24f25af3bf4016c517554f850ddb62c7c4bbed1cc8e.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. st242074.exe (PID 3528)
      image and command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st242074.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. 97108547.exe (PID 2748)
         image and command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97108547.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. kp013456.exe (PID 3188)
         image and command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp013456.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 489KB
MD5: 11b56499a2b14948ff213f1b877c03bf
SHA1: f3a791f4534e9579972ea86aafed76750b800167
SHA256: 5a9c2047df7002720a01446c7b7afda13ab9aa060d7465814879cb3a6b85dc35
SHA512: 270053351e95a82d3cd3687f4329106c885cc8355d2a640b4a0cd3a17f6da645ea10e485554b4a93afc65ba5747136397854449db6efbfccbd44da991f9c40fa
Filesize: 176KB
MD5: 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1: b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256: f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512: 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177
Filesize: 341KB
MD5: fd79db3ca07572aa803261d6efdc7546
SHA1: 58caded6669990cda9da06ab92f316d0e1f14b1d
SHA256: 3ac0146ee77970eacf8eba85e5336ea42203e8f91580dd3c05a57d1ec06893a1
SHA512: 0e912c7142fb1fe934c3cdb8c2e24aef8734cd008609ad9350eb91123096d24988602eb01aff13684e00881527481d23b5956454f61372d9717e3bfe20b9e799