Analysis
- max time kernel: 164s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 20:58
Static task: static1
Behavioral task: behavioral1
- Sample: 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe
- Resource: win10v2004-20230220-en
General
- Target: 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe
- Size: 786KB
- MD5: 1ee15deeca0a0959a64987350223d0dd
- SHA1: f9c8c6b75e89869b3644b712b02bee6b78e4f8e7
- SHA256: 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366
- SHA512: b823ad29c363cdd73369b17c65a2e0561267bb5c07f89b3bc0a47ba7aa77a6bdbb6a2ca4a55a18de74c91c72be5edceae570b697a2c1fbdd6fe366c19cd68d1b
- SSDEEP: 12288:Zy901FDYRpBmdsCVBjBQeFK4I3ZJRyaskA+1+D6LsH+9TtaqO1G0aTLtCBJFo7p:Zy3BgjiYXIpXnnL/98aTLtCLwp
Malware Config
Extracted
- Family: redline
- Botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07
Extracted
- Family: redline
- Botnet: dark
- C2: 185.161.248.73:4164
- auth_value: ae85b01f66afe8770afeed560513fc2d
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/3748-2317-0x00000000053D0000-0x00000000059E8000-memory.dmp | redline_stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | m69172278.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2736 | x35163478.exe
  1656 | m69172278.exe
  1376 | 1.exe
  3748 | n35150203.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x35163478.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x35163478.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1656 | m69172278.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4436 wrote to memory of 2736 | 4436 | 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe | 83
  PID 4436 wrote to memory of 2736 | 4436 | 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe | 83
  PID 4436 wrote to memory of 2736 | 4436 | 2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe | 83
  PID 2736 wrote to memory of 1656 | 2736 | x35163478.exe | 84
  PID 2736 wrote to memory of 1656 | 2736 | x35163478.exe | 84
  PID 2736 wrote to memory of 1656 | 2736 | x35163478.exe | 84
  PID 1656 wrote to memory of 1376 | 1656 | m69172278.exe | 86
  PID 1656 wrote to memory of 1376 | 1656 | m69172278.exe | 86
  PID 1656 wrote to memory of 1376 | 1656 | m69172278.exe | 86
  PID 2736 wrote to memory of 3748 | 2736 | x35163478.exe | 87
  PID 2736 wrote to memory of 3748 | 2736 | x35163478.exe | 87
  PID 2736 wrote to memory of 3748 | 2736 | x35163478.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2297d297a48b919c235b9b36a058188dde1d6b45339038b6dc4b59a3ffd9b366.exe"
  Depth: 1
  PID: 4436
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x35163478.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x35163478.exe
    Depth: 2
    PID: 2736
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m69172278.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m69172278.exe
      Depth: 3
      PID: 1656
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe
        Command line: "C:\Windows\Temp\1.exe"
        Depth: 4
        PID: 1376
        - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n35150203.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n35150203.exe
      Depth: 3
      PID: 3748
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 582KB
  MD5: db6408f55e6796036cd52fd178e6e85f
  SHA1: 70cbdc7479764c0b77bb992c13d90e84204bc90a
  SHA256: a50f7762225570bb480625137337df93a668004a3f74cbc950224e91b5b93e1a
  SHA512: 34fd13736bfb3e176e930869802411d171ad05225bfe79150908a42f8d7549174c9015c699556ecf97c9d98392e5363960ed38aee0e72011a35c21e01535724f
- Filesize: 582KB
  MD5: e6c5571ecd40779b82dd9064ea887f0d
  SHA1: 822fb2a9ad819bcf7824f5d39f158c1f6efd01f5
  SHA256: 08a49f3c0a55d818f778152c45acc1d0227f0872fc912c0daf45a9ad01a4c0d8
  SHA512: c4fc66ad140fa20116a810da2fa589667795a752fff7436e8bb2a21cc77f96fde80c1b91962d7ad4b2c66f6d734272dd89d4e0624804c677c71bc07aff129993
- Filesize: 171KB
  MD5: 55a7b8b12f4354cba3a0a2b39d58d4fe
  SHA1: a87b818c12a9758ac1f52204fc568974aeecef70
  SHA256: f46945f8bdaa59d21109ccb706f188a4f6bb42222d981eb28c6f6320b4608138
  SHA512: 830843ca6e631fbfaff45089854ef2f16bada746320f44a3403df9cf00ef15f85251e881b3a3cc1c0fd08b0dbd042caf16efad364a0f3e70577bd8260d470a3f
- Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf