Analysis
- max time kernel: 292s
- max time network: 389s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 21:02
Static task: static1
Behavioral task: behavioral1
  Sample: 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe
  Resource: win10v2004-20230221-en
General
- Target: 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe
- Size: 480KB
- MD5: cdd49f7c55deb6e3045d8b21f553355e
- SHA1: 1e687544faec4c012890819ec79b40e35c77658d
- SHA256: 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c
- SHA512: a97d83197df9c941821f168ef1bfdfc4909d87f354e195244a716caa27e9a3942017697da43d40b97dd6f5d6f8359269e718fb23c6488c3d3693ba8fd9f587df
- SSDEEP: 12288:IMrAy90j4U1KCAedvJJgOU1exiMWe1k7FyluF:IyHMdhxU18DS9
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/1044-187-0x0000000007BF0000-0x0000000008208000-memory.dmp | redline_stealer
- Modifies Windows Defender Real-time Protection settings
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a0215661.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a0215661.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a0215661.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a0215661.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a0215661.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a0215661.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid | process
  2676 | v1177721.exe
  636 | a0215661.exe
  1044 | b4674213.exe
- Windows security modification
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a0215661.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a0215661.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1177721.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1177721.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  636 | a0215661.exe
  636 | a0215661.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 636 | a0215661.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 1776 wrote to memory of 2676 | 1776 | 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe | 86
  PID 1776 wrote to memory of 2676 | 1776 | 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe | 86
  PID 1776 wrote to memory of 2676 | 1776 | 267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe | 86
  PID 2676 wrote to memory of 636 | 2676 | v1177721.exe | 87
  PID 2676 wrote to memory of 636 | 2676 | v1177721.exe | 87
  PID 2676 wrote to memory of 636 | 2676 | v1177721.exe | 87
  PID 2676 wrote to memory of 1044 | 2676 | v1177721.exe | 91
  PID 2676 wrote to memory of 1044 | 2676 | v1177721.exe | 91
  PID 2676 wrote to memory of 1044 | 2676 | v1177721.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe (depth 1, PID 1776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\267035c3a21b7aae7d7c5195c8a0e98545dc41c9afbef13ddfdcae4ea54d124c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1177721.exe (depth 2, PID 2676)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1177721.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0215661.exe (depth 3, PID 636)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0215661.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4674213.exe (depth 3, PID 1044)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4674213.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 308KB
  MD5: 8408422c6e967fa329a0c0355dd6c281
  SHA1: c0e61d3a834e7e0cbd675608f92a013685f20d83
  SHA256: 18037bae2eef59e86eda39625710646da62eef0f2e4a10d1ce57f2463711a64a
  SHA512: de9dd0c28abf1a4b2d44a142d469cc7147959ae13a60d9eb8fb3fd3b2d7411e72eac38e9901acc89b8751c331f694727f6f8ea0c48839910662a48c52e569934
- Filesize: 175KB
  MD5: 31ce46ffa8a10aff466b97189df6d559
  SHA1: 5f01772794968058796dfa257d9f9c3f0390ef80
  SHA256: dddcfdd4b4353bc854bd6488214bf7723d1305b4cd35194f8cefde49aa3bc95c
  SHA512: c46b36751e4752e6e9a90bedf249bd575eb6c3baaa37a65609fe2a6574aecd8d7685979ae67fa25e0173ea4e7c33f8960f2575260379fc4e5beb48574bf17f0f
- Filesize: 136KB
  MD5: dd2c2450ef1c54b0633b37e5be04a4e7
  SHA1: a9c6a104a662bd9d157d9cdead22b523cfb1f860
  SHA256: 5f052fc3823d03342443580df2b894be5a3335b40038e22c077392ca059b4656
  SHA512: ab6862b7f3fbef9af4e2dc2a71510a8ed6aa90949e345638503f78516f66643d0453b1217a045b8036971c4debd821c1243e4107e5fa0c98a7dcfc1d6deedeab