Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 21:07
Static task: static1
Behavioral task: behavioral1
Sample: 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe
Resource: win10v2004-20230220-en
General
Target: 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe
Size: 674KB
MD5: 7f5d213cb5da614bae79dc55c5f7388d
SHA1: 1ef457921f68ce987eb83a020e594153f4a92873
SHA256: 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549
SHA512: 07caedbc460602331d898619700989ae3219d798196862045bb7ad83c9dd3955bdf31f8d2779ae8691cc320455e95bf4150085cd7de5af4e4f9cef4e39eace28
SSDEEP: 12288:Ay90G7cQB3i5iTkvy/YFhGxwPsk0gULPL4Kx8cr86oa7lw23qVh8ok:AyB753i5t6/YFIxwPsh/7L4KJxwwMxk
Malware Config
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3964-979-0x0000000007510000-0x0000000007B28000-memory.dmp | redline_stealer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 53910562.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 53910562.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 53910562.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 53910562.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 53910562.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 53910562.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid | Process
4800 | st565474.exe
4756 | 53910562.exe
3964 | kp314966.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 53910562.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 53910562.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | st565474.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | st565474.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4756 | 53910562.exe
4756 | 53910562.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4756 | 53910562.exe
Token: SeDebugPrivilege | 3964 | kp314966.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 436 wrote to memory of 4800 | 436 | 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe | 85
PID 436 wrote to memory of 4800 | 436 | 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe | 85
PID 436 wrote to memory of 4800 | 436 | 2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe | 85
PID 4800 wrote to memory of 4756 | 4800 | st565474.exe | 86
PID 4800 wrote to memory of 4756 | 4800 | st565474.exe | 86
PID 4800 wrote to memory of 4756 | 4800 | st565474.exe | 86
PID 4800 wrote to memory of 3964 | 4800 | st565474.exe | 93
PID 4800 wrote to memory of 3964 | 4800 | st565474.exe | 93
PID 4800 wrote to memory of 3964 | 4800 | st565474.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2b52c099160f823946bb195e662c36a9f0938622d91be40d6d08a021c409b549.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 436

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st565474.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st565474.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4800

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53910562.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53910562.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4756

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp314966.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp314966.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 3964
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 519KB
MD5: 1f9cdfd808c848a077ea9a3a0ec0c354
SHA1: 88dff21276e5b1e75fa9c72a60e7536b6d60fe74
SHA256: 83294c15538ef319add50b5ee4a93ea8f096813a395723e181d4fbb9b5828716
SHA512: 4b6799c4d5bd72d87cce08b4512d77175eb83ec910ba2af8f93fe84dc268da8a8ea9898281fdbeb4f3c7d6aaab417795e58de95473d8967f7443e8337484d00c
Filesize: 175KB
MD5: a165b5f6b0a4bdf808b71de57bf9347d
SHA1: 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256: 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512: 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
Filesize: 415KB
MD5: 3a35e4da6e1b8b0e5136f9449910bcbb
SHA1: 33c5ac6ee651d1a00c37967c3515bae223a69c67
SHA256: 9d0229f8a4fb8abee2782cb9696466ad3087fd00be8d343b56c6a24107d146c0
SHA512: 44db765ad1882a9151ae02080069c06c8fe8ca424e04d3956f882b153f506998a3aa5d73f1e1318e33bf6175fee4e01388b4406fb1da099a0d002a6832a6432b