Analysis
max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06/05/2023, 21:39
Static task: static1
Behavioral task: behavioral1
  Sample: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
  Resource: win10v2004-20230220-en
General
Target: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
Size: 480KB
MD5: 68f1e9940eca94eae5afc7262020ac89
SHA1: 5bb896f17d17608e9849606e191ade4b254538f4
SHA256: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c
SHA512: 27db8e0b5074df81034431c2379730085b5cade901449b8c06a176f7381f1ae1df8f86b9b75f1abc348ea6d5c7d33619feecb819573e5521adca78c41930d71a
SSDEEP: 6144:KHy+bnr+/up0yN90QEKLhxkL4Q5xCW6Rd7HDByt7mne+kMt4+wDri20ET2gDmAbT:tMrIvy90cYJ5xuRdbcOthwy2wgX3
Malware Config
Extracted
Family: redline
Botnet: daris
C2: 217.196.96.56:4138
auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (2 IoCs)
- PID 1128: y9371405.exe
- PID 588: k2589588.exe
Loads dropped DLL (4 IoCs)
- PID 928: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
- PID 1128: y9371405.exe
- PID 1128: y9371405.exe
- PID 588: k2589588.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Process: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Process: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Process: y9371405.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Process: y9371405.exe
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 928 wrote to memory of 1128 | Process: 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe | procid_target: 28 (7 identical entries)
- PID 1128 wrote to memory of 588 | Process: y9371405.exe | procid_target: 29 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe (PID 928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9371405.exe (PID 1128, child of 928)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9371405.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2589588.exe (PID 588, child of 1128)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2589588.exe
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 308KB
  MD5: 63f63bcef9868c18d599e9fbd7461c62
  SHA1: 5b5c99dfb002fc3147b5d5ffa0937ebb060deb58
  SHA256: 927c96e806c7d149fce4d5136843cab463fba2440c489ca6837bc5a1907d568d
  SHA512: dff89bcd1c12a3036482ccc65a455390f44cd8078ce654d6ad8a94d2899d9e1410d4612f50afccdda2950373fdf5beee6202c2600a4203738a0b4042c262a7d8
- Filesize: 168KB
  MD5: 5d4af04a4859feafaaffd273b293bb8a
  SHA1: 7c1ad03de8609e93757557c5cd332ee21500c181
  SHA256: 60712b463c640bb3c7ecdeb7f1f27b0d6c60b192213905549e7b71f8546a0180
  SHA512: 06b1df0a6f415d3cf67255c498591cc3d4c98ee0129eb78049f4b06ecee8830c147bd249cbc16d10f6555e2a84547a5df5e79d950ad8eaa7bff7d36750fd7ec7