Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    06/05/2023, 21:01

General

  • Target

    25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe

  • Size

    588KB

  • MD5

    ed541c1efe2b4b56a7640dab5e08d279

  • SHA1

    dff90d35232bb2d162f870c76cea2c7192889470

  • SHA256

    25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9

  • SHA512

    9b044cb5231a0d968e2e19c0c5cebd28e1eeaabf80b3f9b5c543931a95c0a9c580f58f7ca2cff7cd52df1b60ca678bc5f3ef7ff0a7234ab977d22dfeed5a21f6

  • SSDEEP

    12288:ZMrqy90Bj6d+YHnZ/6fHr4keBUv7VyFoR45XVxw:3yemk6/kH8dBUvAiClxw

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes
  • auth_value

    3491f24ae0250969cd45ce4b3fe77549

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
    "C:\Users\Admin\AppData\Local\Temp\25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1100

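The process tree above is a nested extraction chain: the submitted sample unpacks into %TEMP%\IXP000.TMP, the first stage unpacks again into %TEMP%\IXP001.TMP, and the Run-key and WriteProcessMemory signature hits sit on the two outer stages. As an added example (this script is not part of the tria.ge report or the sample), the following Python rebuilds that chain from the data on this page and scores it. The process records, the parent links (inferred from the tree indentation, since the page prints no PPIDs) and the flag names are this script's own construction; tria.ge's real JSON schema differs.

```python
# Added example, not part of the tria.ge report or the sample: rebuild the
# dropper chain from the Processes section and score it for the
# IExpress-style nested extraction + Run-key persistence pattern.
# Process records, parent links and flag names are constructed from the
# report text by this script; they are not tria.ge's JSON schema.
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# IExpress self-extracting packages unpack into %TEMP%\IXP000.TMP,
# IXP001.TMP, ... with the counter rising once per nested package opened.
IXP_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    flags: frozenset  # sandbox signature hits attributed to this process


# Constructed from the report: parent links follow the tree indentation,
# flags are the per-process signature hits listed under each process.
PROCS = [
    Proc(1724, None, TEMP + SAMPLE,
         frozenset({"loads_dropped_dll", "adds_run_key", "write_process_memory"})),
    Proc(2004, 1724, TEMP + "IXP000.TMP\\x9175681.exe",
         frozenset({"executes_dropped_exe", "loads_dropped_dll",
                    "adds_run_key", "write_process_memory"})),
    Proc(1100, 2004, TEMP + "IXP001.TMP\\g8798750.exe",
         frozenset({"executes_dropped_exe", "loads_dropped_dll"})),
]


def ixp_index(image: str) -> Optional[int]:
    """Return the NNN of an \\IXPNNN.TMP\\ component in the path, else None."""
    m = IXP_DIR.search(image)
    return int(m.group(1)) if m else None


def chain_to_root(procs, pid):
    """Ancestors of `pid`, ordered root first, ending with the process itself.
    Unknown PIDs yield []; a malformed cyclic tree cannot loop forever."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    chain.reverse()
    return chain


def analyze(procs):
    """One finding per leaf process whose ancestry passes through IXP*.TMP."""
    parents = {p.ppid for p in procs if p.ppid is not None}
    findings = []
    for leaf in (p for p in procs if p.pid not in parents):
        chain = chain_to_root(procs, leaf.pid)
        indices = [i for i in (ixp_index(p.image) for p in chain) if i is not None]
        if not indices:
            continue
        run_key = [p.pid for p in chain if "adds_run_key" in p.flags]
        wpm = [p.pid for p in chain if "write_process_memory" in p.flags]
        # Monotonically rising IXP counters along the chain = package inside package.
        nested = len(indices) >= 2 and indices == sorted(indices)
        severity = "high" if nested and run_key else "medium"
        findings.append({
            "chain": [p.pid for p in chain],
            "ixp_depth": len(indices),
            "nested_iexpress": nested,
            "run_key_pids": run_key,
            "write_process_memory_pids": wpm,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCS):
        print(finding)
```

Run against the records above it reports a single chain 1724 -> 2004 -> 1100 with two IXP levels, Run-key persistence on the two outer stages and WriteProcessMemory on the same two, and rates it high. On a real host the same logic applies to Sysmon Event ID 1 (process creation) records keyed by ProcessId/ParentProcessId, with the flags replaced by correlated Event ID 13 (registry value set under a Run key) and Event ID 8/10 hits.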
Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe

    Filesize

    416KB

    MD5

    36c308570aa115734efc23e27f6c2bb8

    SHA1

    406c299e2b2c970fbb85244e343ac9fe7a82f766

    SHA256

    0c26e9c419aaa5b9d79956b50861f4adf2d13e1b3d55d0aeb11456b4d07400c4

    SHA512

    4fb7c5c35516eb30b3330f3acb447e90090b23781c2a0224a1fbeace75b66f462fa65d7cd3d685c822d2548004ce7cb9799108e0de8c4f2951ff5912064493b7

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe

    Filesize

    168KB

    MD5

    f356295d38d4b6daf3401b4257c2d075

    SHA1

    20492b9807aefe5ba93053c6c2545c8b010f370f

    SHA256

    7f9d03faf6ad4e91d3c5ef135643bbada38cb58e15924ac21867d1f2ff594d7c

    SHA512

    fc073e585c57d480d1ae9ccf298d517a61fd1a2f1a739df21321af6ab221cc4807f94875fc061c13c3a38196224afddaf2a0e099b1c9313050d7d2636cdc2e3c

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe

    Filesize

    416KB

    MD5

    36c308570aa115734efc23e27f6c2bb8

    SHA1

    406c299e2b2c970fbb85244e343ac9fe7a82f766

    SHA256

    0c26e9c419aaa5b9d79956b50861f4adf2d13e1b3d55d0aeb11456b4d07400c4

    SHA512

    4fb7c5c35516eb30b3330f3acb447e90090b23781c2a0224a1fbeace75b66f462fa65d7cd3d685c822d2548004ce7cb9799108e0de8c4f2951ff5912064493b7

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe

    Filesize

    168KB

    MD5

    f356295d38d4b6daf3401b4257c2d075

    SHA1

    20492b9807aefe5ba93053c6c2545c8b010f370f

    SHA256

    7f9d03faf6ad4e91d3c5ef135643bbada38cb58e15924ac21867d1f2ff594d7c

    SHA512

    fc073e585c57d480d1ae9ccf298d517a61fd1a2f1a739df21321af6ab221cc4807f94875fc061c13c3a38196224afddaf2a0e099b1c9313050d7d2636cdc2e3c

  • memory/1100-74-0x0000000000170000-0x000000000019E000-memory.dmp

    Filesize

    184KB

  • memory/1100-75-0x0000000000250000-0x0000000000256000-memory.dmp

    Filesize

    24KB

  • memory/1100-76-0x0000000004B10000-0x0000000004B50000-memory.dmp

    Filesize

    256KB

  • memory/1100-77-0x0000000004B10000-0x0000000004B50000-memory.dmp

    Filesize

    256KB