Analysis
max time kernel: 133s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06/05/2023, 21:01
Static task: static1
Behavioral task: behavioral1
  Sample: 25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
  Resource: win10v2004-20230220-en
General
Target: 25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
Size: 588KB
MD5: ed541c1efe2b4b56a7640dab5e08d279
SHA1: dff90d35232bb2d162f870c76cea2c7192889470
SHA256: 25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9
SHA512: 9b044cb5231a0d968e2e19c0c5cebd28e1eeaabf80b3f9b5c543931a95c0a9c580f58f7ca2cff7cd52df1b60ca678bc5f3ef7ff0a7234ab977d22dfeed5a21f6
SSDEEP: 12288:ZMrqy90Bj6d+YHnZ/6fHr4keBUv7VyFoR45XVxw:3yemk6/kH8dBUvAiClxw
Malware Config
Extracted
Family: redline
Botnet: daris
C2: 217.196.96.56:4138
auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (2 IoCs)
  pid   Process
  2004  x9175681.exe
  1100  g8798750.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
  2004  x9175681.exe
  2004  x9175681.exe
  1100  g8798750.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                    Process
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce        25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce        x9175681.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x9175681.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 1724 wrote to memory of 2004   1724  25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe   28
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
  PID 2004 wrote to memory of 1100   2004  x9175681.exe                                                             29
Processes
1. C:\Users\Admin\AppData\Local\Temp\25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 1724
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2004
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe
         - Executes dropped EXE
         - Loads dropped DLL
         PID: 1100
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 416KB
  MD5: 36c308570aa115734efc23e27f6c2bb8
  SHA1: 406c299e2b2c970fbb85244e343ac9fe7a82f766
  SHA256: 0c26e9c419aaa5b9d79956b50861f4adf2d13e1b3d55d0aeb11456b4d07400c4
  SHA512: 4fb7c5c35516eb30b3330f3acb447e90090b23781c2a0224a1fbeace75b66f462fa65d7cd3d685c822d2548004ce7cb9799108e0de8c4f2951ff5912064493b7
- Filesize: 168KB
  MD5: f356295d38d4b6daf3401b4257c2d075
  SHA1: 20492b9807aefe5ba93053c6c2545c8b010f370f
  SHA256: 7f9d03faf6ad4e91d3c5ef135643bbada38cb58e15924ac21867d1f2ff594d7c
  SHA512: fc073e585c57d480d1ae9ccf298d517a61fd1a2f1a739df21321af6ab221cc4807f94875fc061c13c3a38196224afddaf2a0e099b1c9313050d7d2636cdc2e3c