Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2023, 03:51
Static task: static1
Behavioral task: behavioral1
Sample: b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Resource: win10v2004-20230220-en
General
Target: b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Size: 1.0MB
MD5: d81c9d46b46e296dc3588a5dab2b0b6a
SHA1: 90c289b1dd93d84b40b944dc140533997e40c17e
SHA256: b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da
SHA512: e35d3d9e62e3155ffeef411e1be2e64f8e8bb98e4f9406b44935fc78875ab780578888f5ff30cc284a6e565b59708e5a91e5dfe8c23c443ad5492d19f263ea3f
SSDEEP: 24576:7y1052CbEaOWloqv/5W71SXFTgnCjVnQIl/61K9uuasVK16u+XB0:u1052QEaOFqpmSFsnChP8K9X/VKr
Malware Config
Extracted
redline
diza
185.161.248.37:4138
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid    Process
372    x8120205.exe
3324   x8876127.exe
1432   f3392090.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
description      ioc                                                                                                                                                                                                                          Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                            b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                            x8120205.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   x8120205.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                                            x8876127.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   x8876127.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid    Process                                                                    procid_target
PID 2128 wrote to memory of 372    2128   b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe      84
PID 2128 wrote to memory of 372    2128   b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe      84
PID 2128 wrote to memory of 372    2128   b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe      84
PID 372 wrote to memory of 3324    372    x8120205.exe                                                               85
PID 372 wrote to memory of 3324    372    x8120205.exe                                                               85
PID 372 wrote to memory of 3324    372    x8120205.exe                                                               85
PID 3324 wrote to memory of 1432   3324   x8876127.exe                                                               86
PID 3324 wrote to memory of 1432   3324   x8876127.exe                                                               86
PID 3324 wrote to memory of 1432   3324   x8876127.exe                                                               86
Processes
C:\Users\Admin\AppData\Local\Temp\b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2128
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 372
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 3324
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe
              - Executes dropped EXE
              PID: 1432
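The three signatures above describe one chain: each stage unpacks the next into a fresh IXP00N.TMP directory, spawns it, and writes a RunOnce value named wextract_cleanupN that runs advpack.dll,DelNodeRunDLL32 against that directory. That value is what the Windows self-extractor (wextract.exe, the IExpress package stub) writes so its temp directory is deleted at next logon; it is the extractor's cleanup, not persistence for the final payload, so the "Adds Run key" hits are better read as evidence of a three-deep nested SFX than as an autostart entry. The script below is an added example, not tria.ge code: it re-parses the report's own rows (copied inline as constructed input) into the indicators a detection engineer would pivot on. The config key names ("family", "label", "c2", "auth_value") are my own; the report only shows the four values, and "diza" is taken to be the label line of the extracted config.

```python
"""Re-parse this report's signature rows into pivotable indicators.

Added example, not tria.ge code. The inputs below are the report's own rows
(RunOnce "Set value" entries, WriteProcessMemory parent/child pairs and the
extracted RedLine config), copied here as constructed inline data so the
script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed input 1: the "Set value (str)" rows from "Adds Run key to start application".
RUNONCE_ROWS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "x8120205.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
     "x8876127.exe"),
]

# Constructed input 2: "Suspicious use of WriteProcessMemory" rows as (parent pid, parent image, child pid).
# The report lists each pair three times (one row per write); reproduced so the parser must deduplicate.
_WPM_UNIQUE = [
    (2128, "b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe", 372),
    (372, "x8120205.exe", 3324),
    (3324, "x8876127.exe", 1432),
]
WPM_ROWS = [row for row in _WPM_UNIQUE for _ in range(3)]

# Constructed input 3: the "Malware Config / Extracted" block. Key names are assumptions, not tria.ge's.
REDLINE_CONFIG = {"family": "redline", "label": "diza",
                  "c2": "185.161.248.37:4138",
                  "auth_value": "0d09b419c8bc967f91c68be4a17e92ee"}

# wextract.exe registers its IXP###.TMP directory for deletion at next logon via
# advpack!DelNodeRunDLL32. Key and value are matched separately.
KEY_RE = re.compile(r"\\RunOnce\\wextract_cleanup(?P<n>\d+)$", re.I)
VALUE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*IXP\d{3}\.TMP)\\?"', re.I)


@dataclass(frozen=True)
class CleanupEntry:
    index: int      # N in wextract_cleanupN
    temp_dir: str   # extraction directory scheduled for deletion
    writer: str     # image name of the process that wrote the value


def parse_wextract_cleanup(rows):
    """Return wextract cleanup entries in stage order; other RunOnce rows are ignored."""
    entries = []
    for key, value, writer in rows:
        k, v = KEY_RE.search(key), VALUE_RE.search(value)
        if k and v:
            entries.append(CleanupEntry(int(k["n"]), v["dir"], writer))
    return sorted(entries, key=lambda e: e.index)


def process_chain(rows, root_pid):
    """Follow parent->child pairs from root_pid while each stage spawns exactly one child."""
    children = {}
    for parent, _image, child in rows:          # the set absorbs the repeated rows
        children.setdefault(parent, set()).add(child)
    chain, pid = [root_pid], root_pid
    while len(children.get(pid, ())) == 1:
        (pid,) = children[pid]
        if pid in chain:                        # guard against cyclic/malformed input
            break
        chain.append(pid)
    return chain


def is_nested_sfx_chain(entries, chain, min_stages=2):
    """True for a nested IExpress drop: cleanup0..N-1 written by consecutive stages,
    and the last process in the chain is the payload that wrote no cleanup entry."""
    indices = [e.index for e in entries]
    return (len(indices) >= min_stages
            and indices == list(range(len(indices)))
            and len(chain) == len(indices) + 1)


def redline_c2(config):
    """Split the config's 'host:port' C2 string and validate the port."""
    host, sep, port = config["c2"].rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed c2: {config['c2']!r}")
    return host, int(port)


def triage(runonce_rows=RUNONCE_ROWS, wpm_rows=WPM_ROWS, config=REDLINE_CONFIG, root_pid=2128):
    entries = parse_wextract_cleanup(runonce_rows)
    chain = process_chain(wpm_rows, root_pid)
    return {
        "nested_sfx": is_nested_sfx_chain(entries, chain),
        "stages": [e.writer for e in entries],
        "temp_dirs": [e.temp_dir for e in entries],
        "payload_pid": chain[-1],
        "c2": redline_c2(config),
        "auth_value": config["auth_value"],
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

Run on the report's rows, triage() identifies PID 1432 (f3392090.exe, the only stage that wrote no wextract_cleanup value) as the payload and returns the C2 as a (host, port) pair ready for a firewall or proxy block; on a host, the same KEY_RE/VALUE_RE pair applied to Sysmon Event ID 13 (registry value set) finds the same chain live.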
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 751KB
MD5: a011a31a374ee03b60fbd5d2d23de0d9
SHA1: b3c7703a1df73c9ad4001215ec0be98dd7d0cb29
SHA256: efea2ee21fa334d821184055f47feb71beb4d54a173614d8cbc05c886f9532b5
SHA512: 1d659d9d6be7ed40f6afa8a0d9cc8f2941003962ef9d3f254c3b7f2942ca0d8a1c3c381fbf4e46e425887a0b30815fed42da2660b384a2d651a2c45ee4965fe1

Filesize: 306KB
MD5: ea18a923b80bcb79834ed198fe659c14
SHA1: 307e96eba9ef432a88ee0bc01a9f28d71bc81d92
SHA256: f07ba0416ef19a025d30f5a1cfc3f5848df3ad1a614b2dc23d6bd2e14d5b5d2d
SHA512: 5d7ca1faaf928d29860ff94afdb76a471ec6b77193f135c8546e98896548c2c3120caa585b0c880c5821a667729036482c81fb62aaa9d2998e49db8b848c337f

Filesize: 145KB
MD5: 0d8c942aeb27bb4cd9ecc7703125d3cd
SHA1: 41c00f1972e9f9350c907ddcc2974da78cb965cc
SHA256: b8a0672eaddb2752d790dd3edc91d8a257b0a87901a6ff9243dfa5983475a6cb
SHA512: 196979adeb8b0dadb08e8a1e00f9673e9e08c773ed254fa69c52d4b56c99e3c073d9aa1c87a2df9f5527b757450606f9c3930083b1c3d88190f8fa3ebf1d176d