Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2023, 03:51

General

  • Target

    b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe

  • Size

    1.0MB

  • MD5

    d81c9d46b46e296dc3588a5dab2b0b6a

  • SHA1

    90c289b1dd93d84b40b944dc140533997e40c17e

  • SHA256

    b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da

  • SHA512

    e35d3d9e62e3155ffeef411e1be2e64f8e8bb98e4f9406b44935fc78875ab780578888f5ff30cc284a6e565b59708e5a91e5dfe8c23c443ad5492d19f263ea3f

  • SSDEEP

    24576:7y1052CbEaOWloqv/5W71SXFTgnCjVnQIl/61K9uuasVK16u+XB0:u1052QEaOFqpmSFsnChP8K9X/VKr

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
    "C:\Users\Admin\AppData\Local\Temp\b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe
          4⤵
          • Executes dropped EXE
          PID:1432

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe

    Filesize

    751KB

    MD5

    a011a31a374ee03b60fbd5d2d23de0d9

    SHA1

    b3c7703a1df73c9ad4001215ec0be98dd7d0cb29

    SHA256

    efea2ee21fa334d821184055f47feb71beb4d54a173614d8cbc05c886f9532b5

    SHA512

    1d659d9d6be7ed40f6afa8a0d9cc8f2941003962ef9d3f254c3b7f2942ca0d8a1c3c381fbf4e46e425887a0b30815fed42da2660b384a2d651a2c45ee4965fe1

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe

    Filesize

    751KB

    MD5

    a011a31a374ee03b60fbd5d2d23de0d9

    SHA1

    b3c7703a1df73c9ad4001215ec0be98dd7d0cb29

    SHA256

    efea2ee21fa334d821184055f47feb71beb4d54a173614d8cbc05c886f9532b5

    SHA512

    1d659d9d6be7ed40f6afa8a0d9cc8f2941003962ef9d3f254c3b7f2942ca0d8a1c3c381fbf4e46e425887a0b30815fed42da2660b384a2d651a2c45ee4965fe1

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe

    Filesize

    306KB

    MD5

    ea18a923b80bcb79834ed198fe659c14

    SHA1

    307e96eba9ef432a88ee0bc01a9f28d71bc81d92

    SHA256

    f07ba0416ef19a025d30f5a1cfc3f5848df3ad1a614b2dc23d6bd2e14d5b5d2d

    SHA512

    5d7ca1faaf928d29860ff94afdb76a471ec6b77193f135c8546e98896548c2c3120caa585b0c880c5821a667729036482c81fb62aaa9d2998e49db8b848c337f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe

    Filesize

    306KB

    MD5

    ea18a923b80bcb79834ed198fe659c14

    SHA1

    307e96eba9ef432a88ee0bc01a9f28d71bc81d92

    SHA256

    f07ba0416ef19a025d30f5a1cfc3f5848df3ad1a614b2dc23d6bd2e14d5b5d2d

    SHA512

    5d7ca1faaf928d29860ff94afdb76a471ec6b77193f135c8546e98896548c2c3120caa585b0c880c5821a667729036482c81fb62aaa9d2998e49db8b848c337f

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe

    Filesize

    145KB

    MD5

    0d8c942aeb27bb4cd9ecc7703125d3cd

    SHA1

    41c00f1972e9f9350c907ddcc2974da78cb965cc

    SHA256

    b8a0672eaddb2752d790dd3edc91d8a257b0a87901a6ff9243dfa5983475a6cb

    SHA512

    196979adeb8b0dadb08e8a1e00f9673e9e08c773ed254fa69c52d4b56c99e3c073d9aa1c87a2df9f5527b757450606f9c3930083b1c3d88190f8fa3ebf1d176d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe

    Filesize

    145KB

    MD5

    0d8c942aeb27bb4cd9ecc7703125d3cd

    SHA1

    41c00f1972e9f9350c907ddcc2974da78cb965cc

    SHA256

    b8a0672eaddb2752d790dd3edc91d8a257b0a87901a6ff9243dfa5983475a6cb

    SHA512

    196979adeb8b0dadb08e8a1e00f9673e9e08c773ed254fa69c52d4b56c99e3c073d9aa1c87a2df9f5527b757450606f9c3930083b1c3d88190f8fa3ebf1d176d

  • memory/1432-154-0x0000000000810000-0x000000000083A000-memory.dmp

    Filesize

    168KB

  • memory/1432-155-0x0000000005730000-0x0000000005D48000-memory.dmp

    Filesize

    6.1MB

  • memory/1432-156-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

  • memory/1432-157-0x00000000051E0000-0x00000000051F2000-memory.dmp

    Filesize

    72KB

  • memory/1432-158-0x0000000005240000-0x000000000527C000-memory.dmp

    Filesize

    240KB

  • memory/1432-159-0x0000000005290000-0x00000000052A0000-memory.dmp

    Filesize

    64KB

  • memory/1432-160-0x0000000005290000-0x00000000052A0000-memory.dmp

    Filesize

    64KB