Site notice (Windows 7 deprecation): Windows 7 analysis environments will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel: 151s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 04/06/2023, 18:57
Tasks
  Static task: static1
  Behavioral task behavioral1: sample 05661599.exe, resource win7-20230220-en (this report: platform windows7_x64)
  Behavioral task behavioral2: sample 05661599.exe, resource win10v2004-20230220-en
General
  Target: 05661599.exe
  Size: 581KB
  MD5: 20fe8fbf9b55c637bbb62a34df4886f0
  SHA1: 6cd1fdc64a25e290346280164806d4f7fb8783e2
  SHA256: d08d7b4165fce25e8099f696e0d600f2e737498add7d71bbe3a1466015eb542b
  SHA512: 4b8bd6a624112e7723e5c4d451512b18dcfbc59e07923150e9e8a772ce72ffae46f978c91672ce27f604cd1da2aa07c36c3ce17aa2843b94be388a1494177942
  SSDEEP: 12288:kMr2y90Nj5xQa0v7+WLGGnO5H60mydcqJ2MPHn/pD8AL:iyCjIvapGnOtdmydnQ4Hn/SAL
Malware Config
  Extracted family: redline
  Botnet: diza
  C2: 83.97.73.126:19046
  auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
  pid   process
  2040  x7826113.exe
  1484  x5763206.exe
  304   f8807851.exe

Loads dropped DLL (6 IoCs)
  pid   process
  1156  05661599.exe
  2040  x7826113.exe (2 events)
  1484  x5763206.exe (2 events)
  304   f8807851.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Adds Run key to start application (2 TTPs, 6 IoCs)
  description      ioc                                                                                        process
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce          x7826113.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   x7826113.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce          x5763206.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   x5763206.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce          05661599.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   05661599.exe

  All six IoCs are the standard cleanup hook of the IExpress self-extracting stub (wextract.exe): each layer unpacks into %TEMP%\IXPnnn.TMP and registers a wextract_cleanupN RunOnce value that calls advpack.dll,DelNodeRunDLL32 to delete that directory at the next logon. The command removes the extraction directory and does not re-launch anything, so this signature does not indicate persistence for this sample. The three indices (IXP000, IXP001, IXP002) match the three nested SFX layers visible in the process tree below.
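The distinction above (IExpress cleanup versus a real autostart) is easy to get wrong when reading RunOnce IoCs in bulk, so here is an added triage helper that is not part of the report or of Hatching's tooling. It takes the three RunOnce values recorded in this report, plus one constructed entry (the Updater value under a made-up user SID, labelled as such in the code) so a genuine autostart is present for contrast, and classifies each by matching the exact rundll32/advpack.dll,DelNodeRunDLL32 command shape that wextract.exe writes. The number of distinct IXPnnn.TMP directories gives the SFX nesting depth.

```python
import re
from typing import NamedTuple


class RunOnceEntry(NamedTuple):
    key: str       # registry key the value was written under
    name: str      # value name
    value: str     # value data: the command run at the next logon
    process: str   # process that wrote it, as recorded by the sandbox


RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
ADVPACK = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32"

# The three RunOnce values recorded in this report (unescaped), plus one
# constructed entry (hypothetical, not from the report) so that a genuine
# autostart is present for contrast.
RUNONCE_ENTRIES = [
    RunOnceEntry(RUNONCE_KEY, "wextract_cleanup1",
                 ADVPACK + r' "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"', "x7826113.exe"),
    RunOnceEntry(RUNONCE_KEY, "wextract_cleanup2",
                 ADVPACK + r' "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"', "x5763206.exe"),
    RunOnceEntry(RUNONCE_KEY, "wextract_cleanup0",
                 ADVPACK + r' "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"', "05661599.exe"),
    # constructed: a plain Run value that would actually re-launch a binary
    RunOnceEntry(r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run",
                 "Updater", r'"C:\Users\Admin\AppData\Roaming\updater.exe"', "constructed.exe"),
]

# wextract.exe (the IExpress SFX stub) registers exactly this shape: rundll32
# calling advpack.dll!DelNodeRunDLL32 on its own %TEMP%\IXPnnn.TMP directory.
IEXPRESS_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[a-z]:\\windows\\system32\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"(?P<dir>[^"]*\\IXP(?P<idx>\d{3})\.TMP\\?)"\s*$',
    re.IGNORECASE,
)


def classify(entry: RunOnceEntry) -> dict:
    """Label one RunOnce/Run value as SFX cleanup or as a real autostart."""
    m = IEXPRESS_CLEANUP.match(entry.value)
    if m and entry.name.lower().startswith("wextract_cleanup"):
        return {"name": entry.name, "process": entry.process, "kind": "iexpress_cleanup",
                "extract_dir": m["dir"], "stage": int(m["idx"])}
    return {"name": entry.name, "process": entry.process, "kind": "autostart",
            "command": entry.value}


def triage_runonce(entries):
    """Split entries into (cleanup hooks ordered by SFX stage, genuine autostarts)."""
    results = [classify(e) for e in entries]
    cleanup = sorted((r for r in results if r["kind"] == "iexpress_cleanup"),
                     key=lambda r: r["stage"])
    autostart = [r for r in results if r["kind"] == "autostart"]
    return cleanup, autostart


def sfx_nesting_depth(entries) -> int:
    """Number of distinct IXPnnn.TMP directories: each one is an unpacked SFX layer."""
    return len({r["stage"] for r in map(classify, entries) if r["kind"] == "iexpress_cleanup"})


if __name__ == "__main__":
    cleanup, autostart = triage_runonce(RUNONCE_ENTRIES)
    for r in cleanup:
        print(f"SFX cleanup stage {r['stage']} by {r['process']}: deletes {r['extract_dir']}")
    for r in autostart:
        print(f"AUTOSTART {r['name']} by {r['process']}: {r['command']}")
    print("nested SFX layers:", sfx_nesting_depth(RUNONCE_ENTRIES))
```

Matching on the full command shape, not just on the wextract_cleanup name, matters: an attacker could reuse that value name for a real loader, and only the advpack.dll,DelNodeRunDLL32 target directory proves the entry is self-deleting cleanup.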
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   process
  304   f8807851.exe (13 events)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  304   f8807851.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  pid   process        wrote to pid   procid_target   events
  1156  05661599.exe   2040           28              7
  2040  x7826113.exe   1484           29              7
  1484  x5763206.exe   304            30              7

  Every write target is the dropped executable that the writing process itself launches next (see the process tree); no write into a pre-existing process was recorded. The uniform seven events per child are therefore the writes made while creating the child process, not injection into another process.
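The flattened WriteProcessMemory table above is hard to read until it is turned back into a tree, so here is an added parser for it; it is not part of the report or of Hatching's tooling. The input is reconstructed from this page (each of the three relations listed seven times, and the pid-to-image map from the "Executes dropped EXE" table). It rebuilds the single parent-child chain, counts writes per edge, and lists any write target that is not one of the dropped executables, which is the case that would point at injection into an existing process; for this report that set is empty.

```python
import re
from collections import Counter

# Input reconstructed from this report's "Suspicious use of WriteProcessMemory"
# table: every parent->child relation appears seven times on the page.
WPM_TEXT = " ".join(
    ["PID 1156 wrote to memory of 2040 1156 05661599.exe 28"] * 7
    + ["PID 2040 wrote to memory of 1484 2040 x7826113.exe 29"] * 7
    + ["PID 1484 wrote to memory of 304 1484 x5763206.exe 30"] * 7
)
# From the report's "Executes dropped EXE" table: pid followed by image name.
DROPPED_EXE_TEXT = "2040 x7826113.exe 1484 x5763206.exe 304 f8807851.exe"

# Row layout: PID <pid> wrote to memory of <target> <pid> <image> <procid_target>
WPM_ROW = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=pid) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_wpm(text):
    """One (pid, image, target_pid) tuple per row of the flattened table."""
    return [(int(m["pid"]), m["image"], int(m["target"])) for m in WPM_ROW.finditer(text)]


def parse_dropped(text):
    """pid -> image map from the 'Executes dropped EXE' table."""
    toks = text.split()
    return {int(toks[i]): toks[i + 1] for i in range(0, len(toks), 2)}


def edge_counts(rows):
    """How many writes each parent made into each target process."""
    return Counter((pid, target) for pid, _, target in rows)


def injection_candidates(rows, dropped):
    """Write targets that are not dropped executables launched by the sample.

    A write into such a pid would be injection into a pre-existing process;
    here the set is empty because every target is the next stage's own EXE.
    """
    return {target for _, _, target in rows if target not in dropped}


def process_chain(rows, dropped):
    """Walk parent->child edges from the single root: [(pid, image), ...]."""
    image_of = dict(dropped)
    image_of.update({pid: image for pid, image, _ in rows})
    children = {}
    for pid, _, target in rows:
        children.setdefault(pid, set()).add(target)
    targets = {target for _, _, target in rows}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while True:
        chain.append((pid, image_of.get(pid, "?")))
        nxt = children.get(pid, set())
        if not nxt:
            return chain
        if len(nxt) != 1:
            raise ValueError(f"pid {pid} wrote into several processes: {sorted(nxt)}")
        (pid,) = nxt


if __name__ == "__main__":
    rows = parse_wpm(WPM_TEXT)
    dropped = parse_dropped(DROPPED_EXE_TEXT)
    counts = edge_counts(rows)
    chain = process_chain(rows, dropped)
    for (ppid, pimg), (cpid, cimg) in zip(chain, chain[1:]):
        print(f"{ppid} {pimg} -> {cpid} {cimg}  ({counts[(ppid, cpid)]} writes)")
    print("writes into non-dropped processes:", injection_candidates(rows, dropped) or "none")
```

The chain walker deliberately refuses more than one child per parent; a sample that writes into several processes (for example a stager that hollows a system binary as well as launching its next stage) needs a tree rather than a list, and raising early is better than silently printing one branch.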
Processes
  C:\Users\Admin\AppData\Local\Temp\05661599.exe  (level 1, PID 1156)
    command line: "C:\Users\Admin\AppData\Local\Temp\05661599.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7826113.exe  (level 2, PID 2040)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7826113.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5763206.exe  (level 3, PID 1484)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5763206.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8807851.exe  (level 4, PID 304)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8807851.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

  Dropped file 1
    Filesize: 378KB
    MD5: fefe0521422e7bb2c46021c6cd686fb0
    SHA1: a0b4f424451806b18e6d40883e65ce30fbabae66
    SHA256: f10f382f9b0c6f287327b1640bcaf8137c007674597f4745ed2351a6a2591051
    SHA512: d1bf4452bc73df78b5d92538cd8dde8e797e7ae95b86b1b212ecb81ba94b88776482c04c01c1b44884b7dd1f805fdbf969f4a5639b8c5b22448ee4e0311e6964

  Dropped file 2
    Filesize: 206KB
    MD5: bf05f97db7f68fe0ad9c134b268e9dc5
    SHA1: 1a2381783177e6fbffa4a70c013606f34f5f01c4
    SHA256: 7736e753d618d2f99ea0bbfe76abdb43625a403b45446c5158637e5e5b977c96
    SHA512: 61cdab63ab8480b5bb414072322a882b7502317f0b169da7fa7f11b65bdd21bf8bdd5e605f8cfeea942b733515f9cde4e15bd483204477ca279d452176b74926

  Dropped file 3
    Filesize: 172KB
    MD5: bf4a17699360beb0552835066f0ff1bd
    SHA1: 95df664c6ce7307d846709dd21c21d79b23bbc35
    SHA256: adc88ce6d0c161220eb531b92254e661472cffc2680161d0264272c2da797882
    SHA512: 28f9c082faced3b4f3c16f1f3cf57205c3dc53ebb18d336d02b567e00a2357811ab9b875aed6e86883eb53594d49f4513ab0b71f00db147bd9e7b899e23c7b8f