Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
06/06/2023, 22:12
Static task
static1
Behavioral task
behavioral1
Sample
126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe
Resource
win10-20230220-en
General
-
Target
126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe
-
Size
578KB
-
MD5
0a7e31abb542a4d4a9a2c6533dd4fd97
-
SHA1
1e8918213184f9ba58066a8fd422f06e975e5c68
-
SHA256
126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0
-
SHA512
5da9404585b3b478e162c7a47e4fd75e3665634a9881a0237179b97797cb009cdc45c307920e58785e5ea3f5451a9d6e01370954671257f894afd2c5303da299
-
SSDEEP
12288:aMrdy90P7WK78bz45BHTd1KdKvtjxEEOXUQh:7yG4bz45hdSKvtjxEdr
Malware Config
Extracted
redline
diza
83.97.73.126:19048
-
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
pid Process 3968 x4215179.exe 1420 x6925272.exe 2068 f4532828.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x4215179.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x4215179.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x6925272.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x6925272.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe 2068 f4532828.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2068 f4532828.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1608 wrote to memory of 3968 1608 126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe 66 PID 1608 wrote to memory of 3968 1608 126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe 66 PID 1608 wrote to memory of 3968 1608 126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe 66 PID 3968 wrote to memory of 1420 3968 x4215179.exe 67 PID 3968 wrote to memory of 1420 3968 x4215179.exe 67 PID 3968 wrote to memory of 1420 3968 x4215179.exe 67 PID 1420 wrote to memory of 2068 1420 x6925272.exe 68 PID 1420 wrote to memory of 2068 1420 x6925272.exe 68 PID 1420 wrote to memory of 2068 1420 x6925272.exe 68
Processes
-
C:\Users\Admin\AppData\Local\Temp\126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe"C:\Users\Admin\AppData\Local\Temp\126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4215179.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4215179.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6925272.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6925272.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4532828.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4532828.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
377KB
MD5eaa1f172b8a3810af09b73097f4cbbbb
SHA1b60a9c75cdb14b2c06adf10e452ccb840abd8cdc
SHA2561e840d46762c669e68c73ee846007b32543e8735b136479d4fdc28d18a20d0b4
SHA51247929564be193a7fd22ef4619b6b43da5b11b063b612143e960d52383d69d740f5f620f86ae4d7c88ed7053a853a00396effc223607837e0b1d8cba2d332c3ea
-
Filesize
377KB
MD5eaa1f172b8a3810af09b73097f4cbbbb
SHA1b60a9c75cdb14b2c06adf10e452ccb840abd8cdc
SHA2561e840d46762c669e68c73ee846007b32543e8735b136479d4fdc28d18a20d0b4
SHA51247929564be193a7fd22ef4619b6b43da5b11b063b612143e960d52383d69d740f5f620f86ae4d7c88ed7053a853a00396effc223607837e0b1d8cba2d332c3ea
-
Filesize
206KB
MD50a6991689b2b9703e761297a41e28fac
SHA10f26deb16e8f15f45b28f3c30eea63a9eea96fc1
SHA256f5fcd4c9d36ac16cf3958cd1368c3efd65b2a5b7a126183d28e660b523e3b1ef
SHA512e6315a60495788e55f9b05fc7e23415ced7d7a6eec82ce234c873e177efb83c529b0afb8287be9b17941017ddc6d408f953f2645c05d1ec538507cbcf03d4c44
-
Filesize
206KB
MD50a6991689b2b9703e761297a41e28fac
SHA10f26deb16e8f15f45b28f3c30eea63a9eea96fc1
SHA256f5fcd4c9d36ac16cf3958cd1368c3efd65b2a5b7a126183d28e660b523e3b1ef
SHA512e6315a60495788e55f9b05fc7e23415ced7d7a6eec82ce234c873e177efb83c529b0afb8287be9b17941017ddc6d408f953f2645c05d1ec538507cbcf03d4c44
-
Filesize
173KB
MD5045bbc927eaeb2180a0f1cd8e58ff3ec
SHA1224518aacd4d2ab7a027368cce1208e77b8ae6ab
SHA2568114bf446b10d8df1447ec5bc0d448100c0afc9d40d29b6c5c90256f6e0ed1c4
SHA512744a4d1f33406701795f1bec992c93741ff3cc8d8b6641407e74610e55b77c45a29575797f5c1db222c3010814afed3d33e462f5c617ef15f42fdc6d9cb7585f
-
Filesize
173KB
MD5045bbc927eaeb2180a0f1cd8e58ff3ec
SHA1224518aacd4d2ab7a027368cce1208e77b8ae6ab
SHA2568114bf446b10d8df1447ec5bc0d448100c0afc9d40d29b6c5c90256f6e0ed1c4
SHA512744a4d1f33406701795f1bec992c93741ff3cc8d8b6641407e74610e55b77c45a29575797f5c1db222c3010814afed3d33e462f5c617ef15f42fdc6d9cb7585f