Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/06/2023, 01:08
Static task: static1
Behavioral task: behavioral1
Sample: 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
Resource: win10-20230220-en
General
Target: 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
Size: 583KB
MD5: 2aa282b29f53377aee548af79998eac9
SHA1: 3c3aae5a2e4b4c7b7c6329f06c06caad8472afca
SHA256: 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3
SHA512: 31d787f6a24c4d948ff29778d7853547dd48cdf25d0761091083c31764f3aa523a3a90155eb89bae78f480abb5b9a41cff9a9ce4b19d2428f77a3efa2e4155a2
SSDEEP: 12288:eMrly90zvJvSmFxgYozGaAqqXsd1n3D+XeNT6rHGVX0DLw59:HyChhozGtqDzTyq6rHWXqsP
Malware Config
Extracted
Family: redline
Botnet: diza
C2: 83.97.73.126:19048
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid  | Process
  4960 | x1505090.exe
  3000 | x3304893.exe
  4168 | f6300551.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x3304893.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x3304893.exe
  Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
  Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x1505090.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x1505090.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       | pid  | Process | procid_target
  PID 1736 wrote to memory of 4960  | 1736 | 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe | 66
  PID 1736 wrote to memory of 4960  | 1736 | 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe | 66
  PID 1736 wrote to memory of 4960  | 1736 | 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe | 66
  PID 4960 wrote to memory of 3000  | 4960 | x1505090.exe | 67
  PID 4960 wrote to memory of 3000  | 4960 | x1505090.exe | 67
  PID 4960 wrote to memory of 3000  | 4960 | x1505090.exe | 67
  PID 3000 wrote to memory of 4168  | 3000 | x3304893.exe | 68
  PID 3000 wrote to memory of 4168  | 3000 | x3304893.exe | 68
  PID 3000 wrote to memory of 4168  | 3000 | x3304893.exe | 68
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe"
  PID: 1736
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1505090.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1505090.exe
    PID: 4960
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3304893.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3304893.exe
      PID: 3000
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6300551.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6300551.exe
        PID: 4168
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 377KB
  MD5: e4400ae8e0a041c840c2292bc9993298
  SHA1: 26b99d9069477e9f1ec95470369df5d25ea274aa
  SHA256: b661c182e090619d3f0665ff499d21673a61566fea24c46ce2c7e1cd15abd535
  SHA512: 44621c586a5b967d8dc0217f220889c56c044e81cdecc48acd9dfb5645d9cf59ce7bc547ddfce8e0f1662b29711679b4a4ae5b82c3bbe23cc326ec4c944f509f
- Filesize: 206KB
  MD5: edc1e6fb18249da37538acbff523bcc6
  SHA1: a097385e8032e5cd633fa2fd9b22f7f5fc3a428d
  SHA256: 8027f4f5758c6326b3764d6f9b3a1fb1ada2bfc2175bb10af3e5ceb90b805bdd
  SHA512: bf35c31c5272d6ac64d73f8827f3b1db173eb7e70bf8776f333bf1ba9c58aa0edef9adc595304c6e4c04cd0a3d3a3e56324ac280c9403d3c8cc949b95602d1df
- Filesize: 172KB
  MD5: 3f1e199853f8aef1ac01232391fd6cef
  SHA1: d93e304496a556bed09a531d5ef18731c4a34db9
  SHA256: 4b1f9fedf783d611fb22b251e0528d81f634f2c3e293a6b6c195a5b8fa7ca895
  SHA512: cf2024dab4442aeeaad02c9b7dc32795d8925295cd6c97124df57a5c3a6e6b49f5a69c7b226151886abe3e42d9fcf97119472da60ab917c0cafab1e21a26f4e1