Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2023, 04:26
Static task: static1
Behavioral task: behavioral1
- Sample: da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
- Resource: win10v2004-20230220-en
General
- Target: da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
- Size: 584KB
- MD5: 238c2fa9eecea15c2ab80f21368b7f3f
- SHA1: 749adcb57c3d5b39d2fb63d27760a90207b65545
- SHA256: da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768
- SHA512: e2648ccfc1701470dc320313ba0ab3c45033fa3ff679934872c858e51cba1e0167a47d5b67d389615a48739d1ae5ef662e98c63a14b40ac9e19a33f53cd42cd7
- SSDEEP: 12288:aMray90dNiYf0Mywzr1jLOk7j9z1SMHjz:kyONzSwzNLOsj9Ycjz
Malware Config
Extracted
- Family: redline
- Botnet: diza
- C2: 83.97.73.126:19048
- auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
pid / Process:
- 1804 x3008723.exe
- 3024 x2934050.exe
- 1008 f1548073.exe
Adds Run key to start application 2 TTPs 6 IoCs
description / ioc / Process:
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (by da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (by da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (by x3008723.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (by x3008723.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (by x2934050.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (by x2934050.exe)

Note on this signature: the wextract_cleanupN values are the self-cleanup entries written by the IExpress (wextract.exe) self-extractor, not persistence for the payload. Each one asks rundll32 to call advpack.dll!DelNodeRunDLL32 on the IXPnnn.TMP extraction directory at the next logon, so the extracted files are deleted rather than relaunched. Three such values with three IXP directories mean three nested IExpress layers wrapping the innermost stage; a RunOnce value that pointed at an executable instead of DelNodeRunDLL32 would be the one to treat as real persistence.
Suspicious use of WriteProcessMemory 9 IoCs
description / pid / Process / procid_target (each write is recorded three times in the report):
- PID 1596 wrote to memory of 1804 (da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe, procid_target 84), x3
- PID 1804 wrote to memory of 3024 (x3008723.exe, procid_target 85), x3
- PID 3024 wrote to memory of 1008 (x2934050.exe, procid_target 86), x3

Read together with the process tree below this is a strictly linear chain: each stage writes only into the child it has just spawned, and the innermost stage f1548073.exe writes into no one. A parent writing to a freshly created child's memory during process start-up is a common cause of this signature, so on its own it does not establish injection into an unrelated process.
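The two tables above arrive as flattened one-line rows. The following script is an added example, not tria.ge code: it rebuilds the process lineage from the WriteProcessMemory rows plus the dropped-EXE pid map (collapsing the triplicate rows), and classifies each RunOnce write as IExpress/wextract self-cleanup or as a RunOnce entry that really relaunches something. The regexes are this example's own; the sample rows are constructed from the report, and the fourth RunOnce row (name "updater", image svc.exe, process example.exe) is a hypothetical negative case that does not appear on the page.

```python
"""Triage helpers for the two IoC tables above (added example, not tria.ge code).

Rebuilds the dropper chain from the WriteProcessMemory rows plus the
dropped-EXE pid map, and separates the IExpress/wextract self-cleanup
RunOnce entries (rundll32 advpack.dll,DelNodeRunDLL32 <IXPnnn.TMP>) from
RunOnce entries that actually relaunch something.
"""
import re

# Constructed sample input: the report's rows as the page flattens them.
DROPPED_EXE_ROW = "pid Process 1804 x3008723.exe 3024 x2934050.exe 1008 f1548073.exe"

_WPM_UNIQUE = [
    "PID 1596 wrote to memory of 1804 1596 "
    "da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe 84",
    "PID 1804 wrote to memory of 3024 1804 x3008723.exe 85",
    "PID 3024 wrote to memory of 1008 3024 x2934050.exe 86",
]
# The report repeats every row three times (one per write); keep that shape.
WPM_ROWS = " ".join(row for row in _WPM_UNIQUE for _ in range(3))

RUNONCE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x2934050.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x3008723.exe',
    # Hypothetical negative case, not from the report: a RunOnce value that
    # really relaunches a binary and must not be dismissed as cleanup.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" example.exe',
]

DROPPED_RE = re.compile(r"(\d+) (\S+\.exe)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
RUNONCE_RE = re.compile(r'RunOnce\\(?P<name>[^\\= ]+)\s*=\s*"(?P<value>.*)"\s+(?P<proc>\S+)$')
# wextract's cleanup command: rundll32 <path>advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP>"
CLEANUP_RE = re.compile(
    r"rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+.*?(?P<tmpdir>IXP\d{3}\.TMP)",
    re.IGNORECASE,
)


def build_lineage(wpm_rows, dropped_row):
    """Return [(pid, image, parent_pid), ...], root first, children in pid order."""
    names = {int(pid): image for pid, image in DROPPED_RE.findall(dropped_row)}
    parent = {}
    for writer, target, writer_image in WPM_RE.findall(wpm_rows):
        writer, target = int(writer), int(target)
        names.setdefault(writer, writer_image)  # the top-level dropper is only named here
        parent[target] = writer                 # duplicate rows collapse into one edge
    chain = []

    def walk(pid):
        chain.append((pid, names.get(pid, "?"), parent.get(pid)))
        for child in sorted(c for c, p in parent.items() if p == pid):
            walk(child)

    for root in sorted(pid for pid in names if pid not in parent):
        walk(root)
    return chain


def classify_runonce(rows):
    """Tag each RunOnce write as wextract self-cleanup (packaging artifact) or not."""
    result = []
    for row in rows:
        m = RUNONCE_RE.search(row)
        if not m:
            continue
        cleanup = CLEANUP_RE.search(m["value"])
        result.append({
            "name": m["name"],
            "proc": m["proc"],
            "tmpdir": cleanup["tmpdir"] if cleanup else None,
            "wextract_cleanup": bool(cleanup) and m["name"].startswith("wextract_cleanup"),
        })
    return result


if __name__ == "__main__":
    for pid, image, ppid in build_lineage(WPM_ROWS, DROPPED_EXE_ROW):
        print(f"{pid:>5} {image}  (parent {ppid})")
    for entry in classify_runonce(RUNONCE_ROWS):
        verdict = "wextract cleanup" if entry["wextract_cleanup"] else "REVIEW: real RunOnce"
        print(f"{entry['name']:<20} {entry['tmpdir'] or '-':<12} {verdict}")
```

Running it prints the four-stage chain 1596 -> 1804 -> 3024 -> 1008 and marks wextract_cleanup0/1/2 as cleanup of IXP000/001/002.TMP, while the constructed "updater" entry is flagged for review. The cleanup test deliberately requires both the wextract_cleanupN name and the DelNodeRunDLL32 command, so a value that merely borrows the name would still be flagged.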
Processes
- C:\Users\Admin\AppData\Local\Temp\da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe"
  PID: 1596
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3008723.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3008723.exe
    PID: 1804
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2934050.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2934050.exe
      PID: 3024
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1548073.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1548073.exe
        PID: 1008
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Three dropped files; the report lists each one twice (once per extraction path), so only one entry per file is kept here.
- Filesize: 378KB
  MD5: 69e4577bbfa3a25a183c9c1d52eed01e
  SHA1: 1a23a17cac50652a99b45462e6bc9bd074458624
  SHA256: 471aee376adbb6a5127e268b861a92a7fffcb7d63026a47c48929d956702a118
  SHA512: bcbc5133c26f6cfa9c5e6432c62af2ea780752febd01f8a382273f662d18d27176e20ca021ea97bcefe6a3bde2e8c790bf3504e4577fe3da9b0b63c0932e8b82
- Filesize: 206KB
  MD5: 511f687b7dc352d51f052cf2836812bb
  SHA1: 09eb1079f09ddd64b2bf08248dab9692868e8dd9
  SHA256: 137208e1a74d3db8fb4731ba9dfb6aeea06b82cc1b4271c9f9180e610ffe2156
  SHA512: c5d9ab51191022b4974c0d0d345687e1c86180829dc89573d09e864bfa8d8e5389810f6826e57692880128230575aff31223634870518275465a5a812b1f8417
- Filesize: 172KB
  MD5: de631bd7869c9ccdb044f51394f6b5b7
  SHA1: fc3abe8281c40733c6a095ade3d1643abbf2567d
  SHA256: 174fc039cff0ca212b614b8c0d37d68e7de0c98d9bcada377bb35f37c5525232
  SHA512: 9ab1f1837ab13bba7b8044230efca8379eb9617947eafc17012c004ed3bfb9b1f0a6acb2a311da15bbecda074bc4a68de91ee7fc757664a67d062ea4af251b48