Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/07/2023, 09:17
Static task: static1
Behavioral task: behavioral1
  Sample: 647feb7cc1e57303bad08c158.exe
  Resource: win7-20230703-en
Behavioral task: behavioral2
  Sample: 647feb7cc1e57303bad08c158.exe
  Resource: win10v2004-20230703-en
General
Target: 647feb7cc1e57303bad08c158.exe
Size: 517KB
MD5: a839b1433c6cf133a9146a84dcf15a88
SHA1: 278fdc62902264e6f5a759a1779c1282c68436d5
SHA256: 647feb7cc1e57303bad08c1584526218fa1564b1c56d6edfe999486bddcc90ac
SHA512: 621961ef07994499787d4c933cbbb0cd9e3b96372923a963a8a3202c720d5eec16d2d0e828227d37c29bec292b3281c0bf60cd256901709ac9e9ec79d87091ca
SSDEEP: 12288:xf7afvbaRdnQgU+ps4QKrnPQE7mMSNYrHB4VUzSh:xf7wvb82gRu4Q6QEGYVYaSh
Malware Config
Extracted
  Family: redline
  Botnet: furod
  C2: 77.91.68.70:19073
  auth_value: d2386245fe11799b28b4521492a5879d
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (2 IoCs)
  pid 928   process x7236569.exe
  pid 2628  process f5956729.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created     ioc \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   process 647feb7cc1e57303bad08c158.exe
  Set value (str) ioc \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   process 647feb7cc1e57303bad08c158.exe
  Key created     ioc \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   process x7236569.exe
  Set value (str) ioc \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   process x7236569.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 372 wrote to memory of 928   process 647feb7cc1e57303bad08c158.exe   procid_target 85
  PID 372 wrote to memory of 928   process 647feb7cc1e57303bad08c158.exe   procid_target 85
  PID 372 wrote to memory of 928   process 647feb7cc1e57303bad08c158.exe   procid_target 85
  PID 928 wrote to memory of 2628  process x7236569.exe   procid_target 86
  PID 928 wrote to memory of 2628  process x7236569.exe   procid_target 86
  PID 928 wrote to memory of 2628  process x7236569.exe   procid_target 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\647feb7cc1e57303bad08c158.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\647feb7cc1e57303bad08c158.exe"
   PID: 372
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7236569.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7236569.exe
      PID: 928
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5956729.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5956729.exe
         PID: 2628
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 330KB
MD5: 04bc97a35c3d7caa1647e9e5179f6cbb
SHA1: 70ede62d1b92c1809c9655f2be4f6bcaead412e3
SHA256: 57fea13a070a4abb8506d2bdc812e41e0fb6d76eb9e0fa11629c18dd9d764668
SHA512: ec1e0b0807adaf3c61c8f923bb899a532188667d9146d710aeb7fc8499bd87501d3745411b7784e0a086db8733c4d4bb0fb2fb171d2265ec57b9592c36c99951

Filesize: 257KB
MD5: a333dd015ad952957027816cf2f790fc
SHA1: abdfbcfb1ff9fed89418366d7c9ad7dc7a133617
SHA256: 0b684f20909a64fb375b0960331f6da0494ac50cdcacc72a8c071c6b62f26762
SHA512: c80c430397374c84215fd1df7c5ed3df384fcdb3f260eecbd1e7df8e3c519953a1a278fc10bda060199b9d3245c85eb24572b3c5ff58601e22c1e1262c115e03