Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2023, 01:20
Static task: static1

Behavioral task: behavioral1
- Sample: 26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
- Resource: win7-20230703-en

Behavioral task: behavioral2
- Sample: 26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
- Resource: win10v2004-20230703-en
General
- Target: 26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
- Size: 1.3MB
- MD5: 5461b2ea5f397c9dffba0bf58e4b4a77
- SHA1: 4aa5824c71de814f76a2c18f0ebccc0d47d1269f
- SHA256: 26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae
- SHA512: d7d79de2545ef38d463b3c3d75f1bf7267727f5fcf35fa183cf2fe2b529b58a96ca5e436f08fb3684c3651b6fd690215578eece22f693d323b69f6811dc45c36
- SSDEEP: 24576:bE47kOUEfJvETlpqftmHioiS+yvk3RZAdBbVTb34k30/8dRi9:bEq5PfJvExMftmHzO0khZApykji9
Malware Config
Extracted
- Family: redline
- Botnet: kira
- C2: 77.91.68.48:19071
- auth_value: 1677a40fd8997eb89377e1681911e9c6
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1184  x7197568.exe
  4612  f7319018.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc   Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   x7197568.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   x7197568.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process   procid_target
  PID 4404 wrote to memory of 1184   4404  26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe   86
  PID 4404 wrote to memory of 1184   4404  26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe   86
  PID 4404 wrote to memory of 1184   4404  26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe   86
  PID 1184 wrote to memory of 4612   1184  x7197568.exe   87
  PID 1184 wrote to memory of 4612   1184  x7197568.exe   87
  PID 1184 wrote to memory of 4612   1184  x7197568.exe   87
Processes
1. C:\Users\Admin\AppData\Local\Temp\26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe"
   PID: 4404
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe (child of PID 4404)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe
      PID: 1184
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe (child of PID 1184)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe
         PID: 4612
         - Executes dropped EXE
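The two RunOnce values recorded above are the cleanup entries the Windows self-extractor (wextract) writes so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP*.TMP working directory at next logon; they schedule deletion, not payload start-up, so the "Adds Run key" label overstates the persistence. What the rows and the process tree do show is a packer-in-packer chain: the sample unpacks x7197568.exe into IXP000.TMP, which unpacks f7319018.exe into IXP001.TMP, and the innermost file is the one whose RedLine config was extracted. The script below is an added example, not part of the Triage report; its event tuples are constructed from the IoCs listed above and their (process, key, data) and (pid, ppid, image) layouts are an assumed normalisation, not Triage's export format. It correlates the registry writes with the process tree to compute the nesting depth of each cleanup entry and to single out the innermost dropped executable.

```python
"""Correlate RunOnce cleanup values with the process tree to expose a nested
self-extractor (wextract) drop chain.  Added example built from the IoCs in
this report; the event layouts are assumed normalisations, not Triage's
export format."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the "Adds Run key to start application" rows above:
# (writing process image, registry value path, string data).
REGISTRY_EVENTS: List[Tuple[str, str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
]

# Constructed from the process tree above: (pid, parent pid, image path).
PROCESS_EVENTS: List[Tuple[int, Optional[int], str]] = [
    (4404, None, r"C:\Users\Admin\AppData\Local\Temp\26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe"),
    (1184, 4404, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe"),
    (4612, 1184, r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe"),
]

# RunOnce data the self-extractor writes to delete its temp directory on next
# logon: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" (quotes optional).
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,\s*DelNodeRunDLL32\s+"?(?P<dir>.+?)\\?"?\s*$',
    re.IGNORECASE,
)
# Working-directory naming used by the self-extractor: IXP000.TMP, IXP001.TMP, ...
IXP_DIR_RE = re.compile(r"\\(IXP\d{3}\.TMP)(?:\\|$)", re.IGNORECASE)


def cleanup_target(value_data: str) -> Optional[str]:
    """Directory a RunOnce value schedules for deletion, or None if the data is
    not the advpack DelNodeRunDLL32 cleanup pattern."""
    m = CLEANUP_RE.match(value_data)
    return m.group("dir") if m else None


def ixp_dir(path: str) -> Optional[str]:
    """The IXP*.TMP component of a path (upper-cased), or None."""
    m = IXP_DIR_RE.search(path)
    return m.group(1).upper() if m else None


def extractor_depth(pid: int, procs: Dict[int, Tuple[Optional[int], str]]) -> int:
    """Number of processes on the ancestry chain (self included) whose image
    runs out of an IXP*.TMP directory, i.e. how many extractor layers deep
    this process already sits."""
    depth = 0
    while pid in procs:
        ppid, image = procs[pid]
        if ixp_dir(image):
            depth += 1
        if ppid is None:
            break
        pid = ppid
    return depth


def nested_extractor_findings(registry_events, process_events) -> List[Dict[str, object]]:
    """One finding per RunOnce cleanup value.  nesting_depth is the number of
    IXP*.TMP layers between the original file and the directory being scheduled
    for deletion; a depth above 1 is a packer-in-packer chain."""
    procs = {pid: (ppid, image) for pid, ppid, image in process_events}
    pid_by_image = {image: pid for pid, _, image in process_events}
    findings: List[Dict[str, object]] = []
    for image, value_path, data in registry_events:
        key, _, value_name = value_path.rpartition("\\")
        target = cleanup_target(data)
        if target is None or not key.upper().endswith("\\RUNONCE"):
            continue  # some other autorun write, not the self-extractor cleanup
        depth = extractor_depth(pid_by_image.get(image, -1), procs) + 1
        findings.append({
            "process": image.rpartition("\\")[2],
            "value": value_name,
            "cleanup_dir": ixp_dir(target) or target,
            "nesting_depth": depth,
            "nested": depth > 1,
        })
    return findings


def final_payloads(registry_events, process_events) -> List[str]:
    """Images running out of an IXP*.TMP directory that scheduled no cleanup of
    their own: the innermost drop, the thing the outer layers exist to deliver."""
    writers = {image for image, _, data in registry_events if cleanup_target(data)}
    return [image.rpartition("\\")[2] for _, _, image in process_events
            if ixp_dir(image) and image not in writers]


if __name__ == "__main__":
    for finding in nested_extractor_findings(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(finding)
    print("innermost payload(s):", final_payloads(REGISTRY_EVENTS, PROCESS_EVENTS))
```

On this report the outer sample scores depth 1 (it runs from Temp and schedules IXP000.TMP for deletion), x7197568.exe scores depth 2 (it already runs from IXP000.TMP and schedules IXP001.TMP), and f7319018.exe is reported as the innermost payload because it runs from an IXP directory without writing a cleanup entry of its own. Pointing the same logic at Sysmon event ID 13 (registry value set) and event ID 1 (process create) only requires swapping the constructed tuples for parsed events.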
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 756KB
  MD5: 7bd52f7aa7fb6e628532aa133ff46483
  SHA1: 535f08698bc5fe0ed57736f0dec1c49eac2a9560
  SHA256: 23804d67a2f3c169da6516bed1292569cd8a17af0a9b82eeb79135f6bec94416
  SHA512: 40223bcc8060efa0a7bc3e62a25efd8288d14d8d87f6ad1440203e9ad89c5b4dbc426fd2ba8e0e1d6a8738ac0866599d3113f21e842d21505c21e1070f333a88
- Filesize: 692KB
  MD5: db0b619826f21030c82c49d4f1ea1e5d
  SHA1: b971a2c5541531164c6d6dfee7a181a401b84585
  SHA256: 6c022922112f4ab96084f61dd11641dbe24a678dab84ed4524a0adee35012635
  SHA512: 17c25903f9af0b2cdfaa65d039eac8d4806da79e383bc2a405e1e6d25186b1986057ef8aa5ce2a777ca91acedac36ed631ec174e0090f334573a879bc09a5829