Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2023, 07:37
Static task: static1
Behavioral task: behavioral1
  Sample: d6f0b5f1bb6db2ac09d16f88ad40f249.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: d6f0b5f1bb6db2ac09d16f88ad40f249.exe
  Resource: win10v2004-20230703-en
General
Target: d6f0b5f1bb6db2ac09d16f88ad40f249.exe
Size: 768KB
MD5: d6f0b5f1bb6db2ac09d16f88ad40f249
SHA1: 2e6960beb908b90e988588fcfab5cfa44bb07cec
SHA256: eae2ebbd7384f13f7ddae701193b9c408f5b7b831268f0029bf72e137ba2d0d1
SHA512: b1cbe50cb679c4228ca2c8f04a8d8855df1ca37991d3e96812551cd34ac865b745bf84eab5bae1ff637d96605a1ebd3d1fbee1b52bb1600edf88e21cf2c83612
SSDEEP: 12288:vMrKy907an+LseVnTDWZkI1CqPSJiUzRGhkQADBpMjW8Nkyx3Zj6u+yzxFH:ly+a+L7VnGZkmTSAUUJA1wW8bx3h1+yX
Malware Config
Extracted
Family: redline
Botnet: lamp
C2: 77.91.68.56:19071
auth_value: ee1df63bcdbe3de70f52810d94eaff7d
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid   Process
2200  x4335159.exe
2948  x3789792.exe
1476  g1033252.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
These RunOnce values are the cleanup entries written by the Windows self-extractor stub (WExtract, the IExpress package runtime): each layer unpacks into an IXP00n.TMP directory under %TEMP% and schedules that directory for deletion through advpack.dll DelNodeRunDLL32 at the next logon. Three such values, one per dropped extractor, show a three-layer packer chain rather than a persistence mechanism for the payload itself.
Process: d6f0b5f1bb6db2ac09d16f88ad40f249.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: x4335159.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: x3789792.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process                                procid_target
PID 4712 wrote to memory of 2200   4712  d6f0b5f1bb6db2ac09d16f88ad40f249.exe   85
PID 4712 wrote to memory of 2200   4712  d6f0b5f1bb6db2ac09d16f88ad40f249.exe   85
PID 4712 wrote to memory of 2200   4712  d6f0b5f1bb6db2ac09d16f88ad40f249.exe   85
PID 2200 wrote to memory of 2948   2200  x4335159.exe                           86
PID 2200 wrote to memory of 2948   2200  x4335159.exe                           86
PID 2200 wrote to memory of 2948   2200  x4335159.exe                           86
PID 2948 wrote to memory of 1476   2948  x3789792.exe                           87
PID 2948 wrote to memory of 1476   2948  x3789792.exe                           87
PID 2948 wrote to memory of 1476   2948  x3789792.exe                           87
Processes
C:\Users\Admin\AppData\Local\Temp\d6f0b5f1bb6db2ac09d16f88ad40f249.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6f0b5f1bb6db2ac09d16f88ad40f249.exe"
  PID: 4712
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4335159.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4335159.exe
    PID: 2200
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3789792.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3789792.exe
      PID: 2948
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1033252.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1033252.exe
        PID: 1476
        - Executes dropped EXE
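The two behavioral signatures above describe one structure from two angles: the RunOnce wextract_cleanup values count the self-extractor layers, and the WriteProcessMemory rows give the parent-to-child hand-off between them. The following script, added here as an editor's example and not code from tria.ge or from the sample, rebuilds that drop chain from the report's tables, checks that the number of extractor layers agrees with the process chain, and matches the extracted RedLine C2 against flow records. The RunOnce values, PID-to-image map and write events are transcribed from the tables above; the FLOWS list is constructed for illustration, since the report's Network section is empty, and the sandbox's triplicated write events are treated as repeats of a single parent-child edge.

```python
"""Rebuild the WExtract drop chain and match the RedLine C2 from this report.

Editor's example; event data below is transcribed by hand from the report's
tables (RunOnce values, process tree, WriteProcessMemory rows). FLOWS is
constructed and was not captured by the sandbox."""
import re
from collections import defaultdict

SAMPLE = "d6f0b5f1bb6db2ac09d16f88ad40f249.exe"

# RunOnce values from the "Adds Run key" signature: value name -> value data.
RUNONCE_VALUES = {
    "wextract_cleanup0": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    "wextract_cleanup1": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
    "wextract_cleanup2": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
}

# PID -> image name, from the process tree.
IMAGES = {4712: SAMPLE, 2200: "x4335159.exe", 2948: "x3789792.exe", 1476: "g1033252.exe"}

# (writer pid, target pid) from the WriteProcessMemory table. The sandbox logs
# each hand-off three times; the chain builder must not read that as fan-out.
WPM_EVENTS = [(4712, 2200)] * 3 + [(2200, 2948)] * 3 + [(2948, 1476)] * 3

C2_HOST, C2_PORT = "77.91.68.56", 19071  # from the extracted RedLine config

_DELNODE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)
_IXP_DIR = re.compile(r'\\IXP(\d{3})\.TMP\\?$', re.IGNORECASE)


def wextract_layers(values):
    r"""Return the IXP temp directories in layer order.

    WExtract (the IExpress self-extractor stub) unpacks into %TEMP%\IXP00n.TMP
    and registers RunOnce\wextract_cleanupN to delete that directory through
    advpack!DelNodeRunDLL32 at next logon, so one value exists per layer."""
    layers = []
    for name, data in values.items():
        if not name.lower().startswith("wextract_cleanup"):
            continue
        m = _DELNODE.search(data)
        d = _IXP_DIR.search(m.group(1)) if m else None
        if d:
            layers.append((int(d.group(1)), m.group(1)))
    return [path for _, path in sorted(layers)]


def process_chain(events, images, root):
    """Walk writer->target edges from root while each process writes into
    exactly one child. Fan-out stops the walk, so a loader that sprays into
    many processes is not flattened into a fake linear chain."""
    children = defaultdict(set)
    for writer, target in events:
        children[writer].add(target)
    chain, seen = [root], {root}
    while len(children[chain[-1]]) == 1:
        nxt = next(iter(children[chain[-1]]))
        if nxt in seen:  # guard against cyclic or garbage edges
            break
        chain.append(nxt)
        seen.add(nxt)
    return [images.get(pid, f"pid:{pid}") for pid in chain]


def drop_chain_summary(values, events, images, root):
    """Tie the two signatures together: layer n should have spawned process
    n+1, and the last process in the chain is the unpacked payload."""
    layers = wextract_layers(values)
    chain = process_chain(events, images, root)
    return {
        "layers": layers,
        "chain": chain,
        "payload": chain[-1],
        "consistent": len(chain) == len(layers) + 1,
    }


# Constructed flow records ("src -> dst proto"); not from the report.
FLOWS = [
    "10.127.0.13:49712 -> 77.91.68.56:19071 tcp",
    "10.127.0.13:49713 -> 13.107.4.50:80 tcp",
    "10.127.0.13:49714 -> 77.91.68.56:443 tcp",
]
_FLOW = re.compile(r"^\S+ -> (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) ")


def c2_hits(flows, host=C2_HOST, port=C2_PORT):
    """Return (line, exact) for flows to the C2 host; exact is True when the
    port also matches. Hunting on the IP alone catches a rotated port, and the
    flag lets the analyst rank the exact config match first."""
    hits = []
    for line in flows:
        m = _FLOW.match(line)
        if m and m.group("ip") == host:
            hits.append((line, int(m.group("port")) == port))
    return hits


if __name__ == "__main__":
    summary = drop_chain_summary(RUNONCE_VALUES, WPM_EVENTS, IMAGES, 4712)
    for i, (layer, proc) in enumerate(zip(summary["layers"], summary["chain"][1:])):
        print(f"layer {i}: {layer} -> {proc}")
    print("payload:", summary["payload"], "| consistent:", summary["consistent"])
    for line, exact in c2_hits(FLOWS):
        print(("C2 exact  " if exact else "C2 host   ") + line)
```

On a live host the same RunOnce pattern can be hunted with `reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"` (and the non-WOW6432Node key for 64-bit stubs): RunOnce entries are deleted when they execute at logon, so a lingering wextract_cleanupN value means a self-extractor ran since the last logon and its IXP00n.TMP directory may still hold the dropped stages.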
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 612KB
MD5: 5ff20899ef00b9870b48c8bc785d7481
SHA1: b2ae7a2044fa9dcfb036a94a4dd7164e6aae3fc9
SHA256: 5d4a87160e86e781ba6fd3aa3c16668a27ce6c10c00653fa8860593d8a0d0f88
SHA512: 0b641d0e6cfb1c69a30abd4588b76f2a23e796b9453502e3c4a872011ed184189cc7c411aa4f7abce36c150bb7f7ee797c20ee4c611e45e89be0c1f8b01a8cda

Filesize: 511KB
MD5: 499cd4d6667cd498fd211dd6755cc64d
SHA1: fcff8107a0d4facf6de585e884d8505a1e92c55b
SHA256: d793350bc36742bc1ac440038cf42d78154647b4ae8c073bf016f41a882cef49
SHA512: 39f9f127bc8fb15177b06cb556cfc39eacf50116d14de570215c7eb925e1028147d516821081808bdb61d96243a50f75d399aac91876841b68a99b0412d1316b

Filesize: 491KB
MD5: bc2e95923f0891140b494e146ee3a25c
SHA1: e6c50500fa3ac45a34bd863c8743f70042ac0d0a
SHA256: 8cc91b07254aba1b612fcf76bf9ae9497be5443d18e059f98c36a2b7f38573e3
SHA512: b7d134aef99db0c55e07f030440b4d325f5b97bb99fbdbdbb748fb0396aa64a90619d87cc4ec37c48b9aa4a58f39c81b1349caa32af6748ad39c9770892a4883