Analysis

max time kernel: 135s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 16/08/2023, 04:41
Static task: static1
Behavioral task: behavioral1
  Sample: a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
  Resource: win10-20230703-en
General

Target: a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
Size: 856KB
MD5: dfc59dca284135282ea4eaa0e655a50f
SHA1: d1d3155245dbf214c87b0d2a0051cfbf68f3f8b3
SHA256: a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341
SHA512: 09c870e20ed7b8a58cd3328cbff17ab1a36daea27a1029b3236f33228cd67b741e3a0b8aa922350560117fd1dbbd1a165bbd1f2555facc5b58688486d5ee19d7
SSDEEP: 12288:JMrKy90EGHXyn/N9P+VJoVFke0nyhtE1AtF/KS5x2VrXcyw220ShBh6FjO7:byjGHClJoJyvE1Q/KS5x2pXRF20SUK7
Malware Config

Extracted
Family: redline
Botnet: dava
C2: 77.91.124.54:19071
auth_value: 3ce5222c1baaa06681dfe0012ce1de23
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE  (6 IoCs)
pid   Process
4676  v1167039.exe
320   v2497928.exe
3112  v7151927.exe
4640  v7167388.exe
164   a0498068.exe
1128  b6582972.exe
Adds Run key to start application  (2 TTPs, 5 IoCs)

description: Set value (str)   Process: a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""

description: Set value (str)   Process: v1167039.exe
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

description: Set value (str)   Process: v2497928.exe
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""

description: Set value (str)   Process: v7151927.exe
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""

description: Set value (str)   Process: v7167388.exe
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""

Note on this signature: the five RunOnce values are the cleanup entries that the wextract.exe (IExpress) self-extractor stub writes for its own extraction directory. Each one runs advpack.dll's DelNodeRunDLL32 at the next logon to delete the matching IXP00n.TMP folder; none of them launches the sample or a dropped file, so this is not persistence for the stealer. One entry per layer means the sample is a self-extractor nested five deep (IXP000.TMP through IXP004.TMP). The key sits under WOW6432Node because the 32-bit stub is redirected on the x64 host.
Suspicious use of WriteProcessMemory  (18 IoCs)

pid   Process                                                                   wrote to memory of   procid_target
4588  a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe     4676                 70
4676  v1167039.exe                                                              320                  71
320   v2497928.exe                                                              3112                 72
3112  v7151927.exe                                                              4640                 73
4640  v7167388.exe                                                              164                  74
4640  v7167388.exe                                                              1128                 75

Each row is recorded three times in the report (18 IoCs in total). Every target PID is the child that the writing process spawns next in the process tree, so these writes are the parent setting up its newly created child rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe"
  PID: 4588
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1167039.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1167039.exe
    PID: 4676
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2497928.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2497928.exe
      PID: 320
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7151927.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7151927.exe
        PID: 3112
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7167388.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7167388.exe
          PID: 4640
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0498068.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0498068.exe
            PID: 164
            - Executes dropped EXE

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6582972.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6582972.exe
            PID: 1128
            - Executes dropped EXE

The chain is linear: each stage is a wextract self-extractor that unpacks into a fresh IXP00n.TMP directory under the user's Temp folder and starts the next stage from there. The innermost layer (v7167388.exe, IXP004.TMP) starts two payloads, a0498068.exe and b6582972.exe, which are the first processes in the tree that do not themselves write a wextract_cleanup value.
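The Signatures and Processes sections above can be turned into a small triage script. The following Python is an added example, not code from the Triage report or from any RedLine tooling: it rebuilds parent/child lineage from process-creation records, counts how many IXPnnn.TMP extraction layers each leaf process sits beneath, tells wextract's RunOnce cleanup values apart from genuine Run-key persistence, and matches outbound connections against the extracted C2. The event records are constructed from the report's values; the root's parent PID 1234, the "Updater" Run value, the network event from PID 1128 and the depth threshold of 3 are assumptions, because the report does not show the sample's parent, contains no real persistence entry, and has an empty Network section.

```python
"""Reconstruct the IExpress unpacking chain and classify IoCs from Triage-style events.

Added example (not part of the Triage report). Events below are constructed from
the report's process tree and registry IoCs; see the comments for which values
are assumptions.
"""
import re

SAMPLE = "a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
REDLINE_C2 = ("77.91.124.54", 19071)  # from the extracted config in the report

IXP_DIR = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)  # wextract extraction dir
RUNONCE_CLEANUP = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)  # deletes the temp dir at logon
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

EVENTS = [
    # ppid 1234 for the root is an assumption; the report does not show the sample's parent.
    {"type": "process", "pid": 4588, "ppid": 1234, "image": TEMP + "\\" + SAMPLE},
    {"type": "process", "pid": 4676, "ppid": 4588, "image": TEMP + r"\IXP000.TMP\v1167039.exe"},
    {"type": "process", "pid": 320,  "ppid": 4676, "image": TEMP + r"\IXP001.TMP\v2497928.exe"},
    {"type": "process", "pid": 3112, "ppid": 320,  "image": TEMP + r"\IXP002.TMP\v7151927.exe"},
    {"type": "process", "pid": 4640, "ppid": 3112, "image": TEMP + r"\IXP003.TMP\v7167388.exe"},
    {"type": "process", "pid": 164,  "ppid": 4640, "image": TEMP + r"\IXP004.TMP\a0498068.exe"},
    {"type": "process", "pid": 1128, "ppid": 4640, "image": TEMP + r"\IXP004.TMP\b6582972.exe"},
    # wextract's own cleanup entry for IXP000.TMP, as recorded in the report.
    {"type": "registry", "pid": 4588,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TEMP + r'\IXP000.TMP\"'},
    # Constructed: a genuine Run-key persistence entry, to show the two are told apart.
    {"type": "registry", "pid": 9999,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
    # Constructed: the report's Network section is empty, so the connecting PID is an assumption.
    {"type": "network", "pid": 1128, "dst": "77.91.124.54", "dport": 19071},
]


def build_tree(events):
    """Return (pid -> ppid, pid -> image path) from process-creation events."""
    parent, image = {}, {}
    for e in events:
        if e["type"] == "process":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]
    return parent, image


def lineage(pid, parent):
    """[pid, parent, grandparent, ...], stopping at an unknown pid or a cycle."""
    chain, seen = [pid], {pid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain


def ixp_depth(pid, parent, image):
    """Number of distinct IXPnnn.TMP directories in the ancestry: one per SFX layer."""
    dirs = set()
    for p in lineage(pid, parent):
        m = IXP_DIR.search(image.get(p, ""))
        if m:
            dirs.add(m.group(1).upper())
    return len(dirs)


def classify_registry(e):
    """Separate wextract's self-cleanup RunOnce value from real Run-key persistence."""
    if RUNONCE_CLEANUP.search(e["key"]) and DELNODE.search(e["data"]):
        return "iexpress_cleanup"  # deletes the temp dir at next logon; does not run the payload
    if RUN_KEY.search(e["key"]):
        return "run_key_persistence"
    return "other"


def analyze(events, c2=REDLINE_C2, depth_threshold=3):
    """Findings as (kind, pid, detail). depth_threshold is an assumed tuning value."""
    parent, image = build_tree(events)
    findings = []
    leaves = set(parent) - set(parent.values())  # processes that spawned nothing
    for pid in sorted(leaves):
        depth = ixp_depth(pid, parent, image)
        if depth >= depth_threshold:
            findings.append(("nested_sfx", pid, depth))
    for e in events:
        if e["type"] == "registry":
            findings.append((classify_registry(e), e["pid"], e["key"].rsplit("\\", 1)[-1]))
        elif e["type"] == "network" and (e["dst"], e["dport"]) == c2:
            findings.append(("redline_c2", e["pid"], f"{e['dst']}:{e['dport']}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:22} pid={pid:<5} {detail}")
```

The depth count is what distinguishes this sample from an ordinary IExpress installer: a single layer is common for legitimate packages, while five nested extraction directories ending in a process that contacts the configured C2 is the pattern worth alerting on. The cleanup classification keeps the "Adds Run key" signature from being read as persistence.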
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 723KB
MD5: bab718737504eec7b41a1e99e31c0200
SHA1: b3d5912060b1fac7bbeea1207b384686151d23e9
SHA256: edb5fe6c3f3482afd4caa07967f3b8017d980cbd3e643a40171b14781cd41875
SHA512: 9c12f68412734f326f903aaae07f7725e4c7ff2f169e0a4dbc25cab00a2fda134122ed381f91e86eac2d1f9396ef07c24284c6e68c687d495bcaf89c34c2d099

Filesize: 599KB
MD5: 20b10be840f01feb4df777538d10afff
SHA1: 0cf00a570d66c04f2730b7e2bfd0fce2e889c3d9
SHA256: db17a0f76139141bae48dc53cab01ee8d7c71fbbdb688b069b455f4ea71f465f
SHA512: a464d48cd1ff17effc8f8103636c3b296066e51490cd1943c319fd52c5a254e8c0432649d4ea50e87c89ee127a4a0bbe2b30ea5727a983d21158284416f7c2ad

Filesize: 373KB
MD5: cc2bfc132cf71abce9ed4c497b8f3eed
SHA1: 6afed79dd9d6c162c2299c5eedde450fc3a76385
SHA256: e6cefd02ebbf10064dd81f11eebf29dabc8ce27506582273bd2881c24b904918
SHA512: c7b2bbabe0a19bfb078b3bcca69126552deb34793ad43e13603c8f9292a7f5b3cdbe961863710dbb273253cea1d49d8b1fd01c5b3e1354e2c31cbe8cb0b46063

Filesize: 271KB
MD5: ab80cb2152f4ea7a8cae6c30db00437e
SHA1: f8668d508dc9d2c63e9678814786ea1bf48acbfd
SHA256: c959c1d6bb4241572d2b8c8c687afe05f914a4ae3adbf26566f11e2870f2a4c8
SHA512: 9cdc6abd486df8e75b8bdd306d6bc93fa23218000df883568ee34308fcf5dbb9e1cc8e70570ce2eb70cde028690ff3bf4abe4f0f568c97f91f9a4b5a3de69aad

Filesize: 140KB
MD5: 46f215514d38705332b16b516228162d
SHA1: bbd96986d09536c7c40a28db347fc736fb56fb6a
SHA256: 1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5
SHA512: b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Filesize: 174KB
MD5: d6697deb3ae5b7fb32f56cbe43452459
SHA1: 8e580e96222a22c2b5016be25a034f6e011c5e78
SHA256: fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53
SHA512: 020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1
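Before relying on the General section or the Downloads digests above, confirm that the file on disk is the one the report describes. The following Python is an added example, not code from the Triage report: it hashes a file in a single pass with all four algorithms the report lists and returns every digest that disagrees, so a copy that was re-packed, truncated or mislabelled is caught before its IoCs are reused. REPORT_DIGESTS holds the sample's values from the General section; a dropped file is checked the same way by passing its Downloads digests.

```python
"""Verify a local file against the MD5/SHA1/SHA256/SHA512 digests in a sandbox report.

Added example, not part of the Triage report. REPORT_DIGESTS are the sample's
values from the report's General section.
"""
import hashlib
import io

REPORT_DIGESTS = {
    "md5": "dfc59dca284135282ea4eaa0e655a50f",
    "sha1": "d1d3155245dbf214c87b0d2a0051cfbf68f3f8b3",
    "sha256": "a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341",
    "sha512": "09c870e20ed7b8a58cd3328cbff17ab1a36daea27a1029b3236f33228cd67b741e3a0b8aa922350560117fd1dbbd1a165bbd1f2555facc5b58688486d5ee19d7",
}


def digest_stream(stream, chunk_size=1 << 20):
    """Read the stream once and return {algorithm: hex digest} for all four algorithms."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256(), "sha512": hashlib.sha512()}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, chunk_size=1 << 20):
    """Same as digest_stream, for an in-memory buffer."""
    return digest_stream(io.BytesIO(data), chunk_size)


def digest_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return digest_stream(f, chunk_size)


def mismatches(actual, expected):
    """Return {algorithm: (expected, actual)} for each expected digest that disagrees.

    Hex case and surrounding whitespace are ignored; algorithms the report does
    not list are not checked, so a report with only an MD5 still verifies.
    """
    return {algo: (want, actual[algo])
            for algo, want in expected.items()
            if algo in actual and actual[algo] != want.strip().lower()}


def verify_file(path, expected=REPORT_DIGESTS):
    """Empty dict means every digest the report lists matches the file on disk."""
    return mismatches(digest_file(path), expected)


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1])
    if not bad:
        print("all report digests match")
    for algo, (want, got) in bad.items():
        print(f"{algo}: report {want} != file {got}")
```

Reading the file once and feeding every hasher from the same chunk matters for large dumps; a partial mismatch (one algorithm disagreeing while the others match) points at a transcription error in the report rather than at a different file, which is why the function returns the per-algorithm pairs instead of a single boolean.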