Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/08/2023, 08:04
Static task: static1
Behavioral task: behavioral1
Sample: b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe
Resource: win10v2004-20230703-en
General
Target: b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe
Size: 855KB
MD5: 43e356847a58f0119be8f31cf5806867
SHA1: 859cbb9afad9c8e492ad7131cdd55b76dcf7abb5
SHA256: b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1
SHA512: ade3135a759fc1dcb28fe657e29dcfd76eea5d65a38ff783fdc5c4d6e3791c2761af71e1d0ca1de32e38936a9767aaec64ba7a07cc6bf5f0f203e446639567e4
SSDEEP: 12288:lMrAy90gA9ptSzZvJ/HKYz0Jd8Ov02YG5RSJlO5u9bkIZWoD8RnamCg0AjmNa:5yiVSzZfF4/SHbTZ9D8RaJghyA
Malware Config
Extracted
Family: redline
Botnet: dava
C2: 77.91.124.54:19071
auth_value: 3ce5222c1baaa06681dfe0012ce1de23
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (6 IoCs)

| pid  | Process      |
|------|--------------|
| 2860 | v1298987.exe |
| 2408 | v8705982.exe |
| 2508 | v3488496.exe |
| 4588 | v7760337.exe |
| 4512 | a7203138.exe |
| 3020 | b2095355.exe |
- Adds Run key to start application (2 TTPs, 5 IoCs)

| description     | ioc | Process |
|-----------------|-----|---------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v3488496.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v7760337.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1298987.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v8705982.exe |
- Suspicious use of WriteProcessMemory (18 IoCs)

| description                       | pid  | Process | procid_target |
|-----------------------------------|------|---------|---------------|
| PID 3264 wrote to memory of 2860 | 3264 | b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe | 81 |
| PID 3264 wrote to memory of 2860 | 3264 | b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe | 81 |
| PID 3264 wrote to memory of 2860 | 3264 | b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe | 81 |
| PID 2860 wrote to memory of 2408 | 2860 | v1298987.exe | 82 |
| PID 2860 wrote to memory of 2408 | 2860 | v1298987.exe | 82 |
| PID 2860 wrote to memory of 2408 | 2860 | v1298987.exe | 82 |
| PID 2408 wrote to memory of 2508 | 2408 | v8705982.exe | 83 |
| PID 2408 wrote to memory of 2508 | 2408 | v8705982.exe | 83 |
| PID 2408 wrote to memory of 2508 | 2408 | v8705982.exe | 83 |
| PID 2508 wrote to memory of 4588 | 2508 | v3488496.exe | 84 |
| PID 2508 wrote to memory of 4588 | 2508 | v3488496.exe | 84 |
| PID 2508 wrote to memory of 4588 | 2508 | v3488496.exe | 84 |
| PID 4588 wrote to memory of 4512 | 4588 | v7760337.exe | 85 |
| PID 4588 wrote to memory of 4512 | 4588 | v7760337.exe | 85 |
| PID 4588 wrote to memory of 4512 | 4588 | v7760337.exe | 85 |
| PID 4588 wrote to memory of 3020 | 4588 | v7760337.exe | 86 |
| PID 4588 wrote to memory of 3020 | 4588 | v7760337.exe | 86 |
| PID 4588 wrote to memory of 3020 | 4588 | v7760337.exe | 86 |
Processes
- C:\Users\Admin\AppData\Local\Temp\b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe"
  PID: 3264
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1298987.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1298987.exe
    PID: 2860
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8705982.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8705982.exe
      PID: 2408
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3488496.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3488496.exe
        PID: 2508
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7760337.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7760337.exe
          PID: 4588
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7203138.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7203138.exe
            PID: 4512
            - Executes dropped EXE
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2095355.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2095355.exe
            PID: 3020
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 723KB
  MD5: eab3f16d1b187a73b6ace727ea544ff8
  SHA1: 0f40b7bd4f13652b7d5983b3e290ab082a862f01
  SHA256: aa82484d4e4a94c0fe3e1e95324ce2c5c563986daefd3315aa41bda69304a9d9
  SHA512: 13a6c8f8b3ac5cfc956464b4eaa2168e7c7e9054a439b3fdd0fc2cbaf635e584f41c617378f97c3665ad6261244a0f77654de0e2dcd475606b1167875bbf7b88
- Filesize: 599KB
  MD5: 8eac0c64a185f539032b920c7feb9af1
  SHA1: 0fac2c51f69e12148cea952e7664095bf7d3ce58
  SHA256: 917a6e00d3ce391d7c6e53b559e03186e7d5824345b2eaccb9bdfa896d7ed13e
  SHA512: 805d2509e2ab4dc5ac7b546a9c1715168538c7f0cd522f10eae691851a7b97f35214399f20d75638d1c0fae0155f35117e6cb6e3cd0a84f66eb7e66d5e892e36
- Filesize: 373KB
  MD5: d92c207339934cadc006d81065843927
  SHA1: 4b5e181d6e90f2d59e55fe178c9132f69fbd8f4a
  SHA256: 214b0c3cd4e4fe845505be88c23c90230ba5bfae219f85bb6cec05f41600e5e2
  SHA512: 3230b35920eae64ccd87ae70ba22f2cfc847ea03981191058bed7d041141c9a63f5d80931b076883be8f507c6142b8bba7fabef34cc1d6540baaa02437ba42ab
- Filesize: 271KB
  MD5: ac2607ec66eac709fce5939ef353bb61
  SHA1: f6c7fba15cb1718e866d5042f076eae39f5924de
  SHA256: 55b5ac0a4f7c31c196005ff50ce353b912c749ee1ff51e941a5159d0f6b6378c
  SHA512: 9a5699f552ce1e081b89f819a2ea7177fe6b60c3fd493f0718f6952e454ead826f752daf2d7f0e7a45710d48102e6daf041dfb4ce9dbaf251f1e58ffdc8db233
- Filesize: 140KB
  MD5: 46f215514d38705332b16b516228162d
  SHA1: bbd96986d09536c7c40a28db347fc736fb56fb6a
  SHA256: 1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5
  SHA512: b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad
- Filesize: 174KB
  MD5: d6697deb3ae5b7fb32f56cbe43452459
  SHA1: 8e580e96222a22c2b5016be25a034f6e011c5e78
  SHA256: fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53
  SHA512: 020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1