Analysis
max time kernel: 136s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2023, 00:02
Static task: static1
Behavioral task: behavioral1
Sample: e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
Resource: win10v2004-20230703-en
General
Target: e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
Size: 854KB
MD5: 6ffea49edea043c637932164084e37e4
SHA1: 677a2490612180148eb42899d1fc0e085c560e26
SHA256: e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3
SHA512: b700446a8d8cff8af7987e0cca5ea6ceda41fd775cee1b8ef79976d11dabab4d245134efef3cb484a6b2917a7e448a40aad5b6d2cdd6798e4fd011ec4a0bf7b7
SSDEEP: 12288:sMrRy90Vs0gAekBAl1XQx3xDHVYAOk+aVBlc7aQ5oYGT51dT6ztOtxrQGPI:lynLkw6x5VYBKc7a4Y5196gx9w
Malware Config
Extracted
Family: redline
Botnet: dava
C2: 77.91.124.54:19071
auth_value: 3ce5222c1baaa06681dfe0012ce1de23
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
pid   Process
4756  v6972760.exe
1664  v8664317.exe
1904  v6297385.exe
2816  v5775710.exe
3796  a4489135.exe
2624  b2995690.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: v6972760.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: v8664317.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Process: v6297385.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
  Process: v5775710.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                         pid   Process                                                                   procid_target
PID 3940 wrote to memory of 4756    3940  e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe  82
PID 3940 wrote to memory of 4756    3940  e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe  82
PID 3940 wrote to memory of 4756    3940  e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe  82
PID 4756 wrote to memory of 1664    4756  v6972760.exe                                                              83
PID 4756 wrote to memory of 1664    4756  v6972760.exe                                                              83
PID 4756 wrote to memory of 1664    4756  v6972760.exe                                                              83
PID 1664 wrote to memory of 1904    1664  v8664317.exe                                                              84
PID 1664 wrote to memory of 1904    1664  v8664317.exe                                                              84
PID 1664 wrote to memory of 1904    1664  v8664317.exe                                                              84
PID 1904 wrote to memory of 2816    1904  v6297385.exe                                                              85
PID 1904 wrote to memory of 2816    1904  v6297385.exe                                                              85
PID 1904 wrote to memory of 2816    1904  v6297385.exe                                                              85
PID 2816 wrote to memory of 3796    2816  v5775710.exe                                                              86
PID 2816 wrote to memory of 3796    2816  v5775710.exe                                                              86
PID 2816 wrote to memory of 3796    2816  v5775710.exe                                                              86
PID 2816 wrote to memory of 2624    2816  v5775710.exe                                                              87
PID 2816 wrote to memory of 2624    2816  v5775710.exe                                                              87
PID 2816 wrote to memory of 2624    2816  v5775710.exe                                                              87
Processes

1. C:\Users\Admin\AppData\Local\Temp\e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe"
   PID: 3940
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6972760.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6972760.exe
      PID: 4756
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8664317.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8664317.exe
         PID: 1664
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6297385.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6297385.exe
            PID: 1904
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5775710.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5775710.exe
               PID: 2816
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4489135.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4489135.exe
                  PID: 3796
                  - Executes dropped EXE

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2995690.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2995690.exe
                  PID: 2624
                  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads