Analysis
max time kernel: 126s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230824-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/08/2023, 18:06
Static task: static1
Behavioral task: behavioral1
  Sample: b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
  Resource: win10v2004-20230824-en
General
Target: b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
Size: 831KB
MD5: 650bb84be58ede733ed023e1f86c9f30
SHA1: 0a1e433dde0ac3882392dd49356b1f54dc6d139b
SHA256: b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae
SHA512: 624c48e4cbf2ce1500c5a009554bb45a2eeddce466e7e66609d7891876d14108389794571a43f9314214896aff0d8c00c35d5ceca40ea41c1d45ccdde98c3b67
SSDEEP: 12288:OMrxy90XtDkDoqWfg5omLWx6N+PpPrx4Vn5pP9lrkO1Xzh2oelBJEVFSEcnFjn:nyDWY5WUNit415pPN1Yl3jxnVn
Malware Config
Extracted
Family: redline
Botnet: dugin
C2: 77.91.124.73:19071
Attributes
  auth_value: 7c3e46e091100fd26a6076996d374c28
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
  PID   Process
  2436  z4385040.exe
  4568  z3721239.exe
  4292  z9526513.exe
  952   r6791331.exe
  1368  s0749182.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description      IoC                                                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  z4385040.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  z3721239.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  z9526513.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Description                        PID   Process                                                                   procid_target
  PID 1780 wrote to memory of 2436   1780  b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe  84
  PID 1780 wrote to memory of 2436   1780  b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe  84
  PID 1780 wrote to memory of 2436   1780  b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe  84
  PID 2436 wrote to memory of 4568   2436  z4385040.exe                                                              85
  PID 2436 wrote to memory of 4568   2436  z4385040.exe                                                              85
  PID 2436 wrote to memory of 4568   2436  z4385040.exe                                                              85
  PID 4568 wrote to memory of 4292   4568  z3721239.exe                                                              86
  PID 4568 wrote to memory of 4292   4568  z3721239.exe                                                              86
  PID 4568 wrote to memory of 4292   4568  z3721239.exe                                                              86
  PID 4292 wrote to memory of 952    4292  z9526513.exe                                                              87
  PID 4292 wrote to memory of 952    4292  z9526513.exe                                                              87
  PID 4292 wrote to memory of 952    4292  z9526513.exe                                                              87
  PID 4292 wrote to memory of 1368   4292  z9526513.exe                                                              88
  PID 4292 wrote to memory of 1368   4292  z9526513.exe                                                              88
  PID 4292 wrote to memory of 1368   4292  z9526513.exe                                                              88
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1780

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4385040.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4385040.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2436

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3721239.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3721239.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 4568

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9526513.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9526513.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 4292

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6791331.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6791331.exe
            - Executes dropped EXE
            PID: 952

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0749182.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0749182.exe
            - Executes dropped EXE
            PID: 1368
Downloads

Filesize: 598KB
MD5: a90af1091bbb3c62fd3a0d6a4cf0de22
SHA1: b0d929ab1482db306047cb43a84a16abf988205b
SHA256: 519d160e2d2731c7e2a9a339a114efa0147bb9a29fe516f5ab2cb8e17273827c
SHA512: 5611383e94dcf6acb8c47d3758e69362c7348e15cf877b60bff09e1533a6e85ebb2e09ec68b356f5bed90894297d7a61a494017538be823209fa64720327af8a

Filesize: 372KB
MD5: 25b3c79c4c64ef5594778c5934c66cca
SHA1: 934dd0aff1a87527467bf5c827f124195c558eef
SHA256: e789da652b9ebd714349e98164d18df23153eddcb10bd8f61cd36963a9b61323
SHA512: 16f3edc2b0b651dbd3c9ae3e64d0207ef21ef5677b586f7e29faba1dbc956f6716bdbd12de7cf0c61ccfd6d0b614830e9cdc21d2e1d8f3d09bedba491e2a4a17

Filesize: 271KB
MD5: bcd39d8bdaf1dfa8b69717a3bfc1d8fb
SHA1: f182c0c8342f12f0f9a16ef4b717f90ced267d86
SHA256: 56098882c2d32e64370b6cf8bd5b6abc5ae9abbb565bfedfe07ebf3ec401bf04
SHA512: b64516da316b19d5a44e3d60abc9b6f3de32a112600648a5177f2f8da7aa4c2b15e811999667d032b033cf45c0d776ba583f68aaca7e339cf65841f77d49dd01

Filesize: 140KB
MD5: 77a93a6afb1d7fa81c674cbecbee8531
SHA1: fbd5275cea45278e48c3306c5e069619cdf038b3
SHA256: 0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675
SHA512: dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Filesize: 173KB
MD5: d5f3785f09b0b4ddb516cb1bba85a36d
SHA1: 978b0c33233c9ab63a596cbb282473f1e99b07d4
SHA256: 64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0
SHA512: 40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb