Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21/09/2023, 06:06

General

  • Target

    6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe

  • Size

    785KB

  • MD5

    25dd2010403833bdf9a0ce82ebaef893

  • SHA1

    b7735b5cf88af8fed9811bdd4d3dc628faecf263

  • SHA256

    6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2

  • SHA512

    fd4cc9ba6104ff0bf465eec20e76ca7c28bd0aaeacf7db97d3e02d855b641e2e592189f503daa8f937273b75f16cc6cf06c93fd626525e5799be0e2eeb9c73f6

  • SSDEEP

    24576:2ygAYfZxMCZUx9L/OY/i8QVkwOf5uT8c:FgA2ZxMPjR/i84SE8

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
    "C:\Users\Admin\AppData\Local\Temp\6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe
          4⤵
          • Executes dropped EXE
          PID:1580

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe

    Filesize

    683KB

    MD5

    06690eaf90a911194a23295d95d095de

    SHA1

    5e68e728f1c5f06fdc284d78e88f913398f99c33

    SHA256

    f77a983ce9afcff6d89d96c489d4e3b1000ba981e2b8956e2bf25446bdaec71b

    SHA512

    ae7bd407556283357332b139f2af6a453b5368caf5eb17f2b1ba3554f0f0a850434d43281503f2c5f990de44cd0b0e23ef5d12d5e909640186a31cdb7db162ec

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe

    Filesize

    292KB

    MD5

    42c03c7551187693b05cfe87d8b4e006

    SHA1

    5655ce056ae2b28a0e2ee46556c315ca6658f8b1

    SHA256

    374ef19811b4688b7720b3b6929834a2290c74c8680aa302057f76688ac3628a

    SHA512

    b75deac420cc0474db12d26b360d5ae040887afd197fcbe72776d96f2a5a70ec1df5aaca1a0b7da80a7a36cb523f100090fba360222b7f8b3f167b969d95d886

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe

    Filesize

    174KB

    MD5

    9b8ec2d5e50778b2304b0a00aecf9b88

    SHA1

    e7a619d7f841468490b5440445de4a747587982f

    SHA256

    c181edf3a92aac4c2fc0c4340cf8da8dff97101607028147dab72947951a9a22

    SHA512

    3c5affb557bfb9ca8eeba7d22a641ad5e4047bc7da587d8edbc7cd5f5e8df047f327a0ce19adb212bda981dd1bec80124e0b285e3af3dad498d6a7727e6ddbb7

  • memory/1580-21-0x0000000000610000-0x0000000000640000-memory.dmp

    Filesize

    192KB

  • memory/1580-22-0x0000000073AA0000-0x000000007418E000-memory.dmp

    Filesize

    6.9MB

  • memory/1580-23-0x0000000004DD0000-0x0000000004DD6000-memory.dmp

    Filesize

    24KB

  • memory/1580-24-0x000000000A920000-0x000000000AF26000-memory.dmp

    Filesize

    6.0MB

  • memory/1580-25-0x000000000A420000-0x000000000A52A000-memory.dmp

    Filesize

    1.0MB

  • memory/1580-26-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

  • memory/1580-27-0x000000000A3B0000-0x000000000A3EE000-memory.dmp

    Filesize

    248KB

  • memory/1580-28-0x000000000A530000-0x000000000A57B000-memory.dmp

    Filesize

    300KB

  • memory/1580-29-0x0000000073AA0000-0x000000007418E000-memory.dmp

    Filesize

    6.9MB