Analysis
- max time kernel: 134s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21/09/2023, 06:06
Static task: static1
Behavioral task: behavioral1
Sample: 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
Resource: win10-20230915-en
General
- Target: 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
- Size: 785KB
- MD5: 25dd2010403833bdf9a0ce82ebaef893
- SHA1: b7735b5cf88af8fed9811bdd4d3dc628faecf263
- SHA256: 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2
- SHA512: fd4cc9ba6104ff0bf465eec20e76ca7c28bd0aaeacf7db97d3e02d855b641e2e592189f503daa8f937273b75f16cc6cf06c93fd626525e5799be0e2eeb9c73f6
- SSDEEP: 24576:2ygAYfZxMCZUx9L/OY/i8QVkwOf5uT8c:FgA2ZxMPjR/i84SE8
Malware Config
Extracted
- redline
- buben
- 77.91.124.82:19071
- auth_value: c62fa04aa45f5b78f62d2c21fcbefdec
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid  | Process
3964 | x3628451.exe
1672 | x1324198.exe
1580 | h4701601.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x3628451.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: x1324198.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       | pid  | Process                                                                | procid_target
PID 2300 wrote to memory of 3964  | 2300 | 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe | 70
PID 2300 wrote to memory of 3964  | 2300 | 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe | 70
PID 2300 wrote to memory of 3964  | 2300 | 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe | 70
PID 3964 wrote to memory of 1672  | 3964 | x3628451.exe                                                           | 71
PID 3964 wrote to memory of 1672  | 3964 | x3628451.exe                                                           | 71
PID 3964 wrote to memory of 1672  | 3964 | x3628451.exe                                                           | 71
PID 1672 wrote to memory of 1580  | 1672 | x1324198.exe                                                           | 72
PID 1672 wrote to memory of 1580  | 1672 | x1324198.exe                                                           | 72
PID 1672 wrote to memory of 1580  | 1672 | x1324198.exe                                                           | 72
Processes
- C:\Users\Admin\AppData\Local\Temp\6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe"
  PID: 2300
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe
    PID: 3964
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe
      PID: 1672
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe
        PID: 1580
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 683KB
  MD5: 06690eaf90a911194a23295d95d095de
  SHA1: 5e68e728f1c5f06fdc284d78e88f913398f99c33
  SHA256: f77a983ce9afcff6d89d96c489d4e3b1000ba981e2b8956e2bf25446bdaec71b
  SHA512: ae7bd407556283357332b139f2af6a453b5368caf5eb17f2b1ba3554f0f0a850434d43281503f2c5f990de44cd0b0e23ef5d12d5e909640186a31cdb7db162ec
- Filesize: 292KB
  MD5: 42c03c7551187693b05cfe87d8b4e006
  SHA1: 5655ce056ae2b28a0e2ee46556c315ca6658f8b1
  SHA256: 374ef19811b4688b7720b3b6929834a2290c74c8680aa302057f76688ac3628a
  SHA512: b75deac420cc0474db12d26b360d5ae040887afd197fcbe72776d96f2a5a70ec1df5aaca1a0b7da80a7a36cb523f100090fba360222b7f8b3f167b969d95d886
- Filesize: 174KB
  MD5: 9b8ec2d5e50778b2304b0a00aecf9b88
  SHA1: e7a619d7f841468490b5440445de4a747587982f
  SHA256: c181edf3a92aac4c2fc0c4340cf8da8dff97101607028147dab72947951a9a22
  SHA512: 3c5affb557bfb9ca8eeba7d22a641ad5e4047bc7da587d8edbc7cd5f5e8df047f327a0ce19adb212bda981dd1bec80124e0b285e3af3dad498d6a7727e6ddbb7