Analysis
- max time kernel: 134s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21/09/2023, 10:45
Static task: static1
Behavioral task: behavioral1
Sample: d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
Resource: win10-20230915-en
General
- Target: d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
- Size: 784KB
- MD5: 51c9ee25aaa18e5d6f4e972d5d5cfd2d
- SHA1: b41cd9b3bbc50eec073ba951d043d50855249b52
- SHA256: d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a
- SHA512: 798ff8d4f18301ce40f56c7b61dd9d182143ddde9af68c0af4d057a40e7ce7a3519238494a858a1d74ebb355de1e93acd60b9f1eafd01b5ddf21a1267211e192
- SSDEEP: 12288:TMrIy90KTex558mXKEFPItyzOYDnlrO3gnRr9rSYZA6NgCNzPrp9h/KcUEG7G0BW:TyF+8mNatyzxDl62dSGNDd9MEklBW
Malware Config
Extracted
- redline
- buben
- 77.91.124.82:19071
- auth_value: c62fa04aa45f5b78f62d2c21fcbefdec
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid | Process
  4908 | x0719101.exe
  4544 | x2457753.exe
  1040 | h4776929.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x2457753.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0719101.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 5048 wrote to memory of 4908 | 5048 | d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe | 70
  PID 5048 wrote to memory of 4908 | 5048 | d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe | 70
  PID 5048 wrote to memory of 4908 | 5048 | d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe | 70
  PID 4908 wrote to memory of 4544 | 4908 | x0719101.exe | 71
  PID 4908 wrote to memory of 4544 | 4908 | x0719101.exe | 71
  PID 4908 wrote to memory of 4544 | 4908 | x0719101.exe | 71
  PID 4544 wrote to memory of 1040 | 4544 | x2457753.exe | 72
  PID 4544 wrote to memory of 1040 | 4544 | x2457753.exe | 72
  PID 4544 wrote to memory of 1040 | 4544 | x2457753.exe | 72
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe"
  PID: 5048
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe
    PID: 4908
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - (3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe
      PID: 4544
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - (4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe
        PID: 1040
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 683KB
  MD5: 1bc56701ce55735a0c4365e2dcf03f70
  SHA1: a074d478b585cfcdf2bacd7b4e77b7a4e7967865
  SHA256: a742172a730cc19210ddeb91d6ff01720ec59279437bf78fc84620ec78df51e7
  SHA512: a1ed210cc6cdd89ad74d2bd8de46a9a3e29836c920b2ed45d95f1a3902b66ec0e37d4180e2d8023bdc433708d5aecccb793a974911314319b235fbf1ae873743
- Filesize: 292KB
  MD5: 223dd37df1d8a9fcb3dd3b3f17c24e40
  SHA1: 2b8814f0454d650d66c518ab6ee6f3b2fa3802db
  SHA256: ef7d281b8c1c2a4bff98130652f71e31719878374de97a2bf7f4e28f41ab7909
  SHA512: 670162542e476824fdb153f43f4e99e40ac44cfb0ae13c7c2ea138dfe31e2d2a1497fae24880e8b2b3b4cdd4114ace88f033166677c2f73e97e7f6fb729f3757
- Filesize: 174KB
  MD5: f086fc5f65273ca2479b5a3b126ea427
  SHA1: a87200a7a777655ea2c646ed324346866f0f5bb1
  SHA256: cc7369937d7fd737d788aaa0cb699a52d1a24be4ca87843a1c6086673a3249dc
  SHA512: 32ee5b3828e27110d9a62c9cfb5dda1e73bfacc55647e6026b42225da97db17bcc8983d46f825abc764ac32396f62d2ba4a75eba94a3d1860a3c3d6ebc8a2608