Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21/09/2023, 10:45

General

  • Target

    d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe

  • Size

    784KB

  • MD5

    51c9ee25aaa18e5d6f4e972d5d5cfd2d

  • SHA1

    b41cd9b3bbc50eec073ba951d043d50855249b52

  • SHA256

    d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a

  • SHA512

    798ff8d4f18301ce40f56c7b61dd9d182143ddde9af68c0af4d057a40e7ce7a3519238494a858a1d74ebb355de1e93acd60b9f1eafd01b5ddf21a1267211e192

  • SSDEEP

    12288:TMrIy90KTex558mXKEFPItyzOYDnlrO3gnRr9rSYZA6NgCNzPrp9h/KcUEG7G0BW:TyF+8mNatyzxDl62dSGNDd9MEklBW

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
    "C:\Users\Admin\AppData\Local\Temp\d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe
          4⤵
          • Executes dropped EXE
          PID:1040

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe

    Filesize

    683KB

    MD5

    1bc56701ce55735a0c4365e2dcf03f70

    SHA1

    a074d478b585cfcdf2bacd7b4e77b7a4e7967865

    SHA256

    a742172a730cc19210ddeb91d6ff01720ec59279437bf78fc84620ec78df51e7

    SHA512

    a1ed210cc6cdd89ad74d2bd8de46a9a3e29836c920b2ed45d95f1a3902b66ec0e37d4180e2d8023bdc433708d5aecccb793a974911314319b235fbf1ae873743

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe

    Filesize

    292KB

    MD5

    223dd37df1d8a9fcb3dd3b3f17c24e40

    SHA1

    2b8814f0454d650d66c518ab6ee6f3b2fa3802db

    SHA256

    ef7d281b8c1c2a4bff98130652f71e31719878374de97a2bf7f4e28f41ab7909

    SHA512

    670162542e476824fdb153f43f4e99e40ac44cfb0ae13c7c2ea138dfe31e2d2a1497fae24880e8b2b3b4cdd4114ace88f033166677c2f73e97e7f6fb729f3757

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe

    Filesize

    174KB

    MD5

    f086fc5f65273ca2479b5a3b126ea427

    SHA1

    a87200a7a777655ea2c646ed324346866f0f5bb1

    SHA256

    cc7369937d7fd737d788aaa0cb699a52d1a24be4ca87843a1c6086673a3249dc

    SHA512

    32ee5b3828e27110d9a62c9cfb5dda1e73bfacc55647e6026b42225da97db17bcc8983d46f825abc764ac32396f62d2ba4a75eba94a3d1860a3c3d6ebc8a2608

  • memory/1040-22-0x0000000072C10000-0x00000000732FE000-memory.dmp

    Filesize

    6.9MB

  • memory/1040-21-0x0000000000630000-0x0000000000660000-memory.dmp

    Filesize

    192KB

  • memory/1040-23-0x0000000000DD0000-0x0000000000DD6000-memory.dmp

    Filesize

    24KB

  • memory/1040-24-0x000000000A900000-0x000000000AF06000-memory.dmp

    Filesize

    6.0MB

  • memory/1040-25-0x000000000A440000-0x000000000A54A000-memory.dmp

    Filesize

    1.0MB

  • memory/1040-26-0x000000000A370000-0x000000000A382000-memory.dmp

    Filesize

    72KB

  • memory/1040-27-0x000000000A3D0000-0x000000000A40E000-memory.dmp

    Filesize

    248KB

  • memory/1040-28-0x000000000A550000-0x000000000A59B000-memory.dmp

    Filesize

    300KB

  • memory/1040-29-0x0000000072C10000-0x00000000732FE000-memory.dmp

    Filesize

    6.9MB