Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2023, 13:20
Static task: static1
Behavioral task: behavioral1
Sample: dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe
Resource: win10v2004-20230915-en
General
Target: dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe
Size: 847KB
MD5: 503da9d1629d30c10c5efc25d4328193
SHA1: b94d04f6e6c96d12e7c7695be7ebfb9a1f46f701
SHA256: dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198
SHA512: a28d03ba2911b1b1654b6f06f90b151aa1929286f0c1f6afcfde813b4a178b28be8845080d717870601c85d0730e66adb9b336a12ce67e98e959779489a65b41
SSDEEP: 12288:pMr8y90/fEu/uE0IZj5UBup4rHSso2v2R4Dsg0Zra//ZiPWPMi0LsIOIxkYcB8Bf:xyqTuXuRgPwryZ3PTOxkDeQhcP
Malware Config
Extracted
Family: redline
Botnet: luska
C2: 77.91.124.55:19071
auth_value: a6797888f51a88afbfd8854a79ac9357
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
- pid 4436, x2621072.exe
- pid 2888, x4044038.exe
- pid 4896, x2677167.exe
- pid 3872, g0180867.exe
- pid 4336, h2497844.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) by dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) by x2621072.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- Set value (str) by x4044038.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- Set value (str) by x2677167.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""

Suspicious use of SetThreadContext (1 IoC)
- PID 3872 (g0180867.exe) set thread context of PID 1980 (procid_target 92)

Program crash (2 IoCs)
- pid 1624 (WerFault.exe), pid_target 3872, procid_target 89
- pid 3672 (WerFault.exe), pid_target 1980, procid_target 92

Suspicious use of WriteProcessMemory (28 IoCs)
- PID 1556 (dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe) wrote to memory of 4436 (procid_target 86), 3 events
- PID 4436 (x2621072.exe) wrote to memory of 2888 (procid_target 87), 3 events
- PID 2888 (x4044038.exe) wrote to memory of 4896 (procid_target 88), 3 events
- PID 4896 (x2677167.exe) wrote to memory of 3872 (procid_target 89), 3 events
- PID 3872 (g0180867.exe) wrote to memory of 656 (procid_target 91), 3 events
- PID 3872 (g0180867.exe) wrote to memory of 1980 (procid_target 92), 10 events
- PID 4896 (x2677167.exe) wrote to memory of 4336 (procid_target 99), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe"
  PID 1556
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2621072.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2621072.exe
    PID 4436
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4044038.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4044038.exe
      PID 2888
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2677167.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2677167.exe
        PID 4896
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0180867.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0180867.exe
          PID 3872
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID 656
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID 1980
            - C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 540
              PID 3672
              - Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 152
            PID 1624
            - Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2497844.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2497844.exe
          PID 4336
          - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1980 -ip 1980
  PID 4728
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3872 -ip 3872
  PID 3712
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 746KB
MD5: e6aa844cf09c3bf56d86c306e40e823b
SHA1: 826af94b58ec64701f204b3b1cdb97a8959e0d7c
SHA256: 97a9877a0127b0180247622600435a7a4ae70d791c96c69b7cf4ad5b5060a7a4
SHA512: d7fa6903710cddc8c98ac53f96a7860df68d46ee1d7cb9371213f3c278485c763389e7de3e728b47ec9fb0495b4702c432738422f7617836c18316eabc8f7809

Filesize: 515KB
MD5: 0df8fda4448c00fb24ce2955c8aec876
SHA1: 2665e9df5835c7a16fa827587f10ca034843aba3
SHA256: 839a7b15fe955a2cfdaf5b87d1d5f4e190f543385efbb9085f34b440f95be4eb
SHA512: 4e22e04ae53c160374c81e29f895b3f385c60f83b444b446c09ae4a1099e074f114639e1be18a0f04c873daa5cb8754f7cc5792ef0c424f3dc0b9ae807254e88

Filesize: 350KB
MD5: fbf8bb7321b2f55917e23d6f877ac37b
SHA1: aac6bcac8e7e2b463bb2d4572c9a73555c1ac352
SHA256: dcc5d4564359cbaf811f138d88441b2119afbc769b29205cf3a0105381472d1a
SHA512: ffb404bbd185bed42beee493d1930de50ce7f092e088f7e3839986df7665a96c498fffb93c729f9196a3bfb0626e3c38748ab46e67c129c6fc8a831111938e88

Filesize: 276KB
MD5: 38bb3a1acba1def231c3cc73aba206c7
SHA1: cec65375e00013034d3be98a17539d52a4df61ef
SHA256: 4f6f70f7f4f89a4d606c1407ad3067998114f0b3f93a0b8e1434ee3dac243876
SHA512: 737b6ddfcef88abc552ab1e1851ff90f4a737ace1a76594fef80d115342229fe2068f9319f4e092909cd30be5d1f09d863df0f04c91aa4f1e5e1b9c85c1cd8aa

Filesize: 174KB
MD5: e7b9f83fa2fea6471e6bc5f62be60ab9
SHA1: a802cc6ec0477762e2bb108071268ed3be7c841c
SHA256: a1f0acd1161a2ae1b8a35339245fdfdebb2ee1b75b0a4d7c7dbd5028bc8ea0e5
SHA512: f0a71daca233608f0677c152146203ca82f87a25f696de9cd2b49f6a0ec6dc684a5c32c28f39ae1e002f85a8fdc4e84bbc7edb4c8b4f03017e7f3ee4e88f7c2b