Analysis
max time kernel: 138s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2023 19:20 (DD/MM/YYYY, i.e. 2 October 2023; the sandbox image itself is dated 2023-09-15)
Static task: static1
Behavioral task: behavioral1
Sample: a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe
Resource: win10v2004-20230915-en
General
Target: a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe
Size: 1.1MB
MD5: ab731e7d8e334afc7db4eb1a39e2e0a9
SHA1: 78ab5a0c98af58f132f0da58cec8774b4778418c
SHA256: a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b
SHA512: 8946c23fa8da79fb08b05b5eea221efca7743ee04bb183a740fa3a0a73fbe9235f0527f3c52cb4efb9a2f66cf975d59c58edb51a743060218b0fe7c014ec4379
SSDEEP: 24576:Hyf/Y8iDZJTIPoLboRsmX18izZGsvGompPf:Sf/Y8iDjIQS18izZGsvG3P
Malware Config
Extracted
Family: redline
Botnet: larek
C2: 77.91.124.55:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020. It harvests browser credentials and cookies, cryptocurrency-wallet data and system information and sends them to the C2 embedded in its configuration; the configuration extracted from this sample names the botnet "larek" and the C2 77.91.124.55:19071.
RedLine payload (3 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x0006000000023218-41.dat                                    family_redline
behavioral1/files/0x0006000000023218-42.dat                                    family_redline
behavioral1/memory/4696-43-0x00000000007C0000-0x00000000007FE000-memory.dmp    family_redline
The memory match is in PID 4696, 2ac459wb.exe, the last executable dropped to IXP004.TMP.
Executes dropped EXE (6 IoCs)
pid    Process
1364   Kr5Py4HA.exe
532    Xs1EI1sJ.exe
4508   kT5Ka0DV.exe
4872   mL9NC1BT.exe
4960   1PH25yU5.exe
4696   2ac459wb.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
All five values are the RunOnce entries that wextract.exe (the IExpress self-extractor stub) writes so that, at next logon, rundll32 calls advpack.dll!DelNodeRunDLL32 to delete its IXP00N.TMP extraction directory. They are cleanup, not persistence for the stealer, but one entry per process (cleanup0 to cleanup4) confirms five nested IExpress layers and names the directory each stage unpacked into.

Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0  (set by a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe)
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
wextract_cleanup1  (set by Kr5Py4HA.exe)
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
wextract_cleanup2  (set by Xs1EI1sJ.exe)
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
wextract_cleanup3  (set by kT5Ka0DV.exe)
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
wextract_cleanup4  (set by mL9NC1BT.exe)
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"
Suspicious use of SetThreadContext (1 IoC)
pid    Process        target pid   target process   procid_target
4960   1PH25yU5.exe   4572         AppLaunch.exe    92
1PH25yU5.exe spawned the signed .NET host C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4572, see the process tree), wrote to its memory ten times and then reset the context of its thread: the usual process hollowing sequence (ATT&CK T1055.012). Both processes were then handled by WerFault, so the code injected into AppLaunch.exe did not run to completion in this analysis.
Program crash (2 IoCs)
pid    pid_target   Process        procid_target   crashed process
2704   4960         WerFault.exe   90              1PH25yU5.exe
3012   4572         WerFault.exe   92              AppLaunch.exe
Both the injector (1PH25yU5.exe) and its hollowed host (AppLaunch.exe) crashed. The RedLine YARA matches are on two dropped files and on the memory of the sibling stage 2ac459wb.exe (PID 4696), which did not crash.
Suspicious use of WriteProcessMemory (28 IoCs; identical rows grouped, calls = number of rows)
pid    Process                                                                  target pid   target process   procid_target   calls
4804   a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe   1364         Kr5Py4HA.exe     86              3
1364   Kr5Py4HA.exe                                                             532          Xs1EI1sJ.exe     87              3
532    Xs1EI1sJ.exe                                                             4508         kT5Ka0DV.exe     88              3
4508   kT5Ka0DV.exe                                                             4872         mL9NC1BT.exe     89              3
4872   mL9NC1BT.exe                                                             4960         1PH25yU5.exe     90              3
4960   1PH25yU5.exe                                                             4572         AppLaunch.exe    92              10
4872   mL9NC1BT.exe                                                             4696         2ac459wb.exe     99              3
Processes
Each stage up to mL9NC1BT.exe is an IExpress (wextract) self-extractor: it unpacks into the next IXP00N.TMP directory, registers a RunOnce cleanup value for it, and runs the executable inside. mL9NC1BT.exe runs two: 1PH25yU5.exe, which hollows AppLaunch.exe and crashes, and 2ac459wb.exe, which carries the RedLine payload. The two top-level WerFault -pss processes are the Windows Error Reporting helpers for the two crashes.

C:\Users\Admin\AppData\Local\Temp\a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe  (PID 4804)
    command line: "C:\Users\Admin\AppData\Local\Temp\a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr5Py4HA.exe  (PID 1364)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr5Py4HA.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
    └ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xs1EI1sJ.exe  (PID 532)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xs1EI1sJ.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
      └ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5Ka0DV.exe  (PID 4508)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5Ka0DV.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
        └ C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mL9NC1BT.exe  (PID 4872)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mL9NC1BT.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
          └ C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PH25yU5.exe  (PID 4960)
                command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PH25yU5.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
            └ C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4572)
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              └ C:\Windows\SysWOW64\WerFault.exe  (PID 3012)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 200
                    - Program crash
            └ C:\Windows\SysWOW64\WerFault.exe  (PID 2704)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 600
                  - Program crash
          └ C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ac459wb.exe  (PID 4696)
                command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ac459wb.exe
                - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe  (PID 1404)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe  (PID 1392)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
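The behaviour chain above (nested IExpress stages under %TEMP%\IXP00N.TMP, the RunOnce wextract_cleanupN values, a stage from an IXP directory hollowing AppLaunch.exe, and the C2 from the extracted config) can be turned into host-telemetry detections. The script below is an added example and is not part of the tria.ge report or of any Triage tooling. The event records are constructed from the PIDs, image paths and registry data shown in the report, in a simplified Sysmon-like shape whose field names are an assumption of this example; the root process's parent PID and the single network connection (the report's Network section records no traffic) are likewise constructed, and the HOLLOW_HOSTS set extends the report's AppLaunch.exe with other commonly abused .NET hosts as an assumption.

```python
"""Detections for a nested IExpress dropper chain ending in process hollowing.
Added example built from this report's data; event schema is assumed."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
# An executable running directly out of an IExpress extraction directory.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.I)
CLEANUP_VALUE = re.compile(r"^wextract_cleanup\d+$", re.I)
# AppLaunch.exe is the host seen in this report; the rest are common .NET
# hollowing targets added as an assumption, not taken from the report.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
C2 = ("77.91.124.55", 19071)  # from the extracted RedLine config, botnet "larek"

SAMPLE = "a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe"


def proc(pid, ppid, image):
    return {"event": "process_create", "pid": pid, "ppid": ppid, "image": image}


def cleanup(pid, n):
    """RunOnce value exactly as wextract.exe writes it for IXP00n.TMP."""
    return {"event": "registry_set", "pid": pid, "key": rf"{RUNONCE}\wextract_cleanup{n}",
            "data": rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "{TEMP}\IXP00{n}.TMP\"'}


EVENTS = [  # constructed from the report; ppid 1000 for the root is an assumption
    proc(4804, 1000, TEMP + "\\" + SAMPLE), cleanup(4804, 0),
    proc(1364, 4804, rf"{TEMP}\IXP000.TMP\Kr5Py4HA.exe"), cleanup(1364, 1),
    proc(532, 1364, rf"{TEMP}\IXP001.TMP\Xs1EI1sJ.exe"), cleanup(532, 2),
    proc(4508, 532, rf"{TEMP}\IXP002.TMP\kT5Ka0DV.exe"), cleanup(4508, 3),
    proc(4872, 4508, rf"{TEMP}\IXP003.TMP\mL9NC1BT.exe"), cleanup(4872, 4),
    proc(4960, 4872, rf"{TEMP}\IXP004.TMP\1PH25yU5.exe"),
    proc(4572, 4960, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    {"event": "thread_context_set", "pid": 4960, "target_pid": 4572},
    proc(4696, 4872, rf"{TEMP}\IXP004.TMP\2ac459wb.exe"),
    # Constructed only to exercise the C2 match; the report shows no traffic.
    {"event": "network_connect", "pid": 4696, "dst": "77.91.124.55", "dport": 19071},
]


def process_map(events):
    return {e["pid"]: e for e in events if e["event"] == "process_create"}


def name(image):
    return image.rsplit("\\", 1)[-1]


def ixp_chain(events):
    """Longest root-first parent->child chain of processes that all run from an
    IXP00N.TMP directory. Length >= 2 means nested self-extractors, which is
    rare for legitimate IExpress packages and typical of this dropper style."""
    procs = process_map(events)
    best = []
    for pid in procs:
        chain = []
        while pid in procs and IXP_DIR.search(procs[pid]["image"]):
            chain.append(pid)
            pid = procs[pid]["ppid"]
        if len(chain) > len(best):
            best = chain
    return [name(procs[p]["image"]) for p in reversed(best)]


def wextract_cleanup_entries(events):
    """RunOnce values wextract.exe writes so advpack.dll deletes its IXP directory
    at next logon. Cleanup rather than payload persistence, but each one marks
    an IExpress layer and names the directory it unpacked to."""
    out = []
    for e in events:
        if e["event"] != "registry_set":
            continue
        value = e["key"].rsplit("\\", 1)[-1]
        if CLEANUP_VALUE.match(value) and "DelNodeRunDLL32" in e["data"]:
            m = re.search(r'"([^"]+)"', e["data"])
            out.append((e["pid"], value, m.group(1) if m else ""))
    return out


def hollowing_candidates(events):
    """A process from an IXP directory spawns a signed .NET host and then sets
    that child's thread context: the SetThreadContext step of process hollowing
    (ATT&CK T1055.012). Returns (injector pid, injector, host pid, host)."""
    procs = process_map(events)
    hits = []
    for e in events:
        if e["event"] != "thread_context_set":
            continue
        src, tgt = procs.get(e["pid"]), procs.get(e["target_pid"])
        if not src or not tgt or tgt["ppid"] != src["pid"]:
            continue
        if name(tgt["image"]).lower() in HOLLOW_HOSTS and IXP_DIR.search(src["image"]):
            hits.append((src["pid"], name(src["image"]), tgt["pid"], name(tgt["image"])))
    return hits


def c2_contacts(events):
    """PIDs that connected to the C2 endpoint from the extracted config."""
    return [e["pid"] for e in events
            if e["event"] == "network_connect" and (e["dst"], e["dport"]) == C2]


if __name__ == "__main__":
    print("IExpress chain:", " -> ".join(ixp_chain(EVENTS)))
    for pid, value, path in wextract_cleanup_entries(EVENTS):
        print(f"RunOnce {value} written by pid {pid} cleans {path}")
    for inj_pid, inj, host_pid, host in hollowing_candidates(EVENTS):
        print(f"hollowing: {inj} ({inj_pid}) -> {host} ({host_pid})")
    print("C2 contact from pids:", c2_contacts(EVENTS))
```

The three host-side checks are independent: the IXP chain and the RunOnce values fire on the dropper layers even when the final payload never runs (as happened to the 1PH25yU5.exe branch here), while the hollowing check keys on the parent-child relationship plus SetThreadContext rather than on the name of any one stage, which changes with every build.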
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 962KB
MD5: c6cabeed9e881806ed1b1b52d53336c9
SHA1: 794d91a11a66f3866a0abe14ff160a9ffdc7204c
SHA256: 8c752f522be42f2caabd8ff8cea522e8f4b7458d1cba471bdb127c3ae1191caf
SHA512: 507f55796b8d71411692dff1e4f9fef69c1ca8da18c00d213bc97c1ff60c93eada7e87398e8f3f3c393a900635e0deef93e21464f0e5eb78bfa37a5541240d3c

Filesize: 779KB
MD5: 79811594ea052cc044eadcbdd1787356
SHA1: 4c87047b276215eb4c037fe63597e90b697976e6
SHA256: 5f6c9c628d867c65974efcc3337ff2d34695c93ddd54365a15691299021ebf22
SHA512: 658e404be0df1a2550c52bdecd8630e1e508fd099b0900fd99fb57ef9acb122f5dd2147d95ca07225701cee6035c5a8594b635486e99bc568d16d25a7894a0c9

Filesize: 532KB
MD5: daf2d48b049bc84be4a51eb8a1ea46f2
SHA1: 45c88b646428401a3b2c8abc0e9f23a7166f5e0c
SHA256: 3a773430d8f2a4e3aacc03e4765e3f75100623c62c9dd6e8875f96b05908521e
SHA512: a9c63d8d6e25df39cd911d73f985fd8276a7759ce91e10231a31471e7259d4cc66a7e3781437ce769d03912cd6a77869442066b1ca1d30187d9a814b0392d8b1

Filesize: 366KB
MD5: 335e47232fb0829a94dae38ff8346b8e
SHA1: 566a0e702384afcde472ef321f5ed471b5127679
SHA256: 1458ae8c765ae1e34ff262c45c7e9eb79fa05a7c96105d7d5d5beaabb5211baa
SHA512: bfb35a145d1768e661ae2ce01033cdc61fafc75295c7eba9eb7ee302014693cc762bd0e2e2e4f6d37d0bfc881edc00c06adc63d01ee1b50b0b6f6c5f30ce56b3

Filesize: 285KB
MD5: 00b3ec92baa015f7eaad12ce3382bfda
SHA1: 5e224bcc279dcac7ad6a02b76e1a0adc6921a6b3
SHA256: 6f34d3a7d5e937e015427f008e9a99d26a4aaabf544850a2a9d250f3e5db1fd6
SHA512: 0bd739e320875d248d7acbd18c8160e2a12be9a55fa13b27cad1a453e30b30ee39b2551e0d1fa5517c1f966583a18e013f878aea89922b281a832b9b98ab86f8

Filesize: 221KB
MD5: 8e213011bb8ec2212ecf574d7e39ffe4
SHA1: 4fb3e4d280d5169aa1c914148104f180e3731b35
SHA256: 2070a1daccb6f2817fc92f8be7615b31526f0ec752ffd42b0951844aeefbeb3b
SHA512: 9b6d2ebd9f9a03d801f38b45582f96c1b1106927f8ad17c9b66188ec4b465a0278b2a0df5c5d32d5ac08daa549e6240116fe863e7b249a46a220910d167c3723