Analysis
  max time kernel:  162s
  max time network: 169s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230915-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        11/10/2023, 20:50
Static task: static1

Behavioral task: behavioral1
  Sample:   c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample:   c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
  Resource: win10v2004-20230915-en

The details below are from the behavioral2 run (Windows 10 2004 x64, image win10v2004-20230915-en); every signature IoC is prefixed behavioral2/.
General
  Target: c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
  Size:   928KB
  MD5:    519596ab5b0b18755fbfc8ad73919d22
  SHA1:   142e5fdc9756125133a02b72ec0258f54caf8188
  SHA256: c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32
  SHA512: 1c5c19a8834f530a7a5328606c2bc4053ae212b0be957774e36f2c32ba451ea48535ad7efb3425232d86483485973f51b90b1f67f6af66091f9904eb9807698d
  SSDEEP: 12288:xMrmy90sAF/ev7zEVpmHyZDKZ+kgCZ8XudHeW0txAf8ErCyfKUno2gdR7VV2gho0:nyAF/2zEVpNkgC+uMN08Eha3/haE
Malware Config
  Extracted
    family:     redline
    botnet:     tuxiu
    C2:         77.91.124.82:19071
    auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x00060000000231fa-34.dat                                   family_redline
  behavioral2/files/0x00060000000231fa-35.dat                                   family_redline
  behavioral2/memory/3532-36-0x0000000000D00000-0x0000000000D30000-memory.dmp   family_redline
  The memory match is PID 3532 (h4998559.exe), so the config above was recoverable from the final dropped stage and its memory, independent of the hollowed process.

Executes dropped EXE (5 IoCs)
  pid    Process
  4584   x2331666.exe
  3556   x8951912.exe
  3336   x0201647.exe
  4580   g1764452.exe
  3532   h4998559.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   x2331666.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   x8951912.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   x0201647.exe
  The wextract_cleanup<N> values are written by the Windows WExtract (IExpress) self-extractor itself: rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at the next logon. Four such values from four different processes mean four nested self-extracting layers (IXP000 through IXP003); this is a packing pattern, not persistence for the payload, and the "Run key" label should be read with that in mind.

Suspicious use of SetThreadContext (1 IoC)
  description                            pid    Process        procid_target
  PID 4580 set thread context of 2272    4580   g1764452.exe   90
  PID 2272 is C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, started by g1764452.exe. Combined with the ten WriteProcessMemory calls from 4580 into 2272 this is the process-hollowing pattern (a legitimate .NET host is started, overwritten, and its thread context redirected). Both 2272 and 4580 then crashed (see Program crash), so the injected stage may not have run to completion in this sandbox run.

Program crash (2 IoCs)
  pid    pid_target   Process        procid_target
  3872   2272         WerFault.exe   90
  1336   4580         WerFault.exe   89

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, count in brackets)
  description                          pid    Process                                                                   procid_target
  PID 4520 wrote to memory of 4584     4520   c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe     86   [x3]
  PID 4584 wrote to memory of 3556     4584   x2331666.exe                                                              87   [x3]
  PID 3556 wrote to memory of 3336     3556   x8951912.exe                                                              88   [x3]
  PID 3336 wrote to memory of 4580     3336   x0201647.exe                                                              89   [x3]
  PID 4580 wrote to memory of 2272     4580   g1764452.exe                                                              90   [x10]
  PID 3336 wrote to memory of 3532     3336   x0201647.exe                                                              97   [x3]
  Three writes from a parent into a process it has just created are ordinary CreateProcess behaviour and are what the first four rows and the last row show; the ten writes from 4580 into 2272 are the hollowing payload being mapped in.
Processes (indentation shows parent/child depth; signatures listed under each process)

C:\Users\Admin\AppData\Local\Temp\c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe   PID 4520
  command line: "C:\Users\Admin\AppData\Local\Temp\c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2331666.exe   PID 4584
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8951912.exe   PID 3556
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0201647.exe   PID 3336
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1764452.exe   PID 4580
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe   PID 2272
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 540   PID 3872
              - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 580   PID 1336
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4998559.exe   PID 3532
          - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4580 -ip 4580   PID 2432
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2272 -ip 2272   PID 3796
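The signature tables above are the raw material for a quick triage of a sample like this one: the WriteProcessMemory rows give the parent/child skeleton, the single SetThreadContext row paired with the writes into the same target is the hollowing signal, and the wextract_cleanup<N> RunOnce rows count the nested self-extractor layers. The script below is an added example written for this page; it is not tria.ge code and does not use the tria.ge API. Its input is a constructed list of strings copied from this report's signature rows in the flattened text form shown above (an assumption: tria.ge's own exports use a different, structured format), and the pid-to-image map is taken from the Processes section. It records that the hollowed AppLaunch.exe (PID 2272) and its injector (PID 4580) both crashed, which is why the RedLine config on this page should be attributed to the dropped h4998559.exe files and the PID 3532 memory dump rather than to the hollowed process.

```python
"""Added example: rebuild the dropper chain from this report's flattened
signature rows, flag the SetThreadContext+WriteProcessMemory hollowing pair,
and count nested WExtract layers from the RunOnce wextract_cleanup<N> keys."""
import json
import re
from collections import defaultdict

ROOT = "c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe"

# pid -> image, copied from the report's Processes section.
PROCESS_NAMES = {
    4520: ROOT, 4584: "x2331666.exe", 3556: "x8951912.exe",
    3336: "x0201647.exe", 4580: "g1764452.exe", 3532: "h4998559.exe",
    2272: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}


def runonce_row(n, proc):
    """Rebuild the report's 'Set value (str)' row for wextract_cleanup<n>."""
    return (r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\RunOnce\wextract_cleanup" + str(n)
            + r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
            + r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00' + str(n) + r'.TMP\\\"" ' + proc)


# Constructed input: one string per signature row of this report (the report
# repeats identical WriteProcessMemory rows; repeats are harmless here).
SAMPLE_ROWS = [
    f"PID 4520 wrote to memory of 4584 4520 {ROOT} 86",
    "PID 4584 wrote to memory of 3556 4584 x2331666.exe 87",
    "PID 3556 wrote to memory of 3336 3556 x8951912.exe 88",
    "PID 3336 wrote to memory of 4580 3336 x0201647.exe 89",
    "PID 4580 wrote to memory of 2272 4580 g1764452.exe 90",
    "PID 3336 wrote to memory of 3532 3336 x0201647.exe 97",
    "PID 4580 set thread context of 2272 4580 g1764452.exe 90",
    "3872 2272 WerFault.exe 90",   # Program crash rows: pid pid_target Process procid_target
    "1336 4580 WerFault.exe 89",
    runonce_row(2, "x8951912.exe"), runonce_row(3, "x0201647.exe"),
    runonce_row(0, ROOT), runonce_row(1, "x2331666.exe"),
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) ")
CRASH_RE = re.compile(r"^(\d+) (\d+) WerFault\.exe ")
RUNONCE_RE = re.compile(r'\\RunOnce\\(wextract_cleanup\d+) = "(.*)" (\S+)$')
IXP_RE = re.compile(r"IXP\d{3}\.TMP")


def parse_rows(rows):
    """Split the flattened rows into typed events."""
    ev = {"writes": [], "ctx": [], "crashed": set(), "runonce": []}
    for row in rows:
        if m := WRITE_RE.match(row):
            ev["writes"].append((int(m[1]), int(m[2])))
        elif m := CTX_RE.match(row):
            ev["ctx"].append((int(m[1]), int(m[2])))
        elif m := CRASH_RE.match(row):
            ev["crashed"].add(int(m[2]))           # pid_target column
        elif m := RUNONCE_RE.search(row):
            ixp = IXP_RE.search(m[2])
            ev["runonce"].append((m[1], ixp[0] if ixp else None, m[3]))
    return ev


def process_tree(writes):
    """parent -> children (first-seen order). A parent writing into a child it
    just created is ordinary CreateProcess behaviour, so this is only a skeleton."""
    tree = defaultdict(list)
    for src, dst in writes:
        if dst not in tree[src]:
            tree[src].append(dst)
    return dict(tree)


def chain(tree, root):
    """Depth-first order of every pid reachable from root."""
    order, stack = [], [root]
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(reversed(tree.get(pid, [])))
    return order


def find_hollowing(ev, names):
    """SetThreadContext by a process that also wrote the target's memory is the
    hollowing pair; a crashed target means the injected stage may never have run."""
    writers = defaultdict(set)
    for src, dst in ev["writes"]:
        writers[dst].add(src)
    hits = []
    for src, dst in ev["ctx"]:
        if src in writers[dst]:
            target = names.get(dst, "")
            hits.append({"injector": src, "injector_image": names.get(src, "?"),
                         "target": dst, "target_image": target,
                         "target_is_windows_binary": target.lower().startswith("c:\\windows\\"),
                         "target_crashed": dst in ev["crashed"]})
    return hits


def sfx_layers(ev):
    """Distinct IXP00N.TMP dirs queued for RunOnce cleanup: one per WExtract layer."""
    return sorted({ixp for _, ixp, _ in ev["runonce"] if ixp})


def triage(rows, names, root_pid):
    ev = parse_rows(rows)
    return {"chain": [names.get(p, str(p)) for p in chain(process_tree(ev["writes"]), root_pid)],
            "sfx_layers": sfx_layers(ev), "hollowing": find_hollowing(ev, names)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS, PROCESS_NAMES, 4520), indent=2))
```

Running it prints a JSON summary: the seven-process chain from the submitted sample down to h4998559.exe, four WExtract layers (IXP000 to IXP003), and one hollowing hit in which g1764452.exe targets a binary under C:\Windows and the target crashed. The design choice worth keeping when adapting this to real telemetry is the pairing: WriteProcessMemory alone fires on every process creation in this chain, so only the write plus SetThreadContext into the same pid is treated as injection.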
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; each file appears twice in the sandbox's download list with identical hashes, so the five distinct files are listed once)

Filesize: 826KB
  MD5:    59bd3434155c08ab083cf46e2361fe9e
  SHA1:   1977cb881c7cb547e853bb76a033cfe4fd2f53a7
  SHA256: 6ac1b975c1f7ba9a3105f1e4b401bc51d892ac9db8484311c1ba33ee7c0d42d1
  SHA512: 3fe3bd03b92f30884f712ba75ca493b763f187b6f3fd20d1285a80707120d2861c4154140784e19a24767a9c594c0f7d106dddc476d1f089ce1fd53c31c7c6f7

Filesize: 567KB
  MD5:    181641b662437fd99b9e6a7cb57f6dc6
  SHA1:   89eac573b5fc74ad52649184e05d3621b789171c
  SHA256: f10bb6b31be6a4fd8bd917f6ca964e9a893308d6459e0f82786b41518c05aa4a
  SHA512: b9502793c9b87e8c859436d0ea9b6ba4f67d3e0de94bc8907800eee8abb2433e1a6f6ab6e762893aee2b750d215eb4f7ec66804a80810e5af608505ec23209ec

Filesize: 390KB
  MD5:    d21abaab99e865e5c8e309a84382a268
  SHA1:   ab794e2cf17b9469374587ad8d0087973f114e97
  SHA256: eea8f7467592f1ead9ec19e814ee54b493038989455f94dbf8924f6239aad904
  SHA512: e344b9956e7163398085a450fce72a0e07eab7605e3b4921614626071c56ba2b78009eec66211ab5d5e5e5bab2ed31422f06ee09fd3b34c998c5e1c1d47438a6

Filesize: 364KB
  MD5:    30c004d6065691a03a20f9bafaf54d4f
  SHA1:   d9386769bc8b1158f2a041a2868064200e5ce72e
  SHA256: 68def0c756c56866bc1e8493c17e7255cc2b3208bdb15d3a578b2eddbd4603b1
  SHA512: f5f08aac2cc2be90c76fecfa535e099002c509451bc9ddbd773029254ac74f9a672236a7f8ff50283549f194bf30a0ba554ffa1f31ba788344e681352c1d911c

Filesize: 174KB
  MD5:    5de887bdd300e7ac6174fd6f8ff0e23d
  SHA1:   f752c273171c3df722dbee219fb16d8d62177811
  SHA256: 5b1d5fccbd72a6f79b09a18944793ee17b51d07c502de1fdd40557b7c274f248
  SHA512: 0e24d304feba8527be74cad5f4dbb812898b339f4f43e3312d7c72deb2ce562a2af2f23aec37eff6d316f76d73763a5e8c194417a922b9ecbd4571f029a98527