Analysis
max time kernel: 157s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 02:04
Tasks
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20230831-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20230915-en)
General
Target: file.exe
Size: 506KB
MD5: 0f724d78d4a65272ac085236c9caf06b
SHA1: 9449892f318709e1abfd33dd059dbdd1de8a0392
SHA256: b7215d29651d883138e7000f2568418b02cb62350924f78ec75b7c7f0d3a9a72
SHA512: 6c4e203e8de1c30cb4fc417fb55887adb80682f1c24ff7f2a8786a7ca179369cdbe4c16fbbe0efc154eaac741ff62c3d81132fd2a8f8125613ac1df4ba678ba5
SSDEEP: 12288:qMriy90OWwCjyUi0kYkqnDIw4M0/2+Vlnw+Q1:0yywmyUigbDIw7AZQ1
Malware Config
Extracted
family: redline
botnet: trush
C2: 77.91.124.82:19071
auth_value: c13814867cde8193679cd0cad2d774be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (4 IoCs)
pid   process
4452  v8951797.exe
4644  b1432077.exe
3056  c9143329.exe
3024  d2056472.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                                                          process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  file.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v8951797.exe
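The two RunOnce values above are worth reading carefully before treating them as persistence. A `wextract_cleanupN` value whose data calls `advpack.dll,DelNodeRunDLL32` on a `%TEMP%\IXP00N.TMP` directory is the cleanup entry written by the Windows self-extracting cabinet stub (wextract.exe, the IExpress packager): it deletes the extraction directory at next logon rather than re-launching the malware. Here file.exe unpacked into IXP000.TMP and v8951797.exe into IXP001.TMP, which is the nested SFX chain visible in the process tree. The signature name "Adds Run key to start application" lumps this together with real autostart entries, so a triage script should separate the two. The classifier below is an added example, not tria.ge code: the first two records are transcribed from the table (shown unescaped), the third is a constructed autostart entry for contrast, and the regular expressions, the `RunKeyVerdict` fields and the verdict labels are my own choices.

```python
"""Separate wextract SFX cleanup entries from genuine Run/RunOnce autostarts.

Added example, not tria.ge code.  Records 1-2 are transcribed from this
report's 'Adds Run key to start application' table with the escaping
removed; record 3 is a constructed autostart entry used as a counter-example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# (registry value path, value data, writing process)
RUN_KEY_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "file.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "v8951797.exe"),
    # constructed, not from the report: a plain autostart under HKCU\...\Run
    (r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Users\Admin\AppData\Roaming\updater.exe"',
     "updater.exe"),
]

# wextract names its cleanup values wextract_cleanup0, wextract_cleanup1, ...
SFX_VALUE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
# ... and the data is always advpack's DelNodeRunDLL32 on the extraction dir
SFX_DATA = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)
# wextract extraction directories are %TEMP%\IXP<three digits>.TMP
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)


@dataclass(frozen=True)
class RunKeyVerdict:
    process: str
    hive_key: str              # "Run" or "RunOnce"
    value_name: str
    kind: str                  # "sfx_cleanup" or "autostart"
    extract_dir: Optional[str] # IXP directory for sfx_cleanup, else None


def classify(path: str, data: str, process: str) -> RunKeyVerdict:
    """Label one Run/RunOnce write as SFX cleanup or as a real autostart."""
    key, _, value_name = path.rpartition("\\")
    hive_key = key.rpartition("\\")[2]
    m = SFX_DATA.search(data)
    if SFX_VALUE.match(value_name) and m and IXP_DIR.search(m.group(1)):
        return RunKeyVerdict(process, hive_key, value_name, "sfx_cleanup",
                             m.group(1).rstrip("\\"))
    return RunKeyVerdict(process, hive_key, value_name, "autostart", None)


def extraction_chain(events) -> dict:
    """Map each SFX stage (writing process) to the directory it unpacked into;
    the order of IXP numbers gives the nesting order of the packers."""
    chain = {}
    for path, data, process in events:
        v = classify(path, data, process)
        if v.kind == "sfx_cleanup":
            chain[v.process] = v.extract_dir
    return chain


if __name__ == "__main__":
    for path, data, process in RUN_KEY_EVENTS:
        v = classify(path, data, process)
        print(f"{v.process:14} {v.hive_key:8} {v.value_name:18} {v.kind:12} {v.extract_dir or ''}")
    print(extraction_chain(RUN_KEY_EVENTS))
```

Anything classified `autostart` deserves the persistence label; `sfx_cleanup` entries instead tell you which process was an SFX wrapper and where its payload landed, which is the directory to pull the next stage from.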
Suspicious use of SetThreadContext (2 IoCs)
description                          pid   process       procid_target
PID 4644 set thread context of 2724  4644  b1432077.exe  90
PID 3056 set thread context of 1316  3056  c9143329.exe  99

Program crash (3 IoCs)
pid   pid_target  process       procid_target
3468  4644        WerFault.exe  88
4656  2724        WerFault.exe  90
768   3056        WerFault.exe  97

Suspicious use of WriteProcessMemory (30 IoCs; identical rows collapsed, row count in the last column)
description                       pid   process       procid_target  rows
PID 4152 wrote to memory of 4452  4152  file.exe      87             3
PID 4452 wrote to memory of 4644  4452  v8951797.exe  88             3
PID 4644 wrote to memory of 2724  4644  b1432077.exe  90             10
PID 4452 wrote to memory of 3056  4452  v8951797.exe  97             3
PID 3056 wrote to memory of 1316  3056  c9143329.exe  99             8
PID 4152 wrote to memory of 3024  4152  file.exe      105            3
Processes (indentation and the leading number give the parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 4152)
   Adds Run key to start application; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe  (PID 4452)
      Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe  (PID 4644)
         Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2724)
            5. C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 540  (PID 4656)
               Program crash
         4. C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 552  (PID 3468)
            Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143329.exe  (PID 3056)
         Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1316)
         4. C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 552  (PID 768)
            Program crash
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2056472.exe  (PID 3024)
      Executes dropped EXE
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2724 -ip 2724  (PID 4688)
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4644 -ip 4644  (PID 1004)
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3056 -ip 3056  (PID 2120)
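The three signature tables above (SetThreadContext, WriteProcessMemory, Program crash) and the process tree describe one pattern twice: a dropped loader (b1432077.exe, then c9143329.exe) starts the signed .NET host AppLaunch.exe, writes into it repeatedly and then replaces a thread's context, which is process hollowing. The ordinary parent-to-child launches in the same table (file.exe to v8951797.exe, v8951797.exe to b1432077.exe, and so on) show exactly 3 writes each, while the hollowed AppLaunch.exe instances show 10 and 8, and one of them (PID 2724) is later handled by WerFault. The script below correlates those records into findings; it is an added example, not tria.ge code. The `IMAGES`, `WRITES`, `THREAD_CONTEXT` and `CRASHES` literals are transcribed from this report (the WriteProcessMemory rows collapsed to one tuple per source/target pair with the row count), and the `HOLLOW_HOSTS` list, the `Finding` fields and the baseline heuristic are my own.

```python
"""Correlate SetThreadContext, WriteProcessMemory and Program-crash records
from a sandbox report into process-hollowing findings.

Added example, not tria.ge code.  Data literals are transcribed from this
report; HOLLOW_HOSTS and the Finding schema are my own choices.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# pid -> image name, from the report's process tree
IMAGES = {
    4152: "file.exe", 4452: "v8951797.exe", 4644: "b1432077.exe",
    3056: "c9143329.exe", 3024: "d2056472.exe",
    2724: "AppLaunch.exe", 1316: "AppLaunch.exe",
}
# (source pid, target pid, number of 'wrote to memory of' rows)
WRITES = [
    (4152, 4452, 3), (4452, 4644, 3), (4644, 2724, 10),
    (4452, 3056, 3), (3056, 1316, 8), (4152, 3024, 3),
]
# (source pid, target pid) from 'set thread context of'
THREAD_CONTEXT = [(4644, 2724), (3056, 1316)]
# (WerFault pid, crashed pid) from 'Program crash'
CRASHES = [(3468, 4644), (4656, 2724), (768, 3056)]

# Signed framework binaries commonly chosen as hollowing hosts
# (assumption: my own list, not taken from the report)
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


@dataclass(frozen=True)
class Finding:
    injector_pid: int
    injector: str
    target_pid: int
    target: str
    writes: int          # WriteProcessMemory rows from injector into target
    signed_host: bool    # target image is a known hollowing host
    target_crashed: bool # WerFault later handled the target


def creation_baseline(writes, thread_ctx):
    """Median write count for parent->child pairs that were never re-pointed
    with SetThreadContext: what a plain CreateProcess looks like on this
    sandbox image.  Hollowed targets stand out well above it."""
    ctx = set(thread_ctx)
    plain = [n for src, dst, n in writes if (src, dst) not in ctx]
    return median(plain) if plain else 0


def find_hollowing(images, writes, thread_ctx, crashes):
    """One Finding per child that its parent both wrote into and whose thread
    context the parent then replaced: the write + SetThreadContext pair is
    the hollowing signature, SetThreadContext alone is not."""
    write_count = defaultdict(int)
    for src, dst, n in writes:
        write_count[(src, dst)] += n
    crashed = {target for _werfault_pid, target in crashes}
    findings = []
    for src, dst in thread_ctx:
        n = write_count.get((src, dst), 0)
        if n == 0:  # context change without writes (e.g. debugger): skip
            continue
        findings.append(Finding(
            injector_pid=src, injector=images.get(src, "?"),
            target_pid=dst, target=images.get(dst, "?"),
            writes=n,
            signed_host=images.get(dst, "").lower() in HOLLOW_HOSTS,
            target_crashed=dst in crashed,
        ))
    return findings


def process_tree(images, writes, root):
    """Render the parent/child tree.  Every child receives writes from its
    parent at creation, so the write records double as a process tree."""
    children = defaultdict(list)
    for src, dst, _ in writes:
        if dst not in children[src]:
            children[src].append(dst)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images.get(pid, '?')} (pid {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print(f"baseline writes per ordinary child: {creation_baseline(WRITES, THREAD_CONTEXT)}")
    for f in find_hollowing(IMAGES, WRITES, THREAD_CONTEXT, CRASHES):
        state = "crashed" if f.target_crashed else "no crash recorded"
        kind = "hollowed signed host" if f.signed_host else "injected"
        print(f"{f.injector} ({f.injector_pid}) -> {f.target} ({f.target_pid}): "
              f"{f.writes} writes, {kind}, {state}")
    print("\n".join(process_tree(IMAGES, WRITES, 4152)))
```

The baseline of 3 writes is specific to this sandbox image and is computed from the report rather than hard-coded, so the same script can be pointed at another report where the plain-launch count differs; the only fixed assumption is the host-binary list.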
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 19KB
MD5: e187daa5150d3c47191e43aaa3f52057
SHA1: b2efe176a8fc4e5c656c78a8bd8c3615a94e06ab
SHA256: 065694316980f07d5093a145542832fd17544f7692486232edd40187fd325db7
SHA512: 1cc863cd7a3b4f519f530c86763f93080c579234da2b38fbcf754cd501670b9aa3835462ed8929d50553156d6139f9936a3ad131b81bb142beb45836a9fbbbc4

Filesize: 404KB
MD5: f450161c6fbfb5e27aaab5d37245a5f6
SHA1: 1b2fd749a55efcbff0663ae81deaee1e32f49bdb
SHA256: c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c
SHA512: 804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Filesize: 365KB
MD5: 51bb6acc0f4a12e5c6fba58447b0069a
SHA1: c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f
SHA256: 6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6
SHA512: e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Filesize: 384KB
MD5: 8c648236a813795020178f3c6a26f663
SHA1: 529c4915583644921f62ee3377bfd55d280e0e0a
SHA256: 776d36f05dcb937f5a2f82b18232ff49b90376f8582dac97d7df2175ac23ddb9
SHA512: bc6efb32f199cf80894cb9d196415eae3e233c776d6f1c753bf1bcaff4e4c0642c7678c37184405bf4bbe0587c4e14b66e42c496800fa430e11fc71d9eb1cb5f