Analysis
- max time kernel: 145s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 03:34
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe
  Resource: win7-20230831-en

Behavioral task
- behavioral2
  Sample: 6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe
  Resource: win10v2004-20230915-en
General
- Target: 6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe
- Size: 937KB
- MD5: ede54b1684018891a17bd10c478eda44
- SHA1: 4a2b27d8989151400eb02c0199b84b63a12ae9d7
- SHA256: 6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1
- SHA512: 9c2de726fcd9fe8a9af2057cbbb5cc49817e97f9486195654544c327469440c5d3e1b34e9ec5475cdc627dd1df83a9f677c5c63934b459a5d992cdabd7b040d6
- SSDEEP: 24576:jy4q5mlJWWeuQhH48lPx6ZF+iGsS9dbhD8ri6z7w:24q5ml6hHRx6ZYVbyV
Malware Config
Extracted
- Family: redline
- Botnet: tuxiu
- C2: 77.91.124.82:19071
- auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x0007000000023283-34.dat                                   family_redline
  behavioral2/files/0x0007000000023283-35.dat                                   family_redline
  behavioral2/memory/5048-36-0x0000000000330000-0x0000000000360000-memory.dmp   family_redline

- Executes dropped EXE (5 IoCs)
  pid    Process
  4408   x8795829.exe
  3716   x6483988.exe
  4760   x1826574.exe
  4824   g3927233.exe
  5048   h9533751.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x8795829.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: x6483988.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Process: x1826574.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description                            pid    Process        procid_target
  PID 4824 set thread context of 4612    4824   g3927233.exe   91

- Program crash (2 IoCs)
  pid    pid_target   Process        procid_target
  3820   4612         WerFault.exe   91
  5008   4824         WerFault.exe   89

- Suspicious use of WriteProcessMemory (28 IoCs)
  description                            pid    Process                                                                  procid_target
  PID 3708 wrote to memory of 4408       3708   6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe   86
  PID 3708 wrote to memory of 4408       3708   6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe   86
  PID 3708 wrote to memory of 4408       3708   6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe   86
  PID 4408 wrote to memory of 3716       4408   x8795829.exe                                                             87
  PID 4408 wrote to memory of 3716       4408   x8795829.exe                                                             87
  PID 4408 wrote to memory of 3716       4408   x8795829.exe                                                             87
  PID 3716 wrote to memory of 4760       3716   x6483988.exe                                                             88
  PID 3716 wrote to memory of 4760       3716   x6483988.exe                                                             88
  PID 3716 wrote to memory of 4760       3716   x6483988.exe                                                             88
  PID 4760 wrote to memory of 4824       4760   x1826574.exe                                                             89
  PID 4760 wrote to memory of 4824       4760   x1826574.exe                                                             89
  PID 4760 wrote to memory of 4824       4760   x1826574.exe                                                             89
  PID 4824 wrote to memory of 1448       4824   g3927233.exe                                                             90
  PID 4824 wrote to memory of 1448       4824   g3927233.exe                                                             90
  PID 4824 wrote to memory of 1448       4824   g3927233.exe                                                             90
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4824 wrote to memory of 4612       4824   g3927233.exe                                                             91
  PID 4760 wrote to memory of 5048       4760   x1826574.exe                                                             104
  PID 4760 wrote to memory of 5048       4760   x1826574.exe                                                             104
  PID 4760 wrote to memory of 5048       4760   x1826574.exe                                                             104
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b70ffc25486e3c82f904a6e5793b4e8a25e607e2ac7c85bb63fbdf985121cc1.exe"
  PID: 3708
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8795829.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8795829.exe
    PID: 4408
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6483988.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6483988.exe
      PID: 3716
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1826574.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1826574.exe
        PID: 4760
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3927233.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3927233.exe
          PID: 4824
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 1448

          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 4612

            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 540
              PID: 3820
              - Program crash

          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 572
            PID: 5008
            - Program crash

        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9533751.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9533751.exe
          PID: 5048
          - Executes dropped EXE

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4824 -ip 4824
  PID: 1472

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4612 -ip 4612
  PID: 1112
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 836KB
  MD5: 00f1e5b26c6069e838d6f3b9e4d5fc3b
  SHA1: 463bd55af681c244345c06662bfc4e24364ffb53
  SHA256: a8fdb45e9c2a20836e29cb1110c425757da860470368f9688b006e2b58eba242
  SHA512: 3615e8a41d6b9990849a9b2db8c9790851cf451332d16967855d9862278b448fafbb079683e8bfcad3c6ce815c44c56bdfe2bcc7ac159aff879011861da757be
- Filesize: 571KB
  MD5: 998069d1f184617e80f137e9b16d272f
  SHA1: 3f95beca13ee43f303dd75cc5623b7364ab99de7
  SHA256: 6b6415c2a8da4c3ebdf8877d2103333793e248272a1d58e248461ddc89e526fa
  SHA512: 7e0618db1f95702dfbc380f1baed307d3f045932b64110fc7f0fbcee34d5c8fa5764aa09502bb2289f8da34fb139f0fc0cbb4ecc8beeebba6dafcab6eaa1bd69
- Filesize: 394KB
  MD5: 18771d7bdd771966ca52ddc1acb58fb0
  SHA1: 69a18f87eb1e658cb419bc864cb4e5a1f9a64f73
  SHA256: a4b0c9d80f8329ae4b427df816b4085f2302de704860bfbc758ce23dc34dceb6
  SHA512: 51dcb9617d39ebdebda0c0a82fcd76fcf3e4acd855ea2aba69fdebefb7a879183e0ffd39789afe96834faa3d55735c217fac85659c0150b7e1e956e8eacf71b1
- Filesize: 365KB
  MD5: 6d094330acf1ac4df12903f64e0b898b
  SHA1: 02618f8bcc536bf163ffa268f2188601c9c9a1ad
  SHA256: 266681ac76224bbb893f632164f50b588625b8d161e6459b93e4705119e81d89
  SHA512: d9166fac863a8bc94bad2a459d182ef02012b12cea711b02f5bfa2c7c387cd1e4029e708e8ed3b6431b5e717205a5145d4953ad1777c5aa52a2368f25589ae8c
- Filesize: 174KB
  MD5: 6a63493c65be549629dce03e3a2d358b
  SHA1: 4354b8fbbafa4e02badfa2faf1750d534129bb28
  SHA256: 85458c9139da317524f7a776d0d1e844bfc957ea57870d397bde5a29af77c3f6
  SHA512: ce63a8c9fff7daafca7339d71415d1d6cbd5f8ed676716e75c580a89a3e38cca02adc6a1c4803b52e7b983aaa33e30f323018d86daad9afc585cec2c332ace2e