Analysis
- max time kernel: 151s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: 457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe
- Resource: win10v2004-20230915-en
General
- Target: 457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe
- Size: 937KB
- MD5: 3425ee6512fd3261419c1884e7927c44
- SHA1: 302403783d00df8d96355c108757051b040dd973
- SHA256: 457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48
- SHA512: e13e3cf116af5f084714b5283ae4a8a6cbb4ff5b59f7a8cd134dc5d50ce465779cee583c4d146469775517ff82488c3f4087c8ba73207be783b718bd82d64038
- SSDEEP: 24576:Uyk7ho7n05eJj330Avw+xAgSwhvZwCTHOY:j0hen7Jfx4UvOCTu
Malware Config
Extracted
- Family: redline
- Botnet: tuxiu
- C2: 77.91.124.82:19071
- Attributes: auth_value = 29610cdad07e7187eec70685a04b89fe
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/files/0x0006000000023230-34.dat                                  family_redline
  behavioral2/files/0x0006000000023230-35.dat                                  family_redline
  behavioral2/memory/2036-36-0x00000000006F0000-0x0000000000720000-memory.dmp  family_redline
- Executes dropped EXE (5 IoCs)
  pid   Process
  4008  x1757176.exe
  532   x0020773.exe
  1920  x7901868.exe
  5016  g2055023.exe
  2036  h3810120.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: 457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: x1757176.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (Process: x0020773.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (Process: x7901868.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 5016 set thread context of 4232 (Process: g2055023.exe, procid_target: 90)
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1800  4232        WerFault.exe  90
  1276  5016        WerFault.exe  89
- Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, count shown)
  pid   Process                                                                 target  procid_target  count
  3904  457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe  4008    86             3
  4008  x1757176.exe                                                            532     87             3
  532   x0020773.exe                                                            1920    88             3
  1920  x7901868.exe                                                            5016    89             3
  5016  g2055023.exe                                                            4232    90             10
  1920  x7901868.exe                                                            2036    100            3
Processes
- C:\Users\Admin\AppData\Local\Temp\457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\457b849ab77aa59fca97484b22506966a90cc1657b1d6766a70789a3f9fe0c48.exe"
  PID: 3904
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1757176.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1757176.exe
    PID: 4008
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    children:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0020773.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0020773.exe
      PID: 532
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      children:
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7901868.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7901868.exe
        PID: 1920
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        children:
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2055023.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2055023.exe
          PID: 5016
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          children:
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 4232
            children:
            - C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 540
              PID: 1800
              - Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 580
            PID: 1276
            - Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3810120.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3810120.exe
          PID: 2036
          - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5016 -ip 5016
  PID: 4628
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4232 -ip 4232
  PID: 5012
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 835KB
  MD5: 14680fec545ad097ae78784c46d017c7
  SHA1: 7790262bb579afba031cdbc14acb32bfc5c82164
  SHA256: ca6c8bca33a133a015ea7f886fad77a4d02ce439ee650a2bf027eef24f84b3d3
  SHA512: 642ecaa7623d26a334afb1e4b3c30b774235e3fdc5d5b96fe1b77d33c7baaaae75d76558ef77ba29c0ba06c9d4290fe0a77d7caaded51e6e1f17c9bf652f4793
- Filesize: 570KB
  MD5: 2d4f95425c919f5bc2189fa6c0510960
  SHA1: 2d9a19a01df266970b493347b7bd2b648c33608c
  SHA256: aea23c169e0bfe411ff9af7af5a35b988049c5d7df3f3a0072b65a8569f4d7b0
  SHA512: c7de8be5e56dbc6688dea0ff5f324229e7ffb16d3d04536e6de6aa2caa89938bc6e248b87d4464172c280e9c29d3f5824e73a79cc79798bff2c3a5be0904ee8f
- Filesize: 394KB
  MD5: 11c4bfffbf7be4f4ee354001a7f56262
  SHA1: 173108974511ad0efeac1f6184c410db8be6f2bc
  SHA256: c593efa3913af507a0d74733608222c0ac25f9a0c75656e17dd3053652340235
  SHA512: fa7266ceab79a9e374677ab3a9d753940210fbb3df907e7bbfea986476a200c69920729f0f81e8936c6d839ebbfc653fdfa9e5899f52ede935f14ff269e4ee6f
- Filesize: 365KB
  MD5: 2ebe5b4f0de53f2e974e007436fb1187
  SHA1: d6cf3720d179b621b9597927afcde51bab678830
  SHA256: 1130941f690aa7bd80afee4ef7f1c39d49d404665af63ea749671a9f5adc44e7
  SHA512: 405786c1e269685d7d0ff96776ef2511a79d50ff6969a37f7aa4660e22daaec3ed67a2f38cd59075396710c32c0e069294d4a58d6705708e0609699ae8b96956
- Filesize: 174KB
  MD5: 2104595df43517f57fba870b49f25044
  SHA1: 9d96366db1c65f931e3800ec7f762013eb564063
  SHA256: 84a8e9cd8fed804eec787f3204cf236ae5dedfc6efb11685850b001887e622bd
  SHA512: 6f46635a5a62e4b1b93233029611c6ac631f6662df372946367eacc90207666d1bb8f59e389f9d2d282f3e34257f1505146418e1feef05d3ff3958a32b081306