Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe
- Resource: win10v2004-20230915-en
General
- Target: dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe
- Size: 937KB
- MD5: 5466d6e8f7e190b0db624958b4844b7c
- SHA1: e576c4888e5a290f3aa33316000a38cfb92e94b2
- SHA256: dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f
- SHA512: 0406528fe4370dc8de9cf6ac81f46376542470a14d36154ac3e387325bca14043481e7998f241162ae2b63c7dcc872052d5ffbaf8cb03c399b6e8efa6fb4e36e
- SSDEEP: 24576:LybIieayuBpxxQ5UhhimHTY/9BGL5IBNUL+Pi5MSEbC9HnHE8k:+buMrxlhZHs/iL5IBNhPEu2
Malware Config
Extracted
- Family: redline
- Botnet: tuxiu
- C2: 77.91.124.82:19071
- auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
resource / yara_rule
behavioral2/files/0x00060000000231d6-34.dat / family_redline
behavioral2/files/0x00060000000231d6-35.dat / family_redline
behavioral2/memory/1832-36-0x00000000008B0000-0x00000000008E0000-memory.dmp / family_redline
- Executes dropped EXE (5 IoCs)
pid / Process
4296 / x6313644.exe
4456 / x0728934.exe
3732 / x0865767.exe
4892 / g7262670.exe
1832 / h2716118.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / x6313644.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" / x0728934.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" / x0865767.exe
- Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target
PID 4892 set thread context of 1668 / 4892 / g7262670.exe / 92
- Program crash (2 IoCs)
pid / pid_target / Process / procid_target
1288 / 1668 / WerFault.exe / 92
5004 / 4892 / WerFault.exe / 89
- Suspicious use of WriteProcessMemory (25 IoCs)
description / pid / Process / procid_target
PID 4280 wrote to memory of 4296 / 4280 / dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe / 86
PID 4280 wrote to memory of 4296 / 4280 / dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe / 86
PID 4280 wrote to memory of 4296 / 4280 / dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe / 86
PID 4296 wrote to memory of 4456 / 4296 / x6313644.exe / 87
PID 4296 wrote to memory of 4456 / 4296 / x6313644.exe / 87
PID 4296 wrote to memory of 4456 / 4296 / x6313644.exe / 87
PID 4456 wrote to memory of 3732 / 4456 / x0728934.exe / 88
PID 4456 wrote to memory of 3732 / 4456 / x0728934.exe / 88
PID 4456 wrote to memory of 3732 / 4456 / x0728934.exe / 88
PID 3732 wrote to memory of 4892 / 3732 / x0865767.exe / 89
PID 3732 wrote to memory of 4892 / 3732 / x0865767.exe / 89
PID 3732 wrote to memory of 4892 / 3732 / x0865767.exe / 89
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 4892 wrote to memory of 1668 / 4892 / g7262670.exe / 92
PID 3732 wrote to memory of 1832 / 3732 / x0865767.exe / 97
PID 3732 wrote to memory of 1832 / 3732 / x0865767.exe / 97
PID 3732 wrote to memory of 1832 / 3732 / x0865767.exe / 97
Processes (process tree; indentation shows parent/child, depth given in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc6d5bd8f0c5781801301c209a03004c1d7309335238355bcc31c5ad5f3ae83f.exe"
  PID: 4280
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6313644.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6313644.exe
    PID: 4296
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0728934.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0728934.exe
      PID: 4456
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0865767.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0865767.exe
        PID: 3732
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7262670.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7262670.exe
          PID: 4892
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 1668
            - [7] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 540
              PID: 1288
              - Program crash
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 556
            PID: 5004
            - Program crash
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2716118.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2716118.exe
          PID: 1832
          - Executes dropped EXE
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4892 -ip 4892
  PID: 4792
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1668 -ip 1668
  PID: 4640
Downloads
- Filesize: 836KB
  MD5: de825d1dd2075e37acd6d65d78b2b3cf
  SHA1: 841cbfd6470eda445b82056e6b0325949a388dfa
  SHA256: 32297758761cd491cf8fe2a198d277f4fd844ebb1e2867d7b025c9085513dc9f
  SHA512: 12768a8e11eab3108bc5dbf5c96b8b291f8a0f1f2b61787fce25161b0998010afc0aae15d302fe385dd5d043ac350f1502d20e9ebf6ba95ea75268417e3f1413
- Filesize: 571KB
  MD5: c3c0ecc8ef0cebe910c75b4452999cba
  SHA1: 7269cd2ba945159955e542c94f1b2dd9ba06650f
  SHA256: 1dbed4c0b9a383e4c8a944b4a6a04f1a3e1042c7b590fd05c42e0cb67acdd264
  SHA512: 09791bb8d270ecdcbdd1b4b2ab45f711cccd2d1035a30efb82df4b69749d63439213043ecad251946ea2ee2ba41eac29bdb771d8ca8cf03e9361a18254e71813
- Filesize: 394KB
  MD5: 40b9226a7da2e7b42b051cfd8b0cc5be
  SHA1: 3e68d73e14696acb245a233472797a8aec8aa7c2
  SHA256: 258df03e7af46a9bdb068ebabdea47cb8e9797ab23863470495890f9f036fa25
  SHA512: f391c913f73dfe092cde125c7283f6f9d64d61056dc34badc00eca1896379631adc40884cc82c0a547f1b060fd86ef56aae04c87fe7d0be93472db400dbc0cd0
- Filesize: 365KB
  MD5: 01c404e834818ca8eabe9fe6c322cd4a
  SHA1: 7b7676e08cfbb3c93c4ca5d742ae9da1db929d55
  SHA256: 2fa0939efd5437f0151cca497890dcaee3f4dce2568edbe5bb2483ce0116e105
  SHA512: 1d0a9142a448f2db5aeef44e5a084169677bc71fd3c5996b19090a87d6de493493def6507e81760d27c045a8f71476ae10d78e2b77433040ad09165fb502af7a
- Filesize: 174KB
  MD5: 2176a84304b74fb5ecca37c2c88b9e04
  SHA1: f0b42493e0da6f3c04ad2e529780058a5226836e
  SHA256: ca9993f60db0e0d2db02204db002d5e815b0e380a558d04a99bcbb2149a9a9d6
  SHA512: ccf51a393036e44575190b9119b74bdb5d156a9fc9c74bc8b214b776d27988e3fda086557796dfc055855104541b40965f597a3197dc818e4d3bc5a81220692a