Analysis
max time kernel: 140s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 04:51
Static task: static1
Behavioral task: behavioral1
  Sample: bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
  Resource: win10v2004-20230915-en
General
Target: bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
Size: 567KB
MD5: 2cc6cd76d79dcf0755db05f04f40f085
SHA1: a2ff4b22b3da8cd8b2a8c8764f0071a3b7403ad7
SHA256: bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4
SHA512: 4473555da2d416a288695c311e02f84ef615b2ffd5faf13d3ce3fbf857343bcd4d4053cf36d64dd0095b21e315a63e798f83d14db0ec615d0564b1a065bcf3e2
SSDEEP: 12288:RMriy90qbRcrpfFoSiLHw/S71LzUpjlCM9tdTDD:TyN1crni8WzUpZCMZ
Malware Config
Extracted
Family: redline
Botnet: trush
C2: 77.91.124.82:19071
Attributes
  auth_value: c13814867cde8193679cd0cad2d774be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (4 IoCs)
pid   Process
4636  v3717937.exe
2988  a4204768.exe
3388  b6377477.exe
4356  c8533066.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: v3717937.exe

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process       procid_target
PID 2988 set thread context of 3316  2988  a4204768.exe  92
PID 3388 set thread context of 2656  3388  b6377477.exe  104

Program crash (3 IoCs)
pid   pid_target  Process       procid_target
1344  2988        WerFault.exe  88
4220  3388        WerFault.exe  95
2372  2656        WerFault.exe  104

Suspicious use of WriteProcessMemory (33 IoCs)
description                        pid   Process                                                                 procid_target
PID 2708 wrote to memory of 4636   2708  bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe  87
PID 2708 wrote to memory of 4636   2708  bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe  87
PID 2708 wrote to memory of 4636   2708  bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe  87
PID 4636 wrote to memory of 2988   4636  v3717937.exe                                                            88
PID 4636 wrote to memory of 2988   4636  v3717937.exe                                                            88
PID 4636 wrote to memory of 2988   4636  v3717937.exe                                                            88
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 2988 wrote to memory of 3316   2988  a4204768.exe                                                            92
PID 4636 wrote to memory of 3388   4636  v3717937.exe                                                            95
PID 4636 wrote to memory of 3388   4636  v3717937.exe                                                            95
PID 4636 wrote to memory of 3388   4636  v3717937.exe                                                            95
PID 3388 wrote to memory of 2596   3388  b6377477.exe                                                            103
PID 3388 wrote to memory of 2596   3388  b6377477.exe                                                            103
PID 3388 wrote to memory of 2596   3388  b6377477.exe                                                            103
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 3388 wrote to memory of 2656   3388  b6377477.exe                                                            104
PID 2708 wrote to memory of 4356   2708  bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe  109
PID 2708 wrote to memory of 4356   2708  bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe  109
PID 2708 wrote to memory of 4356   2708  bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe  109
Processes
(process tree; the bracketed number is the nesting depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe (PID 2708)
    command line: "C:\Users\Admin\AppData\Local\Temp\bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe (PID 4636)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe (PID 2988)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3316)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1344)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 140
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6377477.exe (PID 3388)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6377477.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2596)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2656)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 2372)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 540
            - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 4220)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 136
          - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8533066.exe (PID 4356)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8533066.exe
      - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe (PID 5100)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2988 -ip 2988
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1988)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3388 -ip 3388
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2512)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2656 -ip 2656
Downloads

Filesize: 18KB
MD5: e6035776afbc928f163051af77a758b1
SHA1: 27cb235a2790a06b6bef4062ab6ff2eca8923456
SHA256: 3f8c47f4a1fed2fb66d217fd70f34acbdb9f21906e312c7f187bb797c60ae84f
SHA512: 1fcbac7d028bd703613c79e16d07349e05d124a805083ff428ff749382973e7f7759541f02a7eefeae9bcc5ed3fc61f7e214c54fdf5b4f68d0d3cf3b08139753

Filesize: 466KB
MD5: 8c8173baf2e67a940c8c48c03beac9f6
SHA1: 6216ee2c5270a80d343eed95cac68bfe5186837a
SHA256: 847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2
SHA512: 2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Filesize: 707KB
MD5: 9ab016785e50278a579af890aab259cc
SHA1: d67d6fab2a2194102c59d94945388d016003e55d
SHA256: 712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6
SHA512: f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Filesize: 700KB
MD5: 9fd9c5c643a0cb93fc9782db5125dd25
SHA1: 8eaefb900f80a5583b01b29de246deb553a9183f
SHA256: 12c83592f8c1c720dd3b4c12dd81fa2b24f3345a7074771917203e21be40b6d8
SHA512: eac6df8deae47512d0e56973836ac4cf8728762a3aeef7f1fdc377222755a5d5e90ab080898f40fc3936f7b5cd0216b13da2815541bf7808212b414f799a1134