Analysis
  max time kernel: 139s
  max time network: 156s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 12/10/2023, 05:15
Static task: static1
Behavioral task: behavioral1
  Sample: x0543664.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: x0543664.exe
  Resource: win10v2004-20230915-en
General
  Target: x0543664.exe
  Size: 291KB
  MD5: d72e8eb9bc5f8e9b119f39216631733b
  SHA1: d8e29c1d02381d7339910f4f0aed1e0fc4e9fea9
  SHA256: 6508ea148ad32be86b59cadc266e2a72343e0dc3896742fd74bc324cb1a5ef57
  SHA512: 9b3a3188b794d03302d6657c834fcfa45d008a402e426afa36f17e28b8d20bbfc3d7a597e9d03e633f23db638751b40de90c3914882779d5da7bd0b902c8aa74
  SSDEEP: 6144:Kry+bnr+jp0yN90QEGAV5HR0zwDm88tH50brv3zFq:dMrjy907cHIbj3g
Malware Config
  Extracted: redline
    tuxiu
    77.91.124.82:19071
    auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  RedLine payload (5 IoCs)
    resource                                                                      yara_rule
    behavioral1/files/0x00050000000130e5-4.dat                                    family_redline
    behavioral1/files/0x00050000000130e5-7.dat                                    family_redline
    behavioral1/files/0x00050000000130e5-9.dat                                    family_redline
    behavioral1/files/0x00050000000130e5-8.dat                                    family_redline
    behavioral1/memory/1708-10-0x0000000000AC0000-0x0000000000AF0000-memory.dmp   family_redline
  Executes dropped EXE (1 IoC)
    pid   Process
    1708  h8131180.exe
  Loads dropped DLL (2 IoCs)
    pid   Process
    2016  x0543664.exe
    1708  h8131180.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: x0543664.exe
  Suspicious use of WriteProcessMemory (7 IoCs)
    description                       pid   Process       procid_target
    PID 2016 wrote to memory of 1708  2016  x0543664.exe  28
    (the same entry is recorded 7 times)
Processes
  C:\Users\Admin\AppData\Local\Temp\x0543664.exe  "C:\Users\Admin\AppData\Local\Temp\x0543664.exe"  PID:2016
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8131180.exe  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8131180.exe  PID:1708
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 174KB
  MD5: ac0b8c45614a0b94074d9f7a4cc76f38
  SHA1: 240b5d17766503fd7dfa2a7f8f05be2f7857dc8a
  SHA256: d7aa1acf2186822f215379df2f4731a9502aa6802dd8f4c87431e68ffb82fc74
  SHA512: 70abd5c774de1df94d4f89f6fc16734012135b1bab6c21f00da133c5f8194941f4bf118c449b8dd02ac087ff729bca63227140c56bebdaa7cefba560866ebff4