Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
  Resource: win10v2004-20230915-en
General
Target: cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
Size: 1.0MB
MD5: 2a6e11cfe25c5b88147a176f45c95c75
SHA1: 2713b7c35daac11e8a3361dd055efe41e9e1ecfe
SHA256: cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79
SHA512: 9b0a1f886504b2d23eebc438198c732a428bf7182a71a4f1c9c15cda343deb129ec03d84c0f9e32e5c26e1cd4814ae5f8fc7e7e341cf5f8ee5461afd23444dca
SSDEEP: 24576:ByAtcnpvkxwE99FkMcU9aD+Lfv49ch5yFniyad:0A0ZfE94U9r89eanU
Malware Config
Extracted
- redline
- tuxiu
- 77.91.124.82:19071
- auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x00070000000231e4-34.dat  family_redline
  - behavioral2/files/0x00070000000231e4-35.dat  family_redline
  - behavioral2/memory/3612-36-0x00000000007B0000-0x00000000007E0000-memory.dmp  family_redline
- Executes dropped EXE (5 IoCs)
  pid / Process:
  - 4600  x0534055.exe
  - 4568  x0021083.exe
  - 4484  x7905287.exe
  - 2444  g7829731.exe
  - 3612  h6040855.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x0534055.exe
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  x0021083.exe
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  x7905287.exe
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  - PID 2444 set thread context of 5088  2444  g7829731.exe  92
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
  - 1848  5088  WerFault.exe  92
  - 1960  2444  WerFault.exe  90
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target (identical rows collapsed, repeat count in parentheses):
  - PID 4056 wrote to memory of 4600  4056  cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe  87  (x3)
  - PID 4600 wrote to memory of 4568  4600  x0534055.exe  88  (x3)
  - PID 4568 wrote to memory of 4484  4568  x0021083.exe  89  (x3)
  - PID 4484 wrote to memory of 2444  4484  x7905287.exe  90  (x3)
  - PID 2444 wrote to memory of 5088  2444  g7829731.exe  92  (x10)
  - PID 4484 wrote to memory of 3612  4484  x7905287.exe  101  (x3)
Processes (tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe"
  PID: 4056
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0534055.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0534055.exe
    PID: 4600
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0021083.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0021083.exe
      PID: 4568
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7905287.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7905287.exe
        PID: 4484
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829731.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829731.exe
          PID: 2444
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 5088
            - C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 540
              PID: 1848
              signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 140
            PID: 1960
            signatures: Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6040855.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6040855.exe
          PID: 3612
          signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2444 -ip 2444
  PID: 4308
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5088 -ip 5088
  PID: 4724
Downloads