Analysis
max time kernel: 138s
max time network: 156s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14/10/2023, 08:50
Static task: static1
Behavioral task: behavioral1
Sample: 477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
Resource: win10-20230915-en
General
Target: 477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
Size: 1.5MB
MD5: 27a377d27d16aa9df83edabfd23b565a
SHA1: 4d4d71f95db9e6b0e80c1decfd7e587b71e5663d
SHA256: 477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db
SHA512: f89a2dc0b7b7a9e9843dcaed4c436a0ea6d485bfe5e741cdef46de3dc6f21c6f55194cc47d98efda2f3483b8a5f6df854282af8dface09758496d7aa9651010a
SSDEEP: 24576:3y1IC/BgLwm1SaGpzU4VpCDyRmtsN8YtTFRUgZy9qBhlJiLD7ef0nkK8JkrM:Cf/lajcpC3tsN8EBRd8kblJiLD7znkk
Malware Config
Extracted
Family: redline
Botnet: kukish
C2: 77.91.124.55:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x000600000001afa0-39.dat                                   family_redline
behavioral1/files/0x000600000001afa0-40.dat                                   family_redline
behavioral1/memory/2416-45-0x0000000000EC0000-0x0000000000EFE000-memory.dmp   family_redline

Executes dropped EXE (6 IoCs)
pid   Process
3752  xQ9FN8xn.exe
2824  yw8Yt8qc.exe
2728  nP5sl3PK.exe
4236  Cj9AV7id.exe
2712  1an99dM7.exe
2416  2BA930jt.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
Process: nP5sl3PK.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
Process: Cj9AV7id.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: xQ9FN8xn.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: yw8Yt8qc.exe

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process       procid_target
PID 2712 set thread context of 1220   2712  1an99dM7.exe  76

Program crash (1 IoCs)
pid  pid_target  Process       procid_target
164  1220        WerFault.exe  76

Suspicious use of WriteProcessMemory (28 IoCs)
description                        pid   Process                                                                 procid_target
PID 5024 wrote to memory of 3752   5024  477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe   70
PID 5024 wrote to memory of 3752   5024  477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe   70
PID 5024 wrote to memory of 3752   5024  477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe   70
PID 3752 wrote to memory of 2824   3752  xQ9FN8xn.exe                                                            71
PID 3752 wrote to memory of 2824   3752  xQ9FN8xn.exe                                                            71
PID 3752 wrote to memory of 2824   3752  xQ9FN8xn.exe                                                            71
PID 2824 wrote to memory of 2728   2824  yw8Yt8qc.exe                                                            72
PID 2824 wrote to memory of 2728   2824  yw8Yt8qc.exe                                                            72
PID 2824 wrote to memory of 2728   2824  yw8Yt8qc.exe                                                            72
PID 2728 wrote to memory of 4236   2728  nP5sl3PK.exe                                                            73
PID 2728 wrote to memory of 4236   2728  nP5sl3PK.exe                                                            73
PID 2728 wrote to memory of 4236   2728  nP5sl3PK.exe                                                            73
PID 4236 wrote to memory of 2712   4236  Cj9AV7id.exe                                                            74
PID 4236 wrote to memory of 2712   4236  Cj9AV7id.exe                                                            74
PID 4236 wrote to memory of 2712   4236  Cj9AV7id.exe                                                            74
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 2712 wrote to memory of 1220   2712  1an99dM7.exe                                                            76
PID 4236 wrote to memory of 2416   4236  Cj9AV7id.exe                                                            77
PID 4236 wrote to memory of 2416   4236  Cj9AV7id.exe                                                            77
PID 4236 wrote to memory of 2416   4236  Cj9AV7id.exe                                                            77
Processes (nesting depth in brackets)

[1] image: C:\Users\Admin\AppData\Local\Temp\477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe"
    PID: 5024
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe
      PID: 3752
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe
        PID: 2824
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

      [4] image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe
          PID: 2728
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

        [5] image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe
            PID: 4236
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

          [6] image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe
              PID: 2712
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory

            [7] image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                PID: 1220

              [8] image: C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 568
                  PID: 164
                  - Program crash

          [6] image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe
              PID: 2416
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 3a9498ef02f9064e0ac360c26d00d943
SHA1: 617f6dbe66aa0139c2e99a4f053a36860565e93e
SHA256: c7919166bb6e4ef0ee07d865375e08a84cfab05ccc4007e03c2ee50da49e617b
SHA512: 60736b50ab7ae6b7cdb436139ddce046c3fe100df227b03bdb76e4f8c46d2992100483637dcf351ccaadef5b5de791573d5683e13e0720661caeb4ec9be9333e

Filesize: 1.2MB
MD5: d375f511438636562992f7f7bc73bf10
SHA1: 1f9b8c46af3d4e2dac20bdb75ee7a0b7c031e43f
SHA256: c3aaa8db149c2d4cc4eb61bb400d3e00dddad32b5f4da7a231b64aec34e03346
SHA512: a16b02949ac3dd1dd0245dedc73efd322781dc800faa3b47b8adc5364064e70048c88107ddc2591d1984441c51399ef6ec43046215ccd53be6988778f4e96372

Filesize: 782KB
MD5: 8b757cbde5ba54c44f56d67abd60d4f3
SHA1: ae6af1e4e7e0c34f2c95af22a8dc11f775a32f6a
SHA256: 7a66930b790514bb04da619c7307e9896d97dca1933949c50a7f814f63994bb6
SHA512: 381a22d82c997cb9abd10bc0d8559cdaf3e744e485d2bf60449bd478cc7aa99f4054ebd9aef2ae4c6190eb2d27a4ff90b945908b0ba46d5e633533af941e6fef

Filesize: 581KB
MD5: 23eb4bb71703067527c3911067f3ac39
SHA1: 8c82d461f93d5ce11a6039a4b44f2e429cbb9f06
SHA256: 917ac1d7e4b41e1bbedef201014de0013f4536bebf6cb1527be4fce647bf538d
SHA512: ae633bf14171fe4210cb985ea479989713a580bd5dc214beb03a4406c125b576b32fc3fd97f1131049b91cb13f2016ad64ffa1f224aeb223be6254784439049c

Filesize: 1.1MB
MD5: 6ef68ec5b2d91cbc9c66fa0553e527ec
SHA1: 8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2
SHA256: 8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f
SHA512: 1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Filesize: 222KB
MD5: ca2da7d9a152e2b133f095fb49a7055a
SHA1: 639fedda2b77f6b416f184c5da648d3306fac76c
SHA256: 73868efb657845c63d642599b0267ccf7dd6112586f3fc0996a47dac86dbba82
SHA512: 25565324bb7b964df9a7df98b15c6492b08bd3da007473da503998ed7e51e0009acde51e010bd41c384883a2c5412007843b23d20fc83c10fb1c29268284869b