Analysis
  max time kernel:  142s
  max time network: 154s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230915-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        16/10/2023, 00:25
Static task:     static1
Behavioral task: behavioral1
  Sample:   cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
  Resource: win10v2004-20230915-en
General
  Target: cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
  Size:   1.1MB
  MD5:    258e87fa967c3dc0c360fd63aa81d1bf
  SHA1:   334a591725643b0e44637d3c0577a818ab137718
  SHA256: cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f
  SHA512: c750db7e5e71d69d67ca6f924d2d80c2d0a5ef97e2334e171036359971696ae8a214f27e199b8cd24eef65d0add2a3e7a9bb90dbd2eb042702228d0a565f6690
  SSDEEP: 24576:IyEhhQqPRv/08vU7Sbuzp4BI+9bAen4P+vmEx+cSAnlKeB:P2PP1M8vqSCmIg9dmo+hS
Malware Config
  Extracted
    Family: redline
    Botnet: kukish
    C2:     77.91.124.55:19071
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x0006000000023227-41.dat                                   family_redline
  behavioral1/files/0x0006000000023227-42.dat                                   family_redline
  behavioral1/memory/3408-43-0x00000000008D0000-0x000000000090E000-memory.dmp   family_redline

Executes dropped EXE (6 IoCs)
  pid   Process
  4352  zC9Oc6gD.exe
  3508  Ml4IV5la.exe
  3596  uo1DA0QZ.exe
  3816  pe3Nm7Jr.exe
  1780  1YW21Wp9.exe
  3408  2AL736sq.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description      Process                                                                     ioc
  Set value (str)  cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
                   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str)  zC9Oc6gD.exe
                   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Set value (str)  Ml4IV5la.exe
                   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Set value (str)  uo1DA0QZ.exe
                   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Set value (str)  pe3Nm7Jr.exe
                   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""

Suspicious use of SetThreadContext (1 IoCs)
  description                              pid   Process        procid_target
  PID 1780 set thread context of 4856      1780  1YW21Wp9.exe   88

Program crash (2 IoCs)
  pid   pid_target  Process        procid_target
  3648  1780        WerFault.exe   86
  1792  4856        WerFault.exe   88

Suspicious use of WriteProcessMemory (28 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1380 wrote to memory of 4352     1380  cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe   82
  PID 1380 wrote to memory of 4352     1380  cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe   82
  PID 1380 wrote to memory of 4352     1380  cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe   82
  PID 4352 wrote to memory of 3508     4352  zC9Oc6gD.exe                                                              83
  PID 4352 wrote to memory of 3508     4352  zC9Oc6gD.exe                                                              83
  PID 4352 wrote to memory of 3508     4352  zC9Oc6gD.exe                                                              83
  PID 3508 wrote to memory of 3596     3508  Ml4IV5la.exe                                                              84
  PID 3508 wrote to memory of 3596     3508  Ml4IV5la.exe                                                              84
  PID 3508 wrote to memory of 3596     3508  Ml4IV5la.exe                                                              84
  PID 3596 wrote to memory of 3816     3596  uo1DA0QZ.exe                                                              85
  PID 3596 wrote to memory of 3816     3596  uo1DA0QZ.exe                                                              85
  PID 3596 wrote to memory of 3816     3596  uo1DA0QZ.exe                                                              85
  PID 3816 wrote to memory of 1780     3816  pe3Nm7Jr.exe                                                              86
  PID 3816 wrote to memory of 1780     3816  pe3Nm7Jr.exe                                                              86
  PID 3816 wrote to memory of 1780     3816  pe3Nm7Jr.exe                                                              86
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 1780 wrote to memory of 4856     1780  1YW21Wp9.exe                                                              88
  PID 3816 wrote to memory of 3408     3816  pe3Nm7Jr.exe                                                              95
  PID 3816 wrote to memory of 3408     3816  pe3Nm7Jr.exe                                                              95
  PID 3816 wrote to memory of 3408     3816  pe3Nm7Jr.exe                                                              95
Processes
[1] C:\Users\Admin\AppData\Local\Temp\cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe"
    PID: 1380
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zC9Oc6gD.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zC9Oc6gD.exe
      PID: 4352
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ml4IV5la.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ml4IV5la.exe
        PID: 3508
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uo1DA0QZ.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uo1DA0QZ.exe
          PID: 3596
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe3Nm7Jr.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe3Nm7Jr.exe
            PID: 3816
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW21Wp9.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW21Wp9.exe
              PID: 1780
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                PID: 4856
              [8] C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 540
                  PID: 1792
                  - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 604
                PID: 3648
                - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AL736sq.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AL736sq.exe
              PID: 3408
              - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4856 -ip 4856
    PID: 3480
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1780 -ip 1780
    PID: 5112
Network
MITRE ATT&CK Enterprise v15
Downloads