Analysis
max time kernel: 136s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 16/10/2023, 08:02
Static task: static1
Behavioral task: behavioral1
Sample: 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe
Resource: win10-20230915-en
General
Target: 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe
Size: 1.1MB
MD5: e7607d4fa7ba9243de7bebf6e31ff5e3
SHA1: 5e374f01dbc9c4c2eda1d46442d0078433f51c68
SHA256: 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a
SHA512: 5b5040d7ba536db055783ecb62dec79d207b063705d6fbf50af55889c7146ada4a9cd30021c30a2f624f5a536ae06dd058f8fd734df6639d14d03d4e58952dd3
SSDEEP: 24576:oyvrM8Qir/BiwbX+lUbnfXm5TnDwplIwMDZwgXC/uvx5oW+lay:vDt3r5i6XOUbfXm5Tn6ywMDehy4la
Malware Config
Extracted
Family: redline
Botnet: kukish
C2: 77.91.124.55:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 3 IoCs
resource | yara_rule
behavioral1/files/0x000600000001b005-39.dat | family_redline
behavioral1/files/0x000600000001b005-44.dat | family_redline
behavioral1/memory/4780-45-0x0000000000110000-0x000000000014E000-memory.dmp | family_redline

Executes dropped EXE 6 IoCs
pid | Process
944 | MS3Ht0Rm.exe
5112 | Mf8FA4Yn.exe
4444 | fV8yy1Sk.exe
4104 | qm0HE3Zk.exe
2608 | 1sh58Ac9.exe
4780 | 2bW128ze.exe

Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | MS3Ht0Rm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Mf8FA4Yn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | fV8yy1Sk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | qm0HE3Zk.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2608 set thread context of 4704 | 2608 | 1sh58Ac9.exe | 76

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4716 | 4704 | WerFault.exe | 76

Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target
PID 4768 wrote to memory of 944 | 4768 | 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe | 70
PID 4768 wrote to memory of 944 | 4768 | 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe | 70
PID 4768 wrote to memory of 944 | 4768 | 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe | 70
PID 944 wrote to memory of 5112 | 944 | MS3Ht0Rm.exe | 71
PID 944 wrote to memory of 5112 | 944 | MS3Ht0Rm.exe | 71
PID 944 wrote to memory of 5112 | 944 | MS3Ht0Rm.exe | 71
PID 5112 wrote to memory of 4444 | 5112 | Mf8FA4Yn.exe | 72
PID 5112 wrote to memory of 4444 | 5112 | Mf8FA4Yn.exe | 72
PID 5112 wrote to memory of 4444 | 5112 | Mf8FA4Yn.exe | 72
PID 4444 wrote to memory of 4104 | 4444 | fV8yy1Sk.exe | 73
PID 4444 wrote to memory of 4104 | 4444 | fV8yy1Sk.exe | 73
PID 4444 wrote to memory of 4104 | 4444 | fV8yy1Sk.exe | 73
PID 4104 wrote to memory of 2608 | 4104 | qm0HE3Zk.exe | 74
PID 4104 wrote to memory of 2608 | 4104 | qm0HE3Zk.exe | 74
PID 4104 wrote to memory of 2608 | 4104 | qm0HE3Zk.exe | 74
PID 2608 wrote to memory of 2572 | 2608 | 1sh58Ac9.exe | 75
PID 2608 wrote to memory of 2572 | 2608 | 1sh58Ac9.exe | 75
PID 2608 wrote to memory of 2572 | 2608 | 1sh58Ac9.exe | 75
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 2608 wrote to memory of 4704 | 2608 | 1sh58Ac9.exe | 76
PID 4104 wrote to memory of 4780 | 4104 | qm0HE3Zk.exe | 77
PID 4104 wrote to memory of 4780 | 4104 | qm0HE3Zk.exe | 77
PID 4104 wrote to memory of 4780 | 4104 | qm0HE3Zk.exe | 77
Processes
Process tree (nesting depth, command line, PID, matched signatures):

1. "C:\Users\Admin\AppData\Local\Temp\5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe" (PID 4768)
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MS3Ht0Rm.exe (PID 944)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mf8FA4Yn.exe (PID 5112)
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV8yy1Sk.exe (PID 4444)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qm0HE3Zk.exe (PID 4104)
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sh58Ac9.exe (PID 2608)
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  7. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 2572)
                  7. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 4704)
                     8. C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 200 (PID 4716)
                        - Program crash
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bW128ze.exe (PID 4780)
                  - Executes dropped EXE
Downloads