Analysis
- max time kernel: 135s
- max time network: 154s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 16/10/2023, 09:03

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
  - Resource: win10-20230915-en
General
- Target: d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
- Size: 1.1MB
- MD5: 836a38caaae69ce3f1f5fc23ced607a4
- SHA1: 15074e86cb042ffcaf2e2bdf4374a2bce8751733
- SHA256: d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922
- SHA512: 821b8df1cb39900f1ee29738352ecd6905f184d50144b80ea315d9374e0a9cd2c044082925a42a31bb33a61ca284284d362e7f476b0064a0bb3d03a2198d8152
- SSDEEP: 24576:zyZ0ZGQqWbWXLyCUlv8dhy6u57OeOEfrfZK/DOAwyWCSD2hkuPyaNQ2:GCEallv+ru5TOEfzFihv
Malware Config
Extracted
- Family: redline
- Botnet: kukish
- C2: 77.91.124.55:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x000600000001af61-41.dat | family_redline
behavioral1/files/0x000600000001af61-44.dat | family_redline
behavioral1/memory/4884-45-0x0000000000360000-0x000000000039E000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
pid | Process
4772 | wj2Sc1wu.exe
4708 | Vt4Sp5Po.exe
4524 | Tp5Er8ax.exe
4824 | Fn3zL6nr.exe
2120 | 1SH39BH0.exe
4884 | 2Lt723oN.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | wj2Sc1wu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Vt4Sp5Po.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Tp5Er8ax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | Fn3zL6nr.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2120 set thread context of 1892 | 2120 | 1SH39BH0.exe | 74

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4192 | 1892 | WerFault.exe | 74

Suspicious use of WriteProcessMemory (28 IoCs; identical entries collapsed, the last column gives the number of repetitions)
description | pid | Process | procid_target | count
PID 2212 wrote to memory of 4772 | 2212 | d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe | 69 | 3
PID 4772 wrote to memory of 4708 | 4772 | wj2Sc1wu.exe | 70 | 3
PID 4708 wrote to memory of 4524 | 4708 | Vt4Sp5Po.exe | 71 | 3
PID 4524 wrote to memory of 4824 | 4524 | Tp5Er8ax.exe | 72 | 3
PID 4824 wrote to memory of 2120 | 4824 | Fn3zL6nr.exe | 73 | 3
PID 2120 wrote to memory of 1892 | 2120 | 1SH39BH0.exe | 74 | 10
PID 4824 wrote to memory of 4884 | 4824 | Fn3zL6nr.exe | 75 | 3
Processes (indentation shows the parent/child relationship; the bracketed number is the depth in the process tree)

- [1] C:\Users\Admin\AppData\Local\Temp\d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe"
  PID: 2212
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe
    PID: 4772
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe
      PID: 4708
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe
        PID: 4524
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe
          PID: 4824
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe
            PID: 2120
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 1892
              - [8] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 568
                PID: 4192
                Signatures: Program crash
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe
            PID: 4884
            Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.0MB
  MD5: 193963f09541048cf035b3504a388c92
  SHA1: 790b0fd99a4794eb958d166b239204b7f847b293
  SHA256: 89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e
  SHA512: 3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

- Filesize: 839KB
  MD5: 0be9ec8a4dd67da4d9bf82362b3281bb
  SHA1: 17c9321ce4e65362d79a5075fae2ffc2e12562fb
  SHA256: 607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b
  SHA512: 3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

- Filesize: 591KB
  MD5: 369740c6d89d313a48a795e543cb1c8f
  SHA1: b6891b018ce0cdd4f0e393f731c572e57dfd4927
  SHA256: 02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994
  SHA512: 1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

- Filesize: 396KB
  MD5: 0d0d9be70edd172d9f39f88c5120f2a8
  SHA1: 6a4b01a94d842f717f0430df6ae0fc2aee427812
  SHA256: 6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75
  SHA512: 50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

- Filesize: 314KB
  MD5: 8cef6a83ddb511ef699e1bdfdb430d20
  SHA1: 8839d5d82eef037dad8fa83771748829b3a98583
  SHA256: 9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b
  SHA512: e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

- Filesize: 222KB
  MD5: 24aaff529d54683757167da84006c817
  SHA1: b14ab5da418d25aa6952f9cda70e9893c5aded16
  SHA256: a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a
  SHA512: b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891