Analysis
max time kernel: 275s
max time network: 291s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/10/2023, 22:18
Static task
static1
Behavioral task
behavioral1
Sample
1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
Resource
win10-20231020-en
General
Target: 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
Size: 1.1MB
MD5: 726211d761490028db412b94f41560cd
SHA1: 35e2eaa4aef889f7ed15ba77c7a06790e983a507
SHA256: 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4
SHA512: 290d47a1f42171474266fb2626ee9b0b02a81d337ccdbfd74355fe86c089fe4d8b63f7b804fe16ed0fed5ac27dcec2460ca13e91b252a399509d04bdd5da8abc
SSDEEP: 24576:ey95/7BePPX9rVOgu6sz8O2K8UZhPfZnrwdidLlhl+2fYe:t9VEP1xOLP6SPWEHlTf
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource | yara_rule
behavioral2/files/0x000600000001abf0-39.dat | family_redline
behavioral2/files/0x000600000001abf0-40.dat | family_redline
behavioral2/memory/4008-45-0x00000000006D0000-0x000000000070E000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
2536 | Rs9Pc2fH.exe
2292 | eR5fv0Ub.exe
3252 | oG1hS0CJ.exe
3700 | Go0AG3VT.exe
5020 | 1AE46Yf6.exe
4008 | 2ns475Vf.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Rs9Pc2fH.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | eR5fv0Ub.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | oG1hS0CJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | Go0AG3VT.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 5020 set thread context of 4940 | 5020 | 1AE46Yf6.exe | 76
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4084 | 4940 | WerFault.exe | 76
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 4420 wrote to memory of 2536 | 4420 | 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe | 71
PID 4420 wrote to memory of 2536 | 4420 | 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe | 71
PID 4420 wrote to memory of 2536 | 4420 | 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe | 71
PID 2536 wrote to memory of 2292 | 2536 | Rs9Pc2fH.exe | 72
PID 2536 wrote to memory of 2292 | 2536 | Rs9Pc2fH.exe | 72
PID 2536 wrote to memory of 2292 | 2536 | Rs9Pc2fH.exe | 72
PID 2292 wrote to memory of 3252 | 2292 | eR5fv0Ub.exe | 73
PID 2292 wrote to memory of 3252 | 2292 | eR5fv0Ub.exe | 73
PID 2292 wrote to memory of 3252 | 2292 | eR5fv0Ub.exe | 73
PID 3252 wrote to memory of 3700 | 3252 | oG1hS0CJ.exe | 74
PID 3252 wrote to memory of 3700 | 3252 | oG1hS0CJ.exe | 74
PID 3252 wrote to memory of 3700 | 3252 | oG1hS0CJ.exe | 74
PID 3700 wrote to memory of 5020 | 3700 | Go0AG3VT.exe | 75
PID 3700 wrote to memory of 5020 | 3700 | Go0AG3VT.exe | 75
PID 3700 wrote to memory of 5020 | 3700 | Go0AG3VT.exe | 75
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 5020 wrote to memory of 4940 | 5020 | 1AE46Yf6.exe | 76
PID 3700 wrote to memory of 4008 | 3700 | Go0AG3VT.exe | 77
PID 3700 wrote to memory of 4008 | 3700 | Go0AG3VT.exe | 77
PID 3700 wrote to memory of 4008 | 3700 | Go0AG3VT.exe | 77
Processes
1. C:\Users\Admin\AppData\Local\Temp\1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe"
   PID: 4420
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rs9Pc2fH.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rs9Pc2fH.exe
      PID: 2536
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eR5fv0Ub.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eR5fv0Ub.exe
         PID: 2292
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oG1hS0CJ.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oG1hS0CJ.exe
            PID: 3252
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Go0AG3VT.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Go0AG3VT.exe
               PID: 3700
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE46Yf6.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE46Yf6.exe
                  PID: 5020
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                     Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                     PID: 4940
                     8. C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 568
                        PID: 4084
                        - Program crash
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ns475Vf.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ns475Vf.exe
                  PID: 4008
                  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads