Analysis
max time kernel
287s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags
arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted
22/10/2023, 22:28
Static task
static1
Behavioral task
behavioral1
Sample
f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
Resource
win10-20231020-en
General
Target
f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
Size
1.1MB
MD5
d31549c62f36bb6910880a4e621ec890
SHA1
18242b20daf81c2d9fb144c41f782ec7c53028e7
SHA256
f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504
SHA512
5b1d64b0940efe36e794235d8e4358933a56f1657d7d31a27728a8825963d4952c50e1fce84492055b573ee429b38a8b26ffb73f6d3c69d651cfbdaade571ad0
SSDEEP
24576:ayDqKzQ22INnFuCQJ1mSo6LHEEq7vxsPqhsHEDrEfW6C:hDBzHzDkEEi2qeHqwfW6
Malware Config
Extracted
Family
redline
Botnet
kukish
C2
77.91.124.55:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource  yara_rule
behavioral2/files/0x000600000001ac3a-39.dat  family_redline
behavioral2/files/0x000600000001ac3a-40.dat  family_redline
behavioral2/memory/308-45-0x0000000000310000-0x000000000034E000-memory.dmp  family_redline

Executes dropped EXE (6 IoCs)
pid   Process
2472  uJ9LL1Bk.exe
4520  ax6WB3TS.exe
1652  jb0Cp7gG.exe
4448  qc0Cb6GH.exe
2616  1LU39YQ5.exe
308   2Gt192Uj.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  uJ9LL1Bk.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  ax6WB3TS.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  jb0Cp7gG.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  qc0Cb6GH.exe

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 2616 set thread context of 168  2616  1LU39YQ5.exe  76

Program crash (1 IoC)
pid   pid_target  Process       procid_target
4128  168         WerFault.exe  76

Suspicious use of WriteProcessMemory (28 IoCs; identical rows collapsed, the count column gives the number of calls)
description  pid  Process  procid_target  calls
PID 3648 wrote to memory of 2472  3648  f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe  71  3
PID 2472 wrote to memory of 4520  2472  uJ9LL1Bk.exe  72  3
PID 4520 wrote to memory of 1652  4520  ax6WB3TS.exe  73  3
PID 1652 wrote to memory of 4448  1652  jb0Cp7gG.exe  74  3
PID 4448 wrote to memory of 2616  4448  qc0Cb6GH.exe  75  3
PID 2616 wrote to memory of 168   2616  1LU39YQ5.exe  76  10
PID 4448 wrote to memory of 308   4448  qc0Cb6GH.exe  77  3
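Read together, the WriteProcessMemory, SetThreadContext, Program crash and Run key rows above tell one story: five nested IExpress (wextract) layers, each writing the next extractor into an IXPnnn.TMP directory and registering a wextract_cleanup RunOnce value; the innermost layer launches 1LU39YQ5.exe, which writes ten regions into a freshly started .NET AppLaunch.exe (pid 168) and resets its thread context, the create-suspended/write/SetThreadContext/resume pattern of process hollowing, after which WerFault reports pid 168 crashing; the sibling 2Gt192Uj.exe (pid 308) is the process whose memory dump matched the RedLine yara rule. Two caveats a practitioner should keep in mind: the wextract_cleanup RunOnce values are IExpress's own self-cleanup (advpack.dll DelNodeRunDLL32 deletes the extraction directory at next logon), a reliable fingerprint of IExpress-wrapped droppers but not persistence for the payload; and the hollowed AppLaunch.exe dying under WerFault means the injected stage never ran to completion in this Windows 10 task, so its behaviour is not in this report. The script below is an added example, not part of the tria.ge report, that parses these rows and derives each conclusion automatically. The row text is copied from this page (the repeat multipliers reproduce the report's duplicated WriteProcessMemory rows); the regexes and the EXTRA_NAMES mapping are this example's own assumptions about the row layout.

```python
import re
from collections import defaultdict

# Signature rows from this report, reproduced as constructed test input. The report
# lists one WriteProcessMemory row per call; the multipliers reproduce those counts.
WPM_ROWS = "\n".join(
    ["PID 3648 wrote to memory of 2472 3648 f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe 71"] * 3
    + ["PID 2472 wrote to memory of 4520 2472 uJ9LL1Bk.exe 72"] * 3
    + ["PID 4520 wrote to memory of 1652 4520 ax6WB3TS.exe 73"] * 3
    + ["PID 1652 wrote to memory of 4448 1652 jb0Cp7gG.exe 74"] * 3
    + ["PID 4448 wrote to memory of 2616 4448 qc0Cb6GH.exe 75"] * 3
    + ["PID 2616 wrote to memory of 168 2616 1LU39YQ5.exe 76"] * 10
    + ["PID 4448 wrote to memory of 308 4448 qc0Cb6GH.exe 77"] * 3
)
STC_ROWS = "PID 2616 set thread context of 168 2616 1LU39YQ5.exe 76"
CRASH_ROWS = "4128 168 WerFault.exe 76"
RUNONCE_ROWS = r"""
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" uJ9LL1Bk.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ax6WB3TS.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" jb0Cp7gG.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" qc0Cb6GH.exe
"""
# Assumed mapping for PIDs that never appear as a writer (taken from the Processes tree).
EXTRA_NAMES = {168: "AppLaunch.exe", 308: "2Gt192Uj.exe"}

# Row layouts are assumptions about this report's text, not a tria.ge API.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+$")
CRASH_RE = re.compile(r"(\d+) (\d+) WerFault\.exe \d+$")
RUNONCE_RE = re.compile(r'RunOnce\\wextract_cleanup(\d+) = "(.*)" (\S+)$')
IXP_RE = re.compile(r"IXP\d{3}\.TMP")

def parse_edges(text, regex):
    """Return ({(src_pid, dst_pid): call_count}, {src_pid: image_name})."""
    counts, names = defaultdict(int), {}
    for line in text.strip().splitlines():
        m = regex.match(line.strip())
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            counts[(src, dst)] += 1
            names[src] = m.group(3)
    return dict(counts), names

def dropper_chain(edges, root):
    """Longest parent->child path from the root: the unpacking chain itself."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    best, stack = [root], [[root]]
    while stack:
        path = stack.pop()
        if len(path) > len(best):
            best = path
        stack.extend(path + [c] for c in sorted(children[path[-1]]))
    return best

def hollowing_candidates(wpm_counts, stc_counts):
    """A parent that both writes into a child and resets its thread context matches the
    create-suspended / write / SetThreadContext / resume hollowing pattern. [(src, dst, writes)]"""
    return sorted((s, d, n) for (s, d), n in wpm_counts.items() if (s, d) in stc_counts)

def crashed_after_injection(crash_text, candidates):
    """Hollowed hosts that WerFault later reported: the injected payload died."""
    crashed = set()
    for line in crash_text.strip().splitlines():
        m = CRASH_RE.match(line.strip())
        if m:
            crashed.add(int(m.group(2)))
    return [(s, d) for s, d, _ in candidates if d in crashed]

def iexpress_layers(runonce_text):
    """One wextract_cleanup RunOnce value per IExpress layer: (index, IXP dir, setter)."""
    layers = []
    for line in runonce_text.strip().splitlines():
        m = RUNONCE_RE.search(line.strip())
        if m:
            ixp = IXP_RE.search(m.group(2))
            layers.append((int(m.group(1)), ixp.group(0) if ixp else None, m.group(3)))
    return sorted(layers)

if __name__ == "__main__":
    wpm, names = parse_edges(WPM_ROWS, WPM_RE)
    stc, _ = parse_edges(STC_ROWS, STC_RE)
    names.update(EXTRA_NAMES)
    print("chain:", " -> ".join(f"{p}:{names.get(p, '?')}" for p in dropper_chain(wpm, 3648)))
    cands = hollowing_candidates(wpm, stc)
    print("hollowing:", cands, "crashed:", crashed_after_injection(CRASH_ROWS, cands))
    print("IExpress layers:", iexpress_layers(RUNONCE_ROWS))
```

The same functions work on any tria.ge report whose signature rows follow this layout: a chain longer than two or three hops of identically shaped WriteProcessMemory rows, each hop also setting a wextract_cleanup key, is the IExpress-nesting signature, and an edge that appears in both the WriteProcessMemory and SetThreadContext tables is the one to pull a memory dump from.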
Processes (indented by nesting depth; the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe"
    PID: 3648
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJ9LL1Bk.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJ9LL1Bk.exe
      PID: 2472
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ax6WB3TS.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ax6WB3TS.exe
        PID: 4520
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jb0Cp7gG.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jb0Cp7gG.exe
          PID: 1652
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qc0Cb6GH.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qc0Cb6GH.exe
            PID: 4448
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU39YQ5.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU39YQ5.exe
              PID: 2616
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                PID: 168
              [8] C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 168 -s 568
                  PID: 4128
                  - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gt192Uj.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gt192Uj.exe
              PID: 308
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads (each file is listed twice in the report; the duplicate entries are collapsed here)

Filesize
1.0MB
MD5
dbdcdb1cde294de9c8cbddee99e0f8b0
SHA1
5f8ef1045334298376161324e4ecce8cc3d86192
SHA256
4350b190efcec9b78992be24f5131c24bfdb0617d1297aa74cdf96692b2ac056
SHA512
dcea87b7d4bea51cb31a7034cee7244892b41f931302ebfd4c8b8c687950a28ea8d16aa191616bcb06a4a29f30e15410f525f26daf205d0802f86a5a2973ee18

Filesize
843KB
MD5
070848152214a72aec282eee0109a501
SHA1
a90bffb2c8f0de0bba32ef58d8ba26ceff87dc20
SHA256
97205ce5995083bdf5c2369ba7a4c443b583a290383af0cd10b57d799d1c1c77
SHA512
3dd73b492d25fabddc79dfc091b4972e0327ba4cd6029c02045735482bbc4bb578180e12b24f09beb87b0cee45141f1c4201618a7bb2046bf0804c0975723816

Filesize
593KB
MD5
7573b4633bff6cf0a548a2c6f05723d1
SHA1
394f6efcae97b60635b20f37385532d822d2602b
SHA256
6f11f090903a948dc44b0a39dc83b0d0698dc1014f61fe1da5b7db23e79c60ea
SHA512
dbd39dce8daa3d703ee9263555260a0166c04bc1d87756a4e2cb49b1dc775b7b1fca1468b7eacb5ccc42b5c28da0cd99144d64d6df49d55a9f10c5167ee54ffe

Filesize
398KB
MD5
17d4fdc6880b99a20d99038b87fb29a5
SHA1
af015129a2c4a0644f07103adbb9eb1e591216c9
SHA256
1f551bd34e2ca950d297d8ffd748b4c16be555e0a7578b0c1dd502e31cfaf277
SHA512
9e6045af3f6c0bbea82c1fa2e216045478c9dd639d6ffde1606c7d98a44469301341445e8d4ac080f6d41482205c4424fe65324a838d715556c2ffd07e142164

Filesize
320KB
MD5
9419c3cff65d99855cffd56f94a73c99
SHA1
c36716081f649ce638cedd4f052adacafaa5bafa
SHA256
d82af63a0ed8dee4d59b15a5bc1fab1b544da78f33fb18c862e71bd2698bd24e
SHA512
ad598870ea94b3f3841d67a9bf511d87481b599915d1da2c09857e36d21618675f96975c4d1d3b4828fd66fa20406a83deb59d9a00c2d0eb7eb58f5a5c26ccb1

Filesize
222KB
MD5
bf4559ec513ad2dc641ac343fbe748ce
SHA1
c865a0c2cabfe4f9d755203ceb25b6afc53b0709
SHA256
771a7fc4e260da9fd5e4be41cdb42a75742f6a3ece96f319a641fb8e13e7f2dc
SHA512
d9dc11e9c2c656baba7cb8ce24570bf74d432dac49ad2f6293dfa02195dde077c48e36a04fc098432314e99a44a96c5d6c2c5b2c4bd2a75c865a8c9302099854