Analysis
- max time kernel: 293s
- max time network: 305s
- platform: windows10-1703_x64
- resource: win10-20231020-en
- resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24/10/2023, 06:09
- Static task: static1
- Behavioral task: behavioral1 (Sample: xY1ol9cz.exe, Resource: win7-20231023-en)
- Behavioral task: behavioral2 (Sample: xY1ol9cz.exe, Resource: win10-20231020-en)
General
- Target: xY1ol9cz.exe
- Size: 782KB
- MD5: 40b509736f2336f0ae4798e08093be25
- SHA1: aef0b5561edf2078238e0550b1468910c0730d2b
- SHA256: 5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81
- SHA512: 1e42ec6f3e618a4259c5c4b809f3109ff8807e5d83b7f37f541b3eba599f3fe153ea43002eabdfcc2bd4e5e21fc3ece00f95f35ae8c9c4cc09a61e0c07dad22d
- SSDEEP: 12288:/Mray90a9vSkBkezQqbtzOyWHCqr8pJ+FqGQplIkXEFS1+gz4HRLhQWy:JywckLqdpC8efQDtEFS4gEHVy
Malware Config
Extracted
- redline
- kukish
- 77.91.124.55:19071
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/files/0x000600000001abc4-18.dat                                  family_redline
  behavioral2/files/0x000600000001abc4-19.dat                                  family_redline
  behavioral2/memory/1368-24-0x0000000000C30000-0x0000000000C6E000-memory.dmp  family_redline
- Executes dropped EXE (3 IoCs)
  pid   Process
  3540  Lv0ai3dz.exe
  2604  1pm49Un8.exe
  1368  2hp794uB.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: Lv0ai3dz.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: xY1ol9cz.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 2604 set thread context of 4804  2604  1pm49Un8.exe  74
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2856  4804        WerFault.exe  74
- Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process       procid_target
  PID 2364 wrote to memory of 3540  2364  xY1ol9cz.exe  71
  PID 2364 wrote to memory of 3540  2364  xY1ol9cz.exe  71
  PID 2364 wrote to memory of 3540  2364  xY1ol9cz.exe  71
  PID 3540 wrote to memory of 2604  3540  Lv0ai3dz.exe  72
  PID 3540 wrote to memory of 2604  3540  Lv0ai3dz.exe  72
  PID 3540 wrote to memory of 2604  3540  Lv0ai3dz.exe  72
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 2604 wrote to memory of 4804  2604  1pm49Un8.exe  74
  PID 3540 wrote to memory of 1368  3540  Lv0ai3dz.exe  75
  PID 3540 wrote to memory of 1368  3540  Lv0ai3dz.exe  75
  PID 3540 wrote to memory of 1368  3540  Lv0ai3dz.exe  75
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\xY1ol9cz.exe (PID: 2364)
      command line: "C:\Users\Admin\AppData\Local\Temp\xY1ol9cz.exe"
      signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe (PID: 3540)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe (PID: 2604)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID: 4804)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - [5] C:\Windows\SysWOW64\WerFault.exe (PID: 2856)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 568
              signatures: Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe (PID: 1368)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe
          signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 581KB
  MD5: 47faacabe3e611fee8ca21df0ee60a3a
  SHA1: d7ce2a93a642faa7760fa90088472e04dadaa38c
  SHA256: bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf
  SHA512: 5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca
- Filesize: 581KB
  MD5: 47faacabe3e611fee8ca21df0ee60a3a
  SHA1: d7ce2a93a642faa7760fa90088472e04dadaa38c
  SHA256: bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf
  SHA512: 5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca
- Filesize: 1.1MB
  MD5: 6ef68ec5b2d91cbc9c66fa0553e527ec
  SHA1: 8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2
  SHA256: 8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f
  SHA512: 1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6
- Filesize: 1.1MB
  MD5: 6ef68ec5b2d91cbc9c66fa0553e527ec
  SHA1: 8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2
  SHA256: 8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f
  SHA512: 1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6
- Filesize: 222KB
  MD5: d049270ff6e8fdefaafc53820f3ea25a
  SHA1: 606c65b1c7a3c2400e14f4e97bac91027ce600ea
  SHA256: e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e
  SHA512: 74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347
- Filesize: 222KB
  MD5: d049270ff6e8fdefaafc53820f3ea25a
  SHA1: 606c65b1c7a3c2400e14f4e97bac91027ce600ea
  SHA256: e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e
  SHA512: 74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347