Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
303cef1108b...25.exe
windows10-2004-x64
10062bf5eda9...2b.exe
windows10-2004-x64
101c0cc29edf...ac.exe
windows10-2004-x64
101c46e1db34...f7.exe
windows10-2004-x64
1020811d5e08...84.exe
windows10-2004-x64
1028627b3333...c8.exe
windows10-2004-x64
10437213eb4b...b5.exe
windows10-2004-x64
1054a19d5a7a...d8.exe
windows10-2004-x64
106407653fb9...7c.exe
windows10-2004-x64
106dd993cade...4e.exe
windows10-2004-x64
10764d92d88b...5f.exe
windows10-2004-x64
109c51d813e0...74.exe
windows7-x64
39c51d813e0...74.exe
windows10-2004-x64
10b813f799e9...17.exe
windows10-2004-x64
10bc2ed7f926...f9.exe
windows10-2004-x64
10c1a9af1ad6...d5.exe
windows10-2004-x64
10cf90d774fa...01.exe
windows10-2004-x64
10e65fa29126...d8.exe
windows10-2004-x64
10e81854abc9...1a.exe
windows10-2004-x64
10ed835b70d5...6c.exe
windows10-2004-x64
10f48c36cb91...ef.exe
windows10-2004-x64
10Analysis
-
max time kernel
142s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 18:21
Static task
static1
Behavioral task
behavioral1
Sample
03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1c0cc29edf3fda05ac6cd12ee7acdaf9ca6233c60ef212f53b42d088f670c7ac.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
1c46e1db345610fe8ef6a2fe37c7407b77ab614fd47b00a74971f892275e38f7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
437213eb4b67386b44ee8203e45489fe45f788fa215cc4f60982184a2231a6b5.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral8
Sample
54a19d5a7a4bbca3496b0edc5d80a240350e944513622d242341964e048d96d8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
6407653fb96eb144397cd5292be81f74ffb0eb8949a8d73e1a21ee3c9e85f97c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6dd993cadea9e368a14c0ab840b0e2d0dd3ca3d699734998da4237aed7f2354e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
cf90d774faa53f828a5c0c7fd9b7693ab9e6a5b59349863524aae5284b993f01.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e65fa291263fc43fdfd3ce7a071b11f1ea2a2f55c02321bfd476a1d4c33e7bd8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef.exe
Resource
win10v2004-20240426-en
General
-
Target
28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe
-
Size
857KB
-
MD5
237c39297542fa123e7be74d1eaae4e8
-
SHA1
e4473b2e8bb53b9fc2b0f7e9c4e31721fcb9f0a9
-
SHA256
28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8
-
SHA512
a16b6f0ea0e24b4f5898ceaf363599d682d4ad38e4b1f67dbf13d1a2272a49b2d042362816fccde43de295f7354e0c1b62c0e7b9f7c1a378c3431fc4145f5a13
-
SSDEEP
24576:lyJLHvLRaQFKWeHcPlaBbI29NLrunu79Tf:AJFKWG2cI29NnuCl
Malware Config
Extracted
redline
kira
77.91.68.48:19071
-
auth_value
1677a40fd8997eb89377e1681911e9c6
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral6/memory/3044-16-0x0000000000440000-0x0000000000470000-memory.dmp family_redline behavioral6/memory/3044-19-0x0000000000400000-0x000000000043A000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 1228 x9434757.exe 3044 f1115157.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x9434757.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1280 wrote to memory of 1228 1280 28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe 82 PID 1280 wrote to memory of 1228 1280 28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe 82 PID 1280 wrote to memory of 1228 1280 28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe 82 PID 1228 wrote to memory of 3044 1228 x9434757.exe 84 PID 1228 wrote to memory of 3044 1228 x9434757.exe 84 PID 1228 wrote to memory of 3044 1228 x9434757.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe"C:\Users\Admin\AppData\Local\Temp\28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9434757.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9434757.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1115157.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1115157.exe3⤵
- Executes dropped EXE
PID:3044
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
756KB
MD517612205140dbf13fe18ecc01cf26827
SHA1f0cd309a1e5cefd09da363e18af50e028ff91c2b
SHA256e1e80454790db734118276070b090c5725a9a41b8ec05b228e977617b1d5cd86
SHA512081583c010d9d2a388c501003d609b40b889869bacc9fd1bedcc0b5fe83d34a809193d14be5137f136809d8cfa90aea3687708a5cbf5d2664b78b32948edb79f
-
Filesize
691KB
MD5b66f0db799260482b5631114186a4059
SHA1f32e8af8a9fefc3fdf8ebf6aee9c47cbf7d853b7
SHA25611ac4710e163fb5c6c4e973d060ebe02becd58bd351de75e1c31cbea8f513070
SHA512f0d4103cc773c25df02b46d277799e5d35f6d80c29a72b815a615662185b3a48300cd80c8539136d6fa10bc42281bd20af2d5c092474bd405a08197d838d354c