Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 18:24
Static task: static1
Behavioral task: behavioral1
Sample: 4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
Size: 479KB
MD5: 4097f39b2f4df3413e17f2edde16ef80
SHA1: 87034f08e1d3d5a39d2c9b1ee55de70ab782b9e3
SHA256: 66821762b2a591d0a9feba7726e852660e185a1f158f742fc459ee129cad4226
SHA512: 9a655ad0d7381e050006f6468d68aee3534e5205b7ebed9c79a9aa51fc0a5f5849aecd1186c39b9fa7c6990f61eb77b3a3e8dc07064688cc3331efaec05d9712
SSDEEP: 12288:YMrcy90XjE0KA0o4heYFe86n5xXT2ayW93iD:UygL0YY4Lj2aeD
Malware Config
Extracted: redline
dumud
217.196.96.101:4132
auth_value: 3e18d4b90418aa3e78d8822e87c62f5c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023429-12.dat | family_redline
behavioral1/memory/4456-15-0x0000000000D50000-0x0000000000D80000-memory.dmp | family_redline
Executes dropped EXE 2 IoCs
pid | Process
1656 | x3167573.exe
4456 | g7847907.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x3167573.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1320 wrote to memory of 1656 | 1320 | 4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe | 83
PID 1320 wrote to memory of 1656 | 1320 | 4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe | 83
PID 1320 wrote to memory of 1656 | 1320 | 4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe | 83
PID 1656 wrote to memory of 4456 | 1656 | x3167573.exe | 84
PID 1656 wrote to memory of 4456 | 1656 | x3167573.exe | 84
PID 1656 wrote to memory of 4456 | 1656 | x3167573.exe | 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID:1320

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:1656

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe
         - Executes dropped EXE
         PID:4456
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 307KB
MD5: b16e53bf8c31df4612c6d929fe180180
SHA1: 89b65a826c47294d98c3377d4255588874e126d8
SHA256: 7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77
SHA512: c0b0173bf1440693c36fa7c0cbc76ba8643a2487694eb69255181433d69b29ffcf6089c49604600331570ad5a886f176052e79e7dbcc5e4219e0db4e17fb49b3

Filesize: 168KB
MD5: 81f68822d19104305bdd0882aba3403e
SHA1: d94d613353d62c5df63f5df88185c47dd307346a
SHA256: c1874b4ff67ae37ad64be9f96b29c74c981575880f73521825cafd32c0123e99
SHA512: f6808c8fe0d0bf3b23cb197af13600b57e7cc38b4cb833edbb4a9a33871b12538a40db2c885244ea276d764db4b00a476108daf59a6229bb14274dabc021a116