Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 18:24

General

  • Target

    4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe

  • Size

    479KB

  • MD5

    4097f39b2f4df3413e17f2edde16ef80

  • SHA1

    87034f08e1d3d5a39d2c9b1ee55de70ab782b9e3

  • SHA256

    66821762b2a591d0a9feba7726e852660e185a1f158f742fc459ee129cad4226

  • SHA512

    9a655ad0d7381e050006f6468d68aee3534e5205b7ebed9c79a9aa51fc0a5f5849aecd1186c39b9fa7c6990f61eb77b3a3e8dc07064688cc3331efaec05d9712

  • SSDEEP

    12288:YMrcy90XjE0KA0o4heYFe86n5xXT2ayW93iD:UygL0YY4Lj2aeD

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c
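
The extracted config gives one actionable network indicator, the C2 socket 217.196.96.101:4132. The following is an added example, not part of the tria.ge report, showing how a responder would turn that value into a sweep of Zeek conn.log records. The conn.log excerpt is constructed (internal hosts, uids, timestamps and the non-C2 destinations are made up); only the C2 host and port come from the report. `parse_c2_list` also accepts a comma- or newline-separated list, which is an assumption about how multi-C2 configs are rendered rather than something this report shows.

```python
import re

# Constructed Zeek conn.log excerpt (tab-separated, default field order, trimmed to
# the columns used here). The C2 socket 217.196.96.101:4132 is the one extracted in
# this report; the internal hosts, uids, timestamps and other destinations are made up.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
1715365458.114\tCk2a1b3Z4\t10.0.0.23\t49712\t217.196.96.101\t4132\ttcp\t-\t12.31\tSF
1715365459.201\tCx9q8Rr1L\t10.0.0.23\t49713\t13.107.4.50\t443\ttcp\tssl\t0.44\tSF
1715365460.330\tCm4Ff0Tt7\t10.0.0.41\t51022\t217.196.96.101\t80\ttcp\thttp\t0.10\tS0
1715365461.987\tCp7Hh2Uu9\t10.0.0.41\t51023\t217.196.96.101\t4132\ttcp\t-\t58.70\tSF
"""


def parse_c2_list(value):
    """Turn the C2 string from a RedLine config into (host, port) tuples.
    The report shows a single 'host:port'; comma- or newline-separated lists are
    accepted too (an assumption about the field format, not something this
    report shows)."""
    out = []
    for entry in re.split(r"[,\n]", value):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"unparseable C2 entry: {entry!r}")
        out.append((host, int(port)))
    return out


def parse_zeek_conn(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def find_c2_connections(conn_text, c2_value, host_only=False):
    """Return the records whose responder matches a C2 entry. With host_only the
    port is ignored, which catches the operator moving ports or the same host
    serving another stage on a different port, at the cost of more noise."""
    targets = parse_c2_list(c2_value)
    hosts = {h for h, _ in targets}
    sockets = set(targets)
    hits = []
    for rec in parse_zeek_conn(conn_text):
        resp = (rec["id.resp_h"], int(rec["id.resp_p"]))
        if resp in sockets or (host_only and resp[0] in hosts):
            hits.append({
                "uid": rec["uid"],
                "src": rec["id.orig_h"],
                "dst": f"{resp[0]}:{resp[1]}",
                "state": rec["conn_state"],
                "duration_s": float(rec["duration"]) if rec["duration"] != "-" else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(CONN_LOG, "217.196.96.101:4132"):
        print(hit)
```

The strict socket match returns the two long-lived sessions from 10.0.0.23 and 10.0.0.41; `host_only=True` also picks up the short port-80 contact from 10.0.0.41, which is worth a look but is not evidence of the stealer check-in by itself. The `botnet` and `auth_value` fields are only usable against decrypted traffic or memory, so they stay out of the network sweep.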

Signatures

  • RedLine

    RedLine Stealer is a credential- and data-stealing malware family written in C#, first seen in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe
        3⤵
        • Executes dropped EXE
        PID:4456
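
The process tree above is the characteristic two-level unpack: the submitted sample extracts x3167573.exe into IXP000.TMP, which in turn extracts g7847907.exe into IXP001.TMP, and only the innermost binary is the RedLine payload. IXPnnn.TMP under the user's Temp is the extraction directory naming used by IExpress/wextract self-extracting packages. The following is an added example, not part of the tria.ge report, that reconstructs such chains from Sysmon-style process-creation records and reports the outer dropper a responder should collect. The three malicious PIDs and image paths are the report's; the explorer.exe parent, its PID and the notepad.exe noise row are constructed.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1) modelled on the
# process tree in this report. PIDs 1320, 1656 and 4456 and their image paths are
# the report's, with parent links following the tree's nesting; the explorer.exe
# row, its PIDs and the notepad.exe noise row are made up.
EVENTS = [
    {"pid": 4012, "ppid": 700, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1320, "ppid": 4012,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe"},
    {"pid": 1656, "ppid": 1320,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe"},
    {"pid": 4456, "ppid": 1656,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe"},
    {"pid": 5120, "ppid": 4012, "image": r"C:\Windows\System32\notepad.exe"},
]

# A binary running from %LOCALAPPDATA%\Temp\IXPnnn.TMP\ is a stage dropped by an
# IExpress/wextract-style self-extractor. One such process is common enough in
# installers; two stacked in a single ancestry is the extract-run-extract pattern
# this sample shows.
IXP_STAGE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)


def is_ixp_stage(image):
    return IXP_STAGE.search(image) is not None


def ancestry(events, pid):
    """Walk ppid links from pid towards the root, child first. Stops when the
    parent was not logged or when a PID-reuse loop is detected."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_nested_ixp_chains(events, min_stages=2):
    """Flag IXP-stage processes whose ancestry holds at least min_stages IXP
    stages. Each hit names the first non-IXP ancestor above the outermost stage
    (the dropper to collect) and the PID chain from that dropper down."""
    hits = []
    for e in events:
        if not is_ixp_stage(e["image"]):
            continue
        chain = ancestry(events, e["pid"])
        stages = [p for p in chain if is_ixp_stage(p["image"])]
        if len(stages) < min_stages:
            continue
        idx = chain.index(stages[-1])      # outermost IXP stage
        path = chain[: idx + 2]            # ... plus its parent, if logged
        dropper = path[-1]["image"] if len(path) == idx + 2 else None
        hits.append({"dropper": dropper, "chain": [p["pid"] for p in reversed(path)]})
    return hits


if __name__ == "__main__":
    for hit in find_nested_ixp_chains(EVENTS):
        print(hit)
```

On the constructed events this yields one chain, 1320 -> 1656 -> 4456, rooted at the submitted NeikiAnalytics.exe. Raising `min_stages` to 3 returns nothing, which is the knob to turn if single-stage IExpress installers in the environment make the two-stage threshold too noisy.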

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe

    Filesize

    307KB

    MD5

    b16e53bf8c31df4612c6d929fe180180

    SHA1

    89b65a826c47294d98c3377d4255588874e126d8

    SHA256

    7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77

    SHA512

    c0b0173bf1440693c36fa7c0cbc76ba8643a2487694eb69255181433d69b29ffcf6089c49604600331570ad5a886f176052e79e7dbcc5e4219e0db4e17fb49b3

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe

    Filesize

    168KB

    MD5

    81f68822d19104305bdd0882aba3403e

    SHA1

    d94d613353d62c5df63f5df88185c47dd307346a

    SHA256

    c1874b4ff67ae37ad64be9f96b29c74c981575880f73521825cafd32c0123e99

    SHA512

    f6808c8fe0d0bf3b23cb197af13600b57e7cc38b4cb833edbb4a9a33871b12538a40db2c885244ea276d764db4b00a476108daf59a6229bb14274dabc021a116

  • memory/4456-14-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

    Filesize

    4KB

  • memory/4456-15-0x0000000000D50000-0x0000000000D80000-memory.dmp

    Filesize

    192KB

  • memory/4456-16-0x0000000001540000-0x0000000001546000-memory.dmp

    Filesize

    24KB

  • memory/4456-17-0x0000000005E10000-0x0000000006428000-memory.dmp

    Filesize

    6.1MB

  • memory/4456-18-0x0000000005900000-0x0000000005A0A000-memory.dmp

    Filesize

    1.0MB

  • memory/4456-19-0x0000000005810000-0x0000000005822000-memory.dmp

    Filesize

    72KB

  • memory/4456-20-0x0000000005870000-0x00000000058AC000-memory.dmp

    Filesize

    240KB

  • memory/4456-21-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

  • memory/4456-22-0x0000000005A10000-0x0000000005A5C000-memory.dmp

    Filesize

    304KB

  • memory/4456-23-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

    Filesize

    4KB

  • memory/4456-24-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB