Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2024, 12:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe
- Size: 488KB
- MD5: d2baad5181035b853d37213e96ab5cb0
- SHA1: ea7d2a47054b24b4c3f9569f6440e241448696c2
- SHA256: 149cd41e04afd54119c40358aa55b0d0de72a8c1e612ff1d1d4d79ab20ba8a01
- SHA512: 074df38a24e951caa6f69cda76683bcd9058e0ff87406a96f8d18a95998484a55e3401f89c59f28ffe029fcf581f028e40da8cf0d24deef53b1662539df3e291
- SSDEEP: 12288:CMrOy90tPjCZopOsfm8DfbuusCN3Tv1lpqokW4md:Yy1A+8DdsCR1/FkW4c
Malware Config
Extracted
- Family: redline
- Botnet: debro
- C2: 185.161.248.75:4132
- auth_value: 18c2c191aebfde5d1787ec8d805a01a8
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral1/files/0x00080000000233e7-12.dat  yara_rule: family_redline
  resource: behavioral1/memory/4036-15-0x00000000005F0000-0x000000000061E000-memory.dmp  yara_rule: family_redline
- Executes dropped EXE (2 IoCs)
  pid: 3404  Process: x4127652.exe
  pid: 4036  Process: f5875111.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Process: d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  Process: x4127652.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2600 wrote to memory of 3404  pid: 2600  Process: d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe  procid_target: 82
  description: PID 2600 wrote to memory of 3404  pid: 2600  Process: d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe  procid_target: 82
  description: PID 2600 wrote to memory of 3404  pid: 2600  Process: d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe  procid_target: 82
  description: PID 3404 wrote to memory of 4036  pid: 3404  Process: x4127652.exe  procid_target: 83
  description: PID 3404 wrote to memory of 4036  pid: 3404  Process: x4127652.exe  procid_target: 83
  description: PID 3404 wrote to memory of 4036  pid: 3404  Process: x4127652.exe  procid_target: 83
Processes
- C:\Users\Admin\AppData\Local\Temp\d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe (PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2baad5181035b853d37213e96ab5cb0_NeikiAnalytics.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4127652.exe (PID 3404)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4127652.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5875111.exe (PID 4036)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5875111.exe
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 316KB
  MD5: 0dfa00ef7dd88c58d78e4340dd5ae2dc
  SHA1: 3c1612fd08f43f64ca684bd81f1d96fbb6a2e7f6
  SHA256: 66e75d8b2b30497bc2d658cff1612173503234cdd343219cabe22954ef5ed726
  SHA512: 65587f99b60a881ab906592dba93e724b5fae1e3269e1792c7878e55fe68fc5eaafc4a3e0c397044cf8f805332e87380b090ee60c67061aebb2178fef9b6509a
- Filesize: 168KB
  MD5: e10039f9013490e8cda467f1f754cd85
  SHA1: 37ed33ecd5455d4bdf2e52a975069717581b3931
  SHA256: 507f56c424e6e8c6eaab75a80dae68a710d5a54b69cc232abed8ed8023355e7a
  SHA512: ff520466d9ee1c6591da19f3f8de6c05a56ece708f2044169a649e5c3f8513d3beb880d58d556979a47d6f5adffc0f20703d4500ab03ef2e7862e6691ed02647