Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/06/2024, 01:11

Static task: static1
Behavioral task: behavioral1
- Sample: 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
- Resource: win10v2004-20240226-en
General
- Target: 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
- Size: 751KB
- MD5: 7f19560c3e3968a7fa94beaf1ddcb636
- SHA1: 65db45b284de8a5c5d77cf8673c732a98cb16361
- SHA256: 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a
- SHA512: bb0a1bc7d0b6e30c331c1f1a5597a45482d7d91e97158d576381ada74af4f526e482c0cb4c73fb1d20606f46d2f2e531385e5ec14803697cf19a4bd0aa3fdb53
- SSDEEP: 12288:lMrLy908zdk4hMXuDzpmrrXrO8+/UJHc6qoEiD8Zi7sEV10sFn5A9oDHDPq1QGAV:qy3hk2DzIbO8goHc6JEm8VEV1ddv+1QB
Malware Config
Extracted
- redline
- diza
- 185.161.248.37:4138
- auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023273-12.dat | family_redline
  behavioral1/memory/1192-15-0x0000000000100000-0x000000000012A000-memory.dmp | family_redline
- Detects executables packed with ConfuserEx Mod (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023273-12.dat | INDICATOR_EXE_Packed_ConfuserEx
  behavioral1/memory/1192-15-0x0000000000100000-0x000000000012A000-memory.dmp | INDICATOR_EXE_Packed_ConfuserEx
- Executes dropped EXE (2 IoCs)
  pid | Process
  3388 | x0262850.exe
  1192 | f3690067.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0262850.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3148 wrote to memory of 3388 | 3148 | 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe | 91
  PID 3148 wrote to memory of 3388 | 3148 | 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe | 91
  PID 3148 wrote to memory of 3388 | 3148 | 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe | 91
  PID 3388 wrote to memory of 1192 | 3388 | x0262850.exe | 92
  PID 3388 wrote to memory of 1192 | 3388 | x0262850.exe | 92
  PID 3388 wrote to memory of 1192 | 3388 | x0262850.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3148
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0262850.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0262850.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3388
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3690067.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3690067.exe
      - Executes dropped EXE
      PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
  PID:1680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 306KB
  MD5: 44c2e003d7eeae3fc7a9fa21cdded269
  SHA1: cdc10a8b2f02590d0bbc7024c5b26a104727798c
  SHA256: e29881e1e8ccf604ca3e001c21c9b033838cfd64b4ae5255475f42b778fe4850
  SHA512: 65863bd5b2babe5314d5d42c719adfdc1ff467dcbba64c917a07ecaf8c57132cbe5f87d893585e8898bcfd24d089621918c8bce60ec660566d4bdbf0f84d6909
- Filesize: 145KB
  MD5: 09454c5f1efc99b380457bf5999600c9
  SHA1: 593a23bc19fe5e3b239f5fc7567a6f8059ee5dcb
  SHA256: bd08f6ef9c7213c2395e83602533b2025a75f327f00a6f76b32d698aa6360ccc
  SHA512: 835d1c488b408d9a2b7e2e315d94159d00372f9b104712e4de8ae3a211954bb25a5f251d77b53d6b9f23535ffb3d16d925ed99a1648b3ec18cfe55991a6e7d46