Analysis
- max time kernel: 132s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 21:20
Static task: static1
Behavioral task: behavioral1
- Sample: 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe
- Resource: win10v2004-20241007-en
General
- Target: 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe
- Size: 469KB
- MD5: a718d5d1a97ec5f2f594f59422c7fca9
- SHA1: 787dfd35b1aa64cc9971a87f2db0ac19b2c49a0f
- SHA256: 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c
- SHA512: 549e7f04d7043e809faa12860155a0176e7b4c54c274a2cef9ea748294a2bd8e48450394bc8294a44b5d0f169bbb1c15a2ee744469afda7f16246b0ba0f35a12
- SSDEEP: 12288:lMryy90In57QFNMdzQo1QbTeCRsQ7Cksiys:LyNg+/CmCuQf
Malware Config
Extracted
- Family: redline
- Botnet: fukia
- C2: 193.233.20.13:4136
- auth_value: e5783636fbd9e4f0cf9a017bce02e67e
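The extracted config and the hashes on this page are the indicators a defender would sweep for. The following is an added example, not code from tria.ge or from the report: it takes the C2 endpoint and file hashes listed above and runs them over constructed firewall log lines and a constructed file inventory (the log layout and paths are hypothetical). It distinguishes an exact host:port match from traffic to the same host on another port, which is still the same infrastructure but is weaker evidence of RedLine C2 activity.

```python
"""Match the IoCs from this report against constructed log data.

Added example; not code from tria.ge or from the sample's authors.
The network log lines, their field layout, and the file inventory are
constructed for illustration. The C2 endpoint and hashes are the ones
listed in the report above.
"""
import re

# C2 from the extracted RedLine config (host:port).
C2_ENDPOINTS = {"193.233.20.13:4136"}

# File hashes from the General and Downloads sections (mixed MD5/SHA1/SHA256).
FILE_HASHES = {
    "a718d5d1a97ec5f2f594f59422c7fca9",                                  # sample MD5
    "787dfd35b1aa64cc9971a87f2db0ac19b2c49a0f",                          # sample SHA1
    "9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c",  # sample SHA256
    "fa0bfe1a252f41793ae28b3bd3889bf3",                                  # 202KB download MD5
    "a5f5c5d6291c7ae9e1d1b7ed1e551490",                                  # 175KB download MD5
}

# Constructed firewall log; the key=value layout is hypothetical.
SAMPLE_NETLOG = """\
2024-11-08T21:21:03Z src=10.0.0.5:49712 dst=193.233.20.13:4136 proto=tcp action=allow
2024-11-08T21:21:07Z src=10.0.0.5:49715 dst=198.51.100.20:443 proto=tcp action=allow
2024-11-08T21:22:10Z src=10.0.0.9:50001 dst=193.233.20.13:80 proto=tcp action=allow
"""

# Constructed file inventory: "<path>,<hex digest>". The second digest is
# the MD5 of an empty file and stands in for an unrelated, benign binary.
SAMPLE_INVENTORY = """\
C:\\Users\\Admin\\Downloads\\invoice.exe,A718D5D1A97EC5F2F594F59422C7FCA9
C:\\Windows\\System32\\notepad.exe,d41d8cd98f00b204e9800998ecf8427e
C:\\Users\\Admin\\AppData\\Local\\Temp\\dropped_a.exe,fa0bfe1a252f41793ae28b3bd3889bf3
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def c2_hits(netlog, endpoints=C2_ENDPOINTS):
    """Return {"exact": [...], "host_only": [...]} as (line number, dst) pairs.

    An exact host:port match is a strong indicator. Traffic to the same host
    on another port is reported separately: same infrastructure, but the
    port alone does not prove RedLine C2 traffic, so it deserves a lower
    severity rather than being dropped.
    """
    hosts = {ep.split(":")[0] for ep in endpoints}
    exact, host_only = [], []
    for lineno, line in enumerate(netlog.splitlines(), 1):
        m = DST_RE.search(line)
        if not m:
            continue
        host, port = m.group(1), m.group(2)
        dst = f"{host}:{port}"
        if dst in endpoints:
            exact.append((lineno, dst))
        elif host in hosts:
            host_only.append((lineno, dst))
    return {"exact": exact, "host_only": host_only}


def hash_hits(inventory, hashes=FILE_HASHES):
    """Return the paths whose digest (any algorithm, any case) is a known IoC."""
    known = {h.lower() for h in hashes}
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        path, digest = line.rsplit(",", 1)   # rsplit so a comma in the path cannot break the digest
        if digest.strip().lower() in known:
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(c2_hits(SAMPLE_NETLOG))
    print(hash_hits(SAMPLE_INVENTORY))
```

Hashes are compared case-insensitively and across algorithms because inventories rarely agree on which digest they record; the C2 match is kept strict on host:port, with the host-only bucket there to be triaged, not ignored.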
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cb3-12.dat | family_redline
behavioral1/memory/3656-15-0x00000000004A0000-0x00000000004D2000-memory.dmp | family_redline
The memory match comes from PID 3656, which is blE79.exe in the process list below, so the last process in the chain is the one carrying the RedLine payload; the .dat entry is the on-disk file the sandbox captured.

Redline family
Executes dropped EXE (2 IoCs)
pid | Process
4628 | nVa93.exe
3656 | blE79.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | nVa93.exe
Both values are RunOnce entries named wextract_cleanupN whose data calls advpack.dll!DelNodeRunDLL32 on an IXP00n.TMP directory. That is the standard cleanup an IExpress (wextract) self-extracting package registers so its temporary extraction folder is deleted at the next logon. It shows that the sample and nVa93.exe are nested IExpress droppers; it is not a persistence mechanism for the stealer itself, and the signature name should be read with that in mind.
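Because the signature fires on any Run/RunOnce write, a triage step has to separate IExpress cleanup entries from real autostart persistence. The block below is an added example, not tria.ge code: the first two events reproduce the report's rows (with the export's backslash escaping removed), and the last two are constructed to show a genuine Run-key entry and an entry that only borrows the wextract_cleanup name. The SID in the constructed HKCU path is made up.

```python
"""Classify Run/RunOnce 'Set value' events such as the two listed above.

Added example; not tria.ge code. The first two events reproduce the
report's rows (with the export's backslash escaping removed); the last
two are constructed to show what a real persistence entry, and an entry
that only borrows the wextract_cleanup name, look like.
"""
import re
from collections import namedtuple

RunEvent = namedtuple("RunEvent", "key name data process")

# Value data written by an IExpress/wextract package so that its IXP00n.TMP
# extraction directory is deleted at next logon.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?[A-Za-z]:\\Windows\\system32\\advpack\.dll"?,DelNodeRunDLL32'
    r'\s+"[^"]*\\IXP\d{3}\.TMP\\?"$',
    re.IGNORECASE,
)
AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)

RUNONCE_HKLM32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
RUN_HKCU = (r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

SAMPLE_EVENTS = [
    RunEvent(RUNONCE_HKLM32, "wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
             "9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe"),
    RunEvent(RUNONCE_HKLM32, "wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
             "nVa93.exe"),
    # Constructed: a classic Run-key persistence entry.
    RunEvent(RUN_HKCU, "Updater", r'"C:\Users\Admin\AppData\Roaming\svc\updater.exe"', "blE79.exe"),
    # Constructed: cleanup-style name, but the data launches an arbitrary binary.
    RunEvent(RUNONCE_HKLM32, "wextract_cleanup2", r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x.exe', "nVa93.exe"),
]


def classify(ev):
    """Return 'not-autostart', 'iexpress-cleanup' or 'persistence-candidate'."""
    if not AUTOSTART_KEY_RE.search(ev.key):
        return "not-autostart"
    # Both the value name and the data must match: the name alone is trivially forgeable.
    if (ev.key.lower().endswith("runonce")
            and re.fullmatch(r"wextract_cleanup\d+", ev.name, re.IGNORECASE)
            and WEXTRACT_CLEANUP_RE.match(ev.data)):
        return "iexpress-cleanup"
    return "persistence-candidate"


def triage(events):
    """Group events by classification, preserving report order."""
    out = {"not-autostart": [], "iexpress-cleanup": [], "persistence-candidate": []}
    for ev in events:
        out[classify(ev)].append(ev)
    return out


if __name__ == "__main__":
    for label, evs in triage(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"{label:22} {ev.name:20} set by {ev.process}")
```

The check is deliberately conjunctive: RunOnce key, the wextract_cleanupN name, and data that is exactly a DelNodeRunDLL32 call on an IXP directory. Dropping any one of those conditions lets an attacker hide a loader behind a familiar-looking value name.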
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nVa93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | blE79.exe
All three processes in the chain open this key. The NLS\Language key is also read during ordinary locale initialisation by the Windows runtime, so on its own this is a weak signal; it matters here mainly because RedLine and the loaders around it are known to check the system locale before running.
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3060 wrote to memory of 4628 | 3060 | 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe | 83
PID 3060 wrote to memory of 4628 | 3060 | 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe | 83
PID 3060 wrote to memory of 4628 | 3060 | 9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe | 83
PID 4628 wrote to memory of 3656 | 4628 | nVa93.exe | 84
PID 4628 wrote to memory of 3656 | 4628 | nVa93.exe | 84
PID 4628 wrote to memory of 3656 | 4628 | nVa93.exe | 84
Each parent writes only into the child it has just created (3060 into 4628, 4628 into 3656), and the three identical rows per edge are the writes a parent makes while setting up a new child. Nothing here shows a write into an unrelated, pre-existing process, so this signature documents the parent-child chain rather than code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe"
   PID: 3060
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVa93.exe (child of PID 3060)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVa93.exe
      PID: 4628
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\blE79.exe (child of PID 4628)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\blE79.exe
         PID: 3656
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
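The tree above is derived from the flat WriteProcessMemory rows and the dropped-EXE list. The block below is an added example, not tria.ge code: it rebuilds that tree from the six "wrote to memory" rows as listed (writer pid, target pid, writer image), de-duplicating the repeated rows, naming the target-only pids from the "Executes dropped EXE" rows, and setting aside any write into a process that already has a parent, which is the case that would point to injection rather than creation.

```python
"""Rebuild the process tree above from the report's flattened event rows.

Added example; not tria.ge code. WRITE_EVENTS reproduces the six
"wrote to memory" rows as (writer pid, target pid, writer image); the
repetition is as listed in the report, so the builder de-duplicates.
DROPPED_NAMES supplies images for pids that only appear as targets,
taken from the "Executes dropped EXE" rows.
"""
from collections import defaultdict

ROOT_IMAGE = "9f424187473489dfd121135e3e74ef4df04d901b368d62e0b45be95cf285274c.exe"

WRITE_EVENTS = [
    (3060, 4628, ROOT_IMAGE),
    (3060, 4628, ROOT_IMAGE),
    (3060, 4628, ROOT_IMAGE),
    (4628, 3656, "nVa93.exe"),
    (4628, 3656, "nVa93.exe"),
    (4628, 3656, "nVa93.exe"),
]
DROPPED_NAMES = {4628: "nVa93.exe", 3656: "blE79.exe"}


class ProcessTree:
    def __init__(self, events, names):
        self.names = dict(names)
        self.children = defaultdict(list)
        self.parent = {}
        self.write_counts = defaultdict(int)   # rows backing each (writer, target) edge
        self.injections = []                   # writes into a process that already has a parent
        for writer, target, writer_image in events:
            self.names.setdefault(writer, writer_image)
            edge = (writer, target)
            self.write_counts[edge] += 1
            if self.write_counts[edge] > 1:    # repeated row for the same edge
                continue
            if target in self.parent:          # a different writer into an existing process
                self.injections.append(edge)
                continue
            self.parent[target] = writer
            self.children[writer].append(target)
        self.roots = sorted(p for p in self.names if p not in self.parent)

    def ancestry(self, pid):
        """Chain of pids from the root down to pid."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]

    def render(self):
        """Indented lines, one per process, in the same shape as the report's tree."""
        lines = []

        def walk(pid, depth):
            lines.append("  " * depth + f"{self.names.get(pid, '?')} (PID {pid})")
            for child in self.children.get(pid, []):
                walk(child, depth + 1)

        for root in self.roots:
            walk(root, 0)
        return lines


if __name__ == "__main__":
    tree = ProcessTree(WRITE_EVENTS, DROPPED_NAMES)
    print("\n".join(tree.render()))
    print("ancestry of 3656:", tree.ancestry(3656))
```

Keeping the per-edge write count and the injections list is what makes the structure useful beyond this sample: a parent with a handful of writes into its own child is process creation, while a write into a pid that already has a different parent is the thing worth escalating.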
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 202KB
  MD5: fa0bfe1a252f41793ae28b3bd3889bf3
  SHA1: cf791fd0b2aa044fab80ed123e389b261547c712
  SHA256: 8188fe0ab597796124d8257cae92ba24ff4e6b1f41f2110a4c682bacb2679108
  SHA512: 9c874d797bdf45fa0108b86be27c77759b5c6079e75d119ca34607180df57980d2f6504bed6842fdbd4a6cdbc468da8787f6a8e1175f47f752610af3cad7fa5e
- Filesize: 175KB
  MD5: a5f5c5d6291c7ae9e1d1b7ed1e551490
  SHA1: 3d06413341893b838549939e15f8f1eec423d71a
  SHA256: 1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
  SHA512: d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2