Analysis

  max time kernel:   132s
  max time network:  149s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         10/11/2024, 16:02

Static task:      static1
Behavioral task:  behavioral1
  Sample:    dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe
  Resource:  win10v2004-20241007-en
General

  Target:  dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe
  Size:    468KB
  MD5:     75ac03425f9444df619ba8534e571e91
  SHA1:    e7f44266a1f203ac03e38c9a1272f561c2a5fad7
  SHA256:  dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125
  SHA512:  de975f5cb36d2d8467f77e1911191aacd1493597e2aca819a1b5dd20f7b0c0cf7790c097a59a30cb114debac2fcb02105aeef6f1c5f91f8b10f27ea64e207fb1
  SSDEEP:  12288:sMr6y90/LHjud7Lz/rEQwSmKziC8gnXxQRhnqttIT:2yuHj0D/ZwKziZgneRxqvIT
Malware Config

Extracted
  family:      redline
  botnet:      fukia
  C2:          193.233.20.13:4136
  auth_value:  e5783636fbd9e4f0cf9a017bce02e67e
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral1/files/0x000b000000023b8a-12.dat                                   family_redline
    behavioral1/memory/3680-15-0x0000000000140000-0x0000000000172000-memory.dmp  family_redline

- Redline family

- Executes dropped EXE (2 IoCs)
    pid   Process
    3516  nRb50.exe
    3680  bLA97.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
    description      | ioc | Process
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nRb50.exe

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  | ioc                                                      | Process
    Key opened   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe
    Key opened   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | nRb50.exe
    Key opened   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | bLA97.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
    description              | pid   | Process                                                                   | procid_target
    PID 1420 wrote to memory of 3516  | 1420  | dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe  | 83
    PID 1420 wrote to memory of 3516  | 1420  | dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe  | 83
    PID 1420 wrote to memory of 3516  | 1420  | dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe  | 83
    PID 3516 wrote to memory of 3680  | 3516  | nRb50.exe  | 84
    PID 3516 wrote to memory of 3680  | 3516  | nRb50.exe  | 84
    PID 3516 wrote to memory of 3680  | 3516  | nRb50.exe  | 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dde91cb951fc996634fabf94e98140487c966758c46f9b7ecef5c6a474f19125.exe"
   PID: 1420
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nRb50.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nRb50.exe
      PID: 3516
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLA97.exe (child of 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLA97.exe
         PID: 3680
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- File 1
  Filesize:  202KB
  MD5:       06c293883353eacbc04705cc3bd7e29b
  SHA1:      31a560aaebeb20c4981f51e3ecec4107515a2336
  SHA256:    969dcaa443bddd53f642d52b7a0f195b92564c2a0b3c91bdf7b910bad406b885
  SHA512:    834de5ad524e88881e1b7a0a2996c099b290f186977a62aec1a044e207275876b81e07c241a6551591c930559a0e87e5ba123d7d0a481d033674885c588dc698

- File 2
  Filesize:  175KB
  MD5:       a5f5c5d6291c7ae9e1d1b7ed1e551490
  SHA1:      3d06413341893b838549939e15f8f1eec423d71a
  SHA256:    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
  SHA512:    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2