Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/11/2024, 01:36
Static task
static1
Behavioral task
behavioral1
Sample
0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe
Resource
win10v2004-20241007-en
General
-
Target
0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe
-
Size
539KB
-
MD5
c0d0d1be7fff86b4740e0178ce7b6cc0
-
SHA1
484370efb3a4d407025505bf50de5e920c3231b0
-
SHA256
0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b
-
SHA512
f25adbebe3dee60dfae9cfacfee26039a7e78b1bcacbe1a0d1132857975e3f0893888cceba225fa8152c69507e432c57bc753aff0bd3f94a8cd030b0c6e62686
-
SSDEEP
12288:VMrhy90B+aZAJPu/sY/wzLeqjR7NDUtMF7u3G2ag0oev:cy7P6ILeqjByEc2g01
Malware Config
Extracted
redline
fuka
193.233.20.11:4131
-
auth_value
90eef520554ef188793d77ecc34217bf
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b66-12.dat | family_redline
behavioral1/memory/1644-15-0x0000000000AF0000-0x0000000000B22000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 2 IoCs
pid | Process
2596 | dUr14.exe
1644 | aSQ42.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dUr14.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aSQ42.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dUr14.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4692 wrote to memory of 2596 | 4692 | 0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe | 83
PID 4692 wrote to memory of 2596 | 4692 | 0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe | 83
PID 4692 wrote to memory of 2596 | 4692 | 0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe | 83
PID 2596 wrote to memory of 1644 | 2596 | dUr14.exe | 84
PID 2596 wrote to memory of 1644 | 2596 | dUr14.exe | 84
PID 2596 wrote to memory of 1644 | 2596 | dUr14.exe | 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe "C:\Users\Admin\AppData\Local\Temp\0fb9a3f942f565d4a80bc0995667cef998f47d8926da379f55d00fb6dd26a65b.exe" (depth 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dUr14.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dUr14.exe (depth 2)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aSQ42.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aSQ42.exe (depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
202KB
MD5
fd8a8a1fae12c462d8dedfab426754b4
SHA1
f0fe3ffa21857a758149168563044d2dc0b56c13
SHA256
f814d7adba4ddca154e9a675606c5a480398c6c25615ca55624e8511ddb8d43b
SHA512
2ea3582051e1e49d7ac3eb578a3d98e67d31ad53e476447aa5e051e39a9dd009f3335e0c1028572c32385ba8575bc9b65dd0de60da6d222c0695c6475ab88869
-
Filesize
175KB
MD5
4c35cfbd12826cedb7982ab4e1763a6a
SHA1
1496bd1d1981d8bf38cf98cdd4aa47020ffe9303
SHA256
8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2
SHA512
5e55022ab3b5a49ba3695062b7db3fa920aa9e3653e52e5a556caeed2d8f217457ae472eb2cf3da32f4332fba52b9b1d4e8b42e09793c1f3bf970dcbce35566c