Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/11/2024, 01:09
General
-
Target
6ce79a5adc7a3134f87261297697557d1f92b5469410dd99e07d5b23fa32252c.exe
-
Size
564KB
-
MD5
0a661500c947a45ee021e00b932fb98b
-
SHA1
a5f35ccc237b0ac34568d0fd409b83abd32e5b2e
-
SHA256
6ce79a5adc7a3134f87261297697557d1f92b5469410dd99e07d5b23fa32252c
-
SHA512
ccf07558672ef6a4e572f3e675001dd1ed0e18f3a246fa156788d5312c9fd455eeb633bbee81eadb2e828c094f4e5d0613a8a3bf8d162d11fdbbd6b93a1755bc
-
SSDEEP
12288:iMr0y90SDqYE/0JXOCoJOa4fEZBLvUDRgy45Z8B7OsSlJNbEM:ayoYQ0JXOCna+WgWO7OsSnNb1
Malware Config
Extracted
redline
ronur
193.233.20.20:4134
-
auth_value
f88f86755a528d4b25f6f3628c460965
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ce79a5adc7a3134f87261297697557d1f92b5469410dd99e07d5b23fa32252c.exe"C:\Users\Admin\AppData\Local\Temp\6ce79a5adc7a3134f87261297697557d1f92b5469410dd99e07d5b23fa32252c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnK02yj80.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnK02yj80.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eqs64wC.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eqs64wC.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
420KB
MD50394f8828b730a875ad9628d3a14a080
SHA1cff11a1fbeed5e273ef4bdded09080f610cc85f6
SHA2561ff229375af7c97886d6be688925bdf1ee5363499d33959b17d81194ff2cca29
SHA51255959be91927c223ef853904ec834f65fc1e67f3635305000444c03576f7c7d6c904e9ced03d02e00454bbc3a994a628c8cdb4f19fa54700ce7aad33231744b1
-
Filesize
267KB
MD55c95e1356b158b8f7101c1ed0b5ca0c3
SHA1fa5bd1e797078ef3ad094879657aab80d4d339bc
SHA256e5642d5842867e0544eb5cf2d31b8970ad464fe431b40b598b69bb5386b19a1f
SHA51260e90dadd79dc9a8311d4311c39e289bc3a1a6029eeab918d8a0f160672a6343e6bfd95bdcd5747551c7525d1ebbd4b3a39fd8ee8ced6b723c0da28a4488e919
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB