Analysis
- max time kernel: 132s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:16
Static task: static1
Behavioral task: behavioral1
Sample: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
Resource: win10v2004-20241007-en
General
- Target: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
- Size: 479KB
- MD5: c8874dfad5b5c66af668c96187e6442e
- SHA1: ba160bd09471aaf8aaadb000c23887debec44db1
- SHA256: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23
- SHA512: 28d5e312dce7828a792f0bc124b3f56ea02595083c3af7e671d1d0e9ef932a11d8173b0e4afcaae5b9b51e19be0549bbaadc9e27bcaeb3c725eb664721ab2e7c
- SSDEEP: 12288:RMr7y90WBAsZriQ6EEG8HY+iL7v6aRWqu8JuV/xXW:ayzAsZm9g84Tj6k1FJuV/xXW
Malware Config
Extracted
- Family: redline
- Botnet: divan
- C2: 217.196.96.102:4132
- auth_value: b414986bebd7f5a3ec9aee0341b8e769
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  - resource: behavioral1/files/0x0009000000023c32-12.dat; yara_rule: family_redline
  - resource: behavioral1/memory/4284-15-0x0000000000E30000-0x0000000000E5E000-memory.dmp; yara_rule: family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  - pid: 1176; process: x4040055.exe
  - pid: 4284; process: g0016629.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""; process: x4040055.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: x4040055.exe
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: g0016629.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - description: PID 4812 wrote to memory of 1176; pid: 4812; process: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe; procid_target: 83
  - description: PID 4812 wrote to memory of 1176; pid: 4812; process: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe; procid_target: 83
  - description: PID 4812 wrote to memory of 1176; pid: 4812; process: a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe; procid_target: 83
  - description: PID 1176 wrote to memory of 4284; pid: 1176; process: x4040055.exe; procid_target: 84
  - description: PID 1176 wrote to memory of 4284; pid: 1176; process: x4040055.exe; procid_target: 84
  - description: PID 1176 wrote to memory of 4284; pid: 1176; process: x4040055.exe; procid_target: 84
Processes
- C:\Users\Admin\AppData\Local\Temp\a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe (PID 4812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4040055.exe (PID 1176)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4040055.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0016629.exe (PID 4284)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0016629.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 307KB
  MD5: 123103a7278f51ee6d47939ea8f1b438
  SHA1: 57dd6efcbe80fd3750ee4a0c740aea279a1ffa8f
  SHA256: 47722f8fcc7f3063ddf0181699214661ab30289089ac5a0ebeed504755e518ea
  SHA512: 43d3f068c97daa0678a0f290314ad6b637be7d9acc940706d89dec834b16a920b75e2ae127331514c31c8838c7a145ba0c5c6475a53561b78d39730bdbfc8bbb
- Filesize: 168KB
  MD5: 3d42d0dc0396604e0381c15bddf1e6be
  SHA1: 0e51a1fbf14506b211e831ba968708564bbc31ae
  SHA256: 1c37ee82aafe00aa63617f0739e4370f9868d721a1dd69e6cdf656df0818e93b
  SHA512: b8f947aec3e362bd2dacda91b1af98a89e11bb13729b63d6ddef53d2be1156b39260a9ff4c2ef9b30c560ceec30559ac956d0dba0ed4da2c650d78006bc02190