Analysis
max time kernel: 106s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 01:20
Static task: static1
Behavioral task: behavioral1
Sample: db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Resource: win10v2004-20241007-en
General
Target: db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Size: 1.5MB
MD5: 14bc2b2d5f1d564bce6ba169aa3d6193
SHA1: 7d32252a30f6d9706786713ae8ef8677362100ff
SHA256: 760cd792f50a692ddc7ef5672ac9786444a51319d4f595e66781d9da27c9905e
SHA512: 8194e180e31c8c4bab1aa9710178c7e88f4217f585064adf6653d742c9ca60980b033b1567bb89c137911e54082e489470553a3aa237393edc0c1244b26888bd
SSDEEP: 24576:fyiI3Kt5vJgir9Wy05CW1S3Ikn58qLQjrGq7cyezATdf6ROHjPRkNugXswZLb:qiI3A6S0y0oKS3Ik58sQjjRYA9BDYugV
Malware Config
Extracted
redline
most
185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023ba7-33.dat | family_redline
behavioral1/memory/2724-35-0x0000000000140000-0x0000000000170000-memory.dmp | family_redline
Redline family
Executes dropped EXE 5 IoCs
pid | Process
3672 | i86219630.exe
2296 | i23814102.exe
2840 | i94343111.exe
1928 | i95223336.exe
2724 | a53719515.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i86219630.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i23814102.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i94343111.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i95223336.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i86219630.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i23814102.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i94343111.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i95223336.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a53719515.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 4680 wrote to memory of 3672 | 4680 | db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe | 83
PID 4680 wrote to memory of 3672 | 4680 | db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe | 83
PID 4680 wrote to memory of 3672 | 4680 | db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe | 83
PID 3672 wrote to memory of 2296 | 3672 | i86219630.exe | 85
PID 3672 wrote to memory of 2296 | 3672 | i86219630.exe | 85
PID 3672 wrote to memory of 2296 | 3672 | i86219630.exe | 85
PID 2296 wrote to memory of 2840 | 2296 | i23814102.exe | 86
PID 2296 wrote to memory of 2840 | 2296 | i23814102.exe | 86
PID 2296 wrote to memory of 2840 | 2296 | i23814102.exe | 86
PID 2840 wrote to memory of 1928 | 2840 | i94343111.exe | 88
PID 2840 wrote to memory of 1928 | 2840 | i94343111.exe | 88
PID 2840 wrote to memory of 1928 | 2840 | i94343111.exe | 88
PID 1928 wrote to memory of 2724 | 1928 | i95223336.exe | 89
PID 1928 wrote to memory of 2724 | 1928 | i95223336.exe | 89
PID 1928 wrote to memory of 2724 | 1928 | i95223336.exe | 89
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4680
Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86219630.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86219630.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3672
Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i23814102.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i23814102.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2296
Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94343111.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94343111.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2840
Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i95223336.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i95223336.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1928
Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53719515.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53719515.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2724
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 99b9cc27c5696f72a7b0ae99a25c0aa3
SHA1: 9095a5501a9fd97c39443cce0084b11f1efcef4c
SHA256: d6f236a5270865aa5ea6ae8a2b8d95894ed9de009228d96f2dcc575356849818
SHA512: d3c5bd53ff56c19736130ebb3cbfb01806fe1544d902bced88dfb65ce1cf2622379f044de52df868f3caa156784299f45e8997a9c5ab572f7803989afaebc359
Filesize: 1022KB
MD5: 4bbd835404f10ae15894496c4608676e
SHA1: 984c35f92a4a888a33425c6fd33feaa0147fc180
SHA256: cb537e08272d9392180199d266dadbdb6804628790be129a83a979c245da39d8
SHA512: 0139893a9635d61ae0487c700fbde164f6c0cdd4b16f6ec6a1dd95181f6473f83076cca6a12bd5201f2e5be13b1991d7789f6b0315092a0270e91be916bb8da5
Filesize: 850KB
MD5: 933cd9746bd270cfa7be4c468efe8d24
SHA1: 5f122cda14be87fffa8baec0009bb9cc7caed4e6
SHA256: 2188a79d5b53fcd7c574386e2799e607b023bc6bb5f7cb6904b863bd5a52b078
SHA512: 74a5c07d30a1d3cc71793a268306b03c6e38543be2f24bf0009f1bf2da184c9ce6e89c365f11f1cace1fd1a50e840a37ca35c7ca1d7b806fef01425318636cc5
Filesize: 374KB
MD5: 31b286b755ced54dbc979d8bb463fe5a
SHA1: 9f929a8d90e4fdd59079e209748e368e14509be9
SHA256: ba66e71e86dedb36a8424ce63da1e890befe0f7e51e0626ee29b59565f03674e
SHA512: 6114ff9df89c354bed9f272f0c9fecd26fee12df4ff3e56f59c187e7e405e02bce4650f30fee1e22035a87ac0fdf9c8d30b5645e3b93275e23ded550d0803e13
Filesize: 169KB
MD5: 74c3b1c0911a1806073802de5b04802a
SHA1: da4c6308cb326edb3cfc48b92b18e9c23023a593
SHA256: 1a49611982fbdd2319d15786835ef7c218c52f225db33d1b84d02365e4c56368
SHA512: 0d66548cc0e90991c69606ecf904cc6c9878ab5fcfaba77c98cec45936bfec485dd3a3d0a6cde107f473792e589f220308fb2146fbab91b459199b569f207f90