Analysis
max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/11/2024, 01:33
Static task
static1
Behavioral task
behavioral1
Sample
ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe
Resource
win10v2004-20241007-en
General
-
Target
ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe
-
Size
850KB
-
MD5
059b328d369e1c3d9b0034a92076c723
-
SHA1
ebdb66121654329d3c8785916bd481289fe9177b
-
SHA256
ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4
-
SHA512
230c60c69857a1a4051d6d32c8629f1871a1ab624d2158ffd45383fcf601642b7c518b8d657d7f36eca2de96dbf5094d15f3be4265fdf355480c8edf093b625c
-
SSDEEP
24576:Tyaq8Rr8e6EE8Ch3W0ziCXEFP48QeFwkGPSakrpvq7:mQr8e9pgqCULTFh8Sakrpvq
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
danko
185.161.248.73:4164
-
auth_value
784d42a6c1eb1a5060b8bcd3696f5f1e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule
behavioral1/memory/1932-2168-0x0000000005740000-0x0000000005772000-memory.dmp family_redline
behavioral1/files/0x000b000000023a40-2173.dat family_redline
behavioral1/memory/3084-2181-0x0000000000940000-0x000000000096E000-memory.dmp family_redline
behavioral1/files/0x0031000000023b7f-2194.dat family_redline
behavioral1/memory/4272-2195-0x0000000000300000-0x0000000000330000-memory.dmp family_redline
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation p99065329.exe
Executes dropped EXE 4 IoCs
pid Process
3348 y76722079.exe
1932 p99065329.exe
3084 1.exe
4272 r23777148.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y76722079.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
5060 1932 WerFault.exe 84
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y76722079.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language p99065329.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language r23777148.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1932 p99065329.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 752 wrote to memory of 3348 752 ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe 83
PID 752 wrote to memory of 3348 752 ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe 83
PID 752 wrote to memory of 3348 752 ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe 83
PID 3348 wrote to memory of 1932 3348 y76722079.exe 84
PID 3348 wrote to memory of 1932 3348 y76722079.exe 84
PID 3348 wrote to memory of 1932 3348 y76722079.exe 84
PID 1932 wrote to memory of 3084 1932 p99065329.exe 88
PID 1932 wrote to memory of 3084 1932 p99065329.exe 88
PID 1932 wrote to memory of 3084 1932 p99065329.exe 88
PID 3348 wrote to memory of 4272 3348 y76722079.exe 92
PID 3348 wrote to memory of 4272 3348 y76722079.exe 92
PID 3348 wrote to memory of 4272 3348 y76722079.exe 92
Processes
- C:\Users\Admin\AppData\Local\Temp\ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe (depth 1, PID 752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebacaba15518ab84674beaef6fbb88fb978d3954394e47abc947202e3ec2abe4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y76722079.exe (depth 2, PID 3348)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y76722079.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p99065329.exe (depth 3, PID 1932)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p99065329.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe (depth 4, PID 3084)
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 5060)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1380
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r23777148.exe (depth 3, PID 4272)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r23777148.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3060)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1932 -ip 1932
Network
MITRE ATT&CK Enterprise v15
Downloads