Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/11/2024, 01:53
General
-
Target
14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe
-
Size
585KB
-
MD5
f8ece9f956afd698a5445754d820a3ee
-
SHA1
e7b69acf70f42c50a6cc0389173a4843592ece74
-
SHA256
14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52
-
SHA512
ac8d214930eeb38d1aed427649f8d660ff87cc4de5a21a6dee758909b736506d0c62856363be9b7ac95ee75505e24d505cb06aaad54350445cac328752401f21
-
SSDEEP
12288:ZMr2y90G5sayUzTPOmEQF7T13dmVhl97cycj8:vy3GaBtfF7T13dmt97/I8
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe"C:\Users\Admin\AppData\Local\Temp\14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkX80ux19.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkX80ux19.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eWu49mT.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eWu49mT.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD535b2dac3d82cd5b1893faa0f01da70e0
SHA1b82678e25611d5310a1c1588b7f2d6ac97f8ff06
SHA256db0d0c8479f54b6d61aa5ce4eaa1093e002c4d2034caf5d500bd6b2e120319b5
SHA5128c12bcb394c4db0ae3172b69890bc154e8498063d2b8067496b7862febc9fec92feae6e60ec4da9e14a9ac6d1927ce566a6776600e4a7307c4d5ff4d8702d372
-
Filesize
301KB
MD570d8bf8532b418baf50f1412d47418ac
SHA1d5587ffea27b1a65262d751196bda715d7c1952d
SHA256c31af8710c8ef62f71c4d30e0cf06dff6f5633d3d442ac79321df5f28c5fb009
SHA512c3193d7f29f16d67920fb01cfaed1ab497e07098dd24ef212e95bb6870b0f852f673121c05199840cad563cb8708d9e37274e567701d8ab87614fa8422f8a6a1
-
Filesize
312KB
-
Filesize
300KB
-
Filesize
1024KB
-
Filesize
2.2MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB