Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe
- Resource: win10v2004-20241007-en
General
- Target: 14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe
- Size: 585KB
- MD5: f8ece9f956afd698a5445754d820a3ee
- SHA1: e7b69acf70f42c50a6cc0389173a4843592ece74
- SHA256: 14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52
- SHA512: ac8d214930eeb38d1aed427649f8d660ff87cc4de5a21a6dee758909b736506d0c62856363be9b7ac95ee75505e24d505cb06aaad54350445cac328752401f21
- SSDEEP: 12288:ZMr2y90G5sayUzTPOmEQF7T13dmVhl97cycj8:vy3GaBtfF7T13dmt97/I8
Malware Config
Extracted
- Family: redline
- Botnet: ronam
- C2: 193.233.20.17:4139
- auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
- Redline family
- Executes dropped EXE (2 IoCs)
  PID 468: nkX80ux19.exe
  PID 2956: eWu49mT.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: nkX80ux19.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: nkX80ux19.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: eWu49mT.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2956, process: eWu49mT.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 220 wrote to memory of 468 (14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe, target procid 84)
  PID 220 wrote to memory of 468 (14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe, target procid 84)
  PID 220 wrote to memory of 468 (14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe, target procid 84)
  PID 468 wrote to memory of 2956 (nkX80ux19.exe, target procid 86)
  PID 468 wrote to memory of 2956 (nkX80ux19.exe, target procid 86)
  PID 468 wrote to memory of 2956 (nkX80ux19.exe, target procid 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe (PID 220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14f423e294af0401ba7a9783c15568ceae38b4302e34caab0f17287382ddde52.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkX80ux19.exe (PID 468)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkX80ux19.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eWu49mT.exe (PID 2956)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eWu49mT.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 440KB
  MD5: 35b2dac3d82cd5b1893faa0f01da70e0
  SHA1: b82678e25611d5310a1c1588b7f2d6ac97f8ff06
  SHA256: db0d0c8479f54b6d61aa5ce4eaa1093e002c4d2034caf5d500bd6b2e120319b5
  SHA512: 8c12bcb394c4db0ae3172b69890bc154e8498063d2b8067496b7862febc9fec92feae6e60ec4da9e14a9ac6d1927ce566a6776600e4a7307c4d5ff4d8702d372
- File 2
  Filesize: 301KB
  MD5: 70d8bf8532b418baf50f1412d47418ac
  SHA1: d5587ffea27b1a65262d751196bda715d7c1952d
  SHA256: c31af8710c8ef62f71c4d30e0cf06dff6f5633d3d442ac79321df5f28c5fb009
  SHA512: c3193d7f29f16d67920fb01cfaed1ab497e07098dd24ef212e95bb6870b0f852f673121c05199840cad563cb8708d9e37274e567701d8ab87614fa8422f8a6a1