Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:55

General

  • Target

    f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe

  • Size

    874KB

  • MD5

    904efa646fc488d033278c3f41c6b417

  • SHA1

    b4a48616721006d7410096cb30c43dd9e40448d4

  • SHA256

    f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3

  • SHA512

    7d6bb25d97af9df757a714e885ee2bb67c876b2e4b72b7b9704a25cd232af5252886bcafe5750327ac2b4276c6b505b2218a2929a1956e1ba6e14fd38e233ca8

  • SSDEEP

    12288:pMrRy90f0fYbkniFF6HCntDTGv6mneYqQE0ScsnUI7q2I3cAd3Mc2d82AwMDEk6b:4yo0PiFQHC5T2zEasBusu2d9AwMDtUr

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes
  • auth_value

    a5db9b1c53c704e612bccc93ccdb5539

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
    "C:\Users\Admin\AppData\Local\Temp\f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe

    Filesize

    478KB

    MD5

    69e88c2ea5bf082cb306716997b360e5

    SHA1

    c781f4d1ec06f28a07af4d1bee93bd858960302c

    SHA256

    047f119faef59c0c01357f5ad5d516fae188a8e994e905d91d4ebc8304c844c8

    SHA512

    9d03473c029e2e215301b34d61d0fe44c2bf7172e31d0e64933641a675babd525661f98b6581832e84393219e019b8541c3c1783af80fec62482a1da1246f19a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe

    Filesize

    306KB

    MD5

    19130eaa61cbd72db23bad9e04ebfced

    SHA1

    752a75cf5919a332242b1b18da9657118eb356d2

    SHA256

    e104ce2163b0c7ab4df1e3ce429d4c9b4b2a948f1ae9d9bbfa97464a25fe487a

    SHA512

    8e870d5b5754778d957335479545bab2f2412d580ddac728426f51af559932c0cf6dac9b3555e1d1b4c7a94c644335688f82d7dd0a7fa1d9323e20a292b8a2ac

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe

    Filesize

    145KB

    MD5

    387ab8a0bdfbd57b7bd2ed64ce490a7e

    SHA1

    66abeb8ef2e93bb1d3ec1fbd92816ad8bc72da1c

    SHA256

    a9f30d2be1cadd3afc50b94647964fe4e77aece8a5fbd9f972a387d54c8eba53

    SHA512

    e7fc74d0420bd6653038ebff567cc8ff87f7dae21dc3221dfb1b1293d3711412966cf2ef1a487048c0349bb184e4a800e9a9243fa142c4f229625b6cc1640a95

  • memory/1936-21-0x0000000000BF0000-0x0000000000C1A000-memory.dmp

    Filesize

    168KB

  • memory/1936-22-0x0000000005B40000-0x0000000006158000-memory.dmp

    Filesize

    6.1MB

  • memory/1936-23-0x00000000056C0000-0x00000000057CA000-memory.dmp

    Filesize

    1.0MB

  • memory/1936-24-0x00000000055F0000-0x0000000005602000-memory.dmp

    Filesize

    72KB

  • memory/1936-25-0x0000000005650000-0x000000000568C000-memory.dmp

    Filesize

    240KB

  • memory/1936-26-0x00000000057D0000-0x000000000581C000-memory.dmp

    Filesize

    304KB