Analysis
- max time kernel: 131s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:55
Static task: static1
Behavioral task: behavioral1
Sample: f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
Resource: win10v2004-20241007-en
General
- Target: f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
- Size: 874KB
- MD5: 904efa646fc488d033278c3f41c6b417
- SHA1: b4a48616721006d7410096cb30c43dd9e40448d4
- SHA256: f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3
- SHA512: 7d6bb25d97af9df757a714e885ee2bb67c876b2e4b72b7b9704a25cd232af5252886bcafe5750327ac2b4276c6b505b2218a2929a1956e1ba6e14fd38e233ca8
- SSDEEP: 12288:pMrRy90f0fYbkniFF6HCntDTGv6mneYqQE0ScsnUI7q2I3cAd3Mc2d82AwMDEk6b:4yo0PiFQHC5T2zEasBusu2d9AwMDtUr
Malware Config
Extracted
- Family: redline
- Botnet: dimas
- C2: 185.161.248.75:4132
- auth_value: a5db9b1c53c704e612bccc93ccdb5539
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  - behavioral1/files/0x0008000000023c79-19.dat | family_redline
  - behavioral1/memory/1936-21-0x0000000000BF0000-0x0000000000C1A000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  pid | Process
  - 1376 | x6152510.exe
  - 2572 | x4204127.exe
  - 1936 | f7328863.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x6152510.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x4204127.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7328863.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x6152510.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x4204127.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  - PID 1560 wrote to memory of 1376 | 1560 | f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe | 83
  - PID 1560 wrote to memory of 1376 | 1560 | f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe | 83
  - PID 1560 wrote to memory of 1376 | 1560 | f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe | 83
  - PID 1376 wrote to memory of 2572 | 1376 | x6152510.exe | 84
  - PID 1376 wrote to memory of 2572 | 1376 | x6152510.exe | 84
  - PID 1376 wrote to memory of 2572 | 1376 | x6152510.exe | 84
  - PID 2572 wrote to memory of 1936 | 2572 | x4204127.exe | 85
  - PID 2572 wrote to memory of 1936 | 2572 | x4204127.exe | 85
  - PID 2572 wrote to memory of 1936 | 2572 | x4204127.exe | 85
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe"
   PID: 1560
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe
     PID: 1376
     - Executes dropped EXE
     - Adds Run key to start application
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe
       PID: 2572
       - Executes dropped EXE
       - Adds Run key to start application
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe
         PID: 1936
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 478KB
  MD5: 69e88c2ea5bf082cb306716997b360e5
  SHA1: c781f4d1ec06f28a07af4d1bee93bd858960302c
  SHA256: 047f119faef59c0c01357f5ad5d516fae188a8e994e905d91d4ebc8304c844c8
  SHA512: 9d03473c029e2e215301b34d61d0fe44c2bf7172e31d0e64933641a675babd525661f98b6581832e84393219e019b8541c3c1783af80fec62482a1da1246f19a
- Filesize: 306KB
  MD5: 19130eaa61cbd72db23bad9e04ebfced
  SHA1: 752a75cf5919a332242b1b18da9657118eb356d2
  SHA256: e104ce2163b0c7ab4df1e3ce429d4c9b4b2a948f1ae9d9bbfa97464a25fe487a
  SHA512: 8e870d5b5754778d957335479545bab2f2412d580ddac728426f51af559932c0cf6dac9b3555e1d1b4c7a94c644335688f82d7dd0a7fa1d9323e20a292b8a2ac
- Filesize: 145KB
  MD5: 387ab8a0bdfbd57b7bd2ed64ce490a7e
  SHA1: 66abeb8ef2e93bb1d3ec1fbd92816ad8bc72da1c
  SHA256: a9f30d2be1cadd3afc50b94647964fe4e77aece8a5fbd9f972a387d54c8eba53
  SHA512: e7fc74d0420bd6653038ebff567cc8ff87f7dae21dc3221dfb1b1293d3711412966cf2ef1a487048c0349bb184e4a800e9a9243fa142c4f229625b6cc1640a95