Analysis
max time kernel: 132s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 01:57
Static task
static1
Behavioral task
behavioral1
Sample
9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Resource
win10v2004-20241007-en
General
Target: 9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Size: 1.5MB
MD5: 162ccdfb9e19260302599633fdf56143
SHA1: 4b67350136aa7647b8be692dd10690a5d4af9573
SHA256: 9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6
SHA512: 27cbdda0fa384f0a4b8809330539887644af6438a09186f5dacfaa12ca5af1b0d4d148b3a80e1634013083b4f5bd167b35973673627e8a82f7679d4b5bc8c250
SSDEEP: 24576:CyPXCPgnVJwlLdWaVdcW+7rvzAaS//lr1nbT1YSWXgxiGK/yKEPjTsNDom5V:pPyMVJELEoSQRNdTGcxiGMyKEPnU5
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x0009000000023bfd-33.dat                                   family_redline
behavioral1/memory/2208-35-0x0000000000C60000-0x0000000000C90000-memory.dmp   family_redline

Redline family

Executes dropped EXE (5 IoCs)
pid    Process
4700   i22435028.exe
2156   i32167551.exe
3616   i55230344.exe
3716   i39138045.exe
2208   a59028844.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description       ioc                                                                                                                                                                                                                                   Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   i22435028.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   i32167551.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   i55230344.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""   i39138045.exe

Note on these values: wextract_cleanupN entries pointing at advpack.dll,DelNodeRunDLL32 are the self-cleanup commands written by the Windows self-extractor (wextract), one per IXP00N.TMP extraction directory; each schedules deletion of that directory at the next logon. They do not start the payload again, so this is not persistence for RedLine. What they do show is the packaging: five nested self-extracting layers, each dropping the next stage into a fresh IXP00N.TMP folder, with the RedLine payload a59028844.exe finally run from IXP004.TMP.
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                        Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   i22435028.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   i32167551.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   i55230344.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   i39138045.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a59028844.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                          pid    Process                                                                   procid_target
PID 3644 wrote to memory of 4700     3644   9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe     84
PID 3644 wrote to memory of 4700     3644   9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe     84
PID 3644 wrote to memory of 4700     3644   9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe     84
PID 4700 wrote to memory of 2156     4700   i22435028.exe                                                            85
PID 4700 wrote to memory of 2156     4700   i22435028.exe                                                            85
PID 4700 wrote to memory of 2156     4700   i22435028.exe                                                            85
PID 2156 wrote to memory of 3616     2156   i32167551.exe                                                            87
PID 2156 wrote to memory of 3616     2156   i32167551.exe                                                            87
PID 2156 wrote to memory of 3616     2156   i32167551.exe                                                            87
PID 3616 wrote to memory of 3716     3616   i55230344.exe                                                            89
PID 3616 wrote to memory of 3716     3616   i55230344.exe                                                            89
PID 3616 wrote to memory of 3716     3616   i55230344.exe                                                            89
PID 3716 wrote to memory of 2208     3716   i39138045.exe                                                            90
PID 3716 wrote to memory of 2208     3716   i39138045.exe                                                            90
PID 3716 wrote to memory of 2208     3716   i39138045.exe                                                            90
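The WriteProcessMemory rows and the RunOnce rows above can be read mechanically: the write events give parent-to-child edges that rebuild the dropper chain, and the RunOnce data can be matched against the self-extractor's cleanup command to separate it from real persistence. The Python below is an added example, not part of this report or of the sandbox's tooling. Its input rows are copied by hand from the tables on this page, the pid-to-image map comes from the "Executes dropped EXE" table, and the two patterns DELNODE_RE and IXP_RE are my own assumptions about what a wextract cleanup entry looks like, generalised from the five rows here.

```python
"""Rebuild the dropper chain and triage the RunOnce entries from this
report's IoC tables.  Added example: every row below was copied by hand
from the tables above; nothing here talks to the sandbox."""
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows, one per line:
# PID <writer> wrote to memory of <target> <pid> <process> <procid_target>
WPM_ROWS = """
PID 3644 wrote to memory of 4700 3644 9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe 84
PID 3644 wrote to memory of 4700 3644 9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe 84
PID 3644 wrote to memory of 4700 3644 9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe 84
PID 4700 wrote to memory of 2156 4700 i22435028.exe 85
PID 4700 wrote to memory of 2156 4700 i22435028.exe 85
PID 4700 wrote to memory of 2156 4700 i22435028.exe 85
PID 2156 wrote to memory of 3616 2156 i32167551.exe 87
PID 2156 wrote to memory of 3616 2156 i32167551.exe 87
PID 2156 wrote to memory of 3616 2156 i32167551.exe 87
PID 3616 wrote to memory of 3716 3616 i55230344.exe 89
PID 3616 wrote to memory of 3716 3616 i55230344.exe 89
PID 3616 wrote to memory of 3716 3616 i55230344.exe 89
PID 3716 wrote to memory of 2208 3716 i39138045.exe 90
PID 3716 wrote to memory of 2208 3716 i39138045.exe 90
PID 3716 wrote to memory of 2208 3716 i39138045.exe 90
"""

# pid -> image, from the submitted sample plus the "Executes dropped EXE" table.
IMAGE_BY_PID = {
    3644: "9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe",
    4700: "i22435028.exe", 2156: "i32167551.exe", 3616: "i55230344.exe",
    3716: "i39138045.exe", 2208: "a59028844.exe",
}

# "Adds Run key" rows as (value name, value data, writing process), rebuilt
# from the table: wextract_cleanupN deletes IXP00N.TMP, written by stage N.
DELNODE = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE_ROWS = [
    (f"wextract_cleanup{n}", DELNODE + '"' + TEMP + r"\IXP00" + str(n) + r'.TMP\"', IMAGE_BY_PID[p])
    for n, p in enumerate((3644, 4700, 2156, 3616, 3716))
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# Assumed shape of wextract's cleanup command: rundll32 [path\]advpack.dll,DelNodeRunDLL32 "<dir>[\]"
DELNODE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:\S*\\)?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+?)\\?"\s*$',
    re.IGNORECASE)
IXP_RE = re.compile(r"\\IXP\d{3}\.TMP$", re.IGNORECASE)


def parse_wpm(text):
    """Unique (writer pid, target pid, writer image) edges, in table order."""
    edges = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in edges:  # the table repeats each process creation
            edges.append(edge)
    return edges


def roots(edges):
    """Writers that were never written to: the tree's top-level processes."""
    return sorted({s for s, _, _ in edges} - {d for _, d, _ in edges})


def chains(edges, pid):
    """Every pid path from `pid` down to a leaf, depth-first in table order."""
    children = defaultdict(list)
    for s, d, _ in edges:
        children[s].append(d)

    def walk(p):
        if p not in children:
            return [[p]]
        return [[p] + tail for c in children[p] for tail in walk(c)]
    return walk(pid)


def classify_runonce(name, data):
    """Is this RunOnce value wextract's temp-dir cleanup rather than real persistence?"""
    m = DELNODE_RE.match(data)
    d = m.group("dir") if m else None
    return {"name": name, "cleanup_dir": d,
            "wextract_cleanup": bool(m) and name.lower().startswith("wextract_cleanup"),
            "ixp_temp": bool(d and d.lower().startswith(TEMP.lower()) and IXP_RE.search(d))}


def triage():
    edges = parse_wpm(WPM_ROWS)
    chain = chains(edges, roots(edges)[0])[0]
    entries = [classify_runonce(n, d) for n, d, _ in RUNONCE_ROWS]
    return {
        "edges": len(edges),
        "chain": chain,
        "images": [IMAGE_BY_PID[p] for p in chain],
        # the writer image in each WPM row must agree with the dropped-EXE table
        "consistent": all(IMAGE_BY_PID[s] == img for s, _, img in edges),
        "wextract_cleanups": sum(e["wextract_cleanup"] for e in entries),
        "ixp_cleanup_dirs": [e["cleanup_dir"] for e in entries if e["ixp_temp"]],
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

Run stand-alone it prints the collapsed edge count (5 from 15 rows), the single chain 3644 → 4700 → 2156 → 3616 → 3716 → 2208 with its images ending in a59028844.exe, and confirms all five RunOnce values are cleanup entries for IXP000.TMP through IXP004.TMP. The same classify_runonce check applied to a live HKLM RunOnce dump will leave a genuine autorun (anything not matching the DelNodeRunDLL32 shape, or pointing outside %TEMP%\IXP*.TMP) flagged as not a cleanup entry.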
Processes
1. C:\Users\Admin\AppData\Local\Temp\9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe (PID 3644)
   command line: "C:\Users\Admin\AppData\Local\Temp\9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22435028.exe (PID 4700)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22435028.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i32167551.exe (PID 2156)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i32167551.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i55230344.exe (PID 3616)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i55230344.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i39138045.exe (PID 3716)
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i39138045.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a59028844.exe (PID 2208)
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a59028844.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: 5cdfd4f166154006d9d1509132c76666
SHA1: 45979a9f2d0f1672c5f0483674e9d2c3fd6d4169
SHA256: a40af26d881db79ba221c8f0e4e0da29466eed57da13a9e75db9de3633633fa1
SHA512: b41a003cd7b81ad24631e246b5cca85c6429ae578cdf267d7e43236ce70b4182ce5f61256ffd55e4dcca7bc127b7713fc4e2d7f0d06804eab481786235cf5474

Filesize: 1015KB
MD5: a77dfbacf077c94e4b43ebafee8cc17f
SHA1: 8839b875df85092594fa889156609f6fb384d62c
SHA256: abdbe108d6553dc5debc4dbca452719cb2c075c46b8a074cdcc3246a2b4be4e1
SHA512: bea6d6dd9246c691c26acb3580c2895d02c8657e5745bedfc3c25e45dfc74fe3ac9e4a81a203388e070ce4871a07765f50a3e348ad77d0cc88fb52a5c8970ff8

Filesize: 843KB
MD5: b313d7e7061b8cc5a022fdd9364cffc2
SHA1: e36c73b556f62b4bff3e43b632084b1e85275670
SHA256: b0dc4027d8a636f840def7d5e70b8332ef3f1bc408d4ba83fca576cf28f83042
SHA512: 6f198a593394176231a3290f7c820d1b93cc500533367e9ff27c407574f0da75af551d74f8762b971d42ecb1fd6a1caf668eb0f0772491d4f9c3c5b07b6410b6

Filesize: 371KB
MD5: a18e99c10b17e127c9e2f5bd081d2d9f
SHA1: d5e1c05b660ec6a9ed024b1aa0b6b2090ea04248
SHA256: 0fe927b1b64fa54013625b5cfd8a659262a24238e64266c7d4035d924d563db2
SHA512: 0a2a38e1f2c7b1d16a3b4041367e5fdc064b8b13eccbed78f49ddfc6531fa434fafce1d4f25565b333d23d368b55c66662df7fa6d1fdd037b09736b43eb68cce

Filesize: 169KB
MD5: d1731ad1e898a516cec25b96ba474b31
SHA1: 597ebbf16438c1874249dbeec2ad5ee24fbef73e
SHA256: 9814ac96601928926ea572e59939f950e9efdcb5ba83ae8c75d991b51ce19be1
SHA512: f27ace1b479999edaa29e7d2df0ed67eba4cf061f6ddd65a20fb69ead436c76987e65ab44c110f47c9ad0ea37d7ec13fd0543fee354d654bf7d686d594349519