Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:58

General

  • Target

    3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe

  • Size

    479KB

  • MD5

    c3bee8f6205cea445b6d4bff688a7c86

  • SHA1

    2e60eb8161dd24c073d73b62cf485dcee00cd6e3

  • SHA256

    3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26

  • SHA512

    d21b03111b0e70397b5af9e94c47060adca3e58f56898d6416777ff6691753b6e2a2f2f6f9f84121a5f5207ac1bdff3d918fc3016d957e353d953bab484f28e1

  • SSDEEP

    6144:Khy+bnr+Mp0yN90QEBsBdsFepZkeP93bUjqodCOcKyBIv1ijn0t8TlXwIpxZ54UW:DMrYy90bsBeKgdqKyU9t8xXwyrHWJLl

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes
  • auth_value

    8f24ed370a9b24aa28d3d634ea57912e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
    "C:\Users\Admin\AppData\Local\Temp\3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe

    Filesize

    307KB

    MD5

    7eba13a60814a7418dba53127b7ff414

    SHA1

    b07e5405219a1200dd7fdd2822245390f734088a

    SHA256

    9b96aa472959f67beb89020203c273c46ea4c613e3c7c09cb8a6520feb02b662

    SHA512

    9affd1556ad7ace39db17e294364c4e306f542c5241370f89165a6b4f0c7132952e34d0866b46adfd0a170ec1d17c685878fb0ea4b0fa943a1d7e00b192baf00

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe

    Filesize

    168KB

    MD5

    d70db3f8bdc6c5588913335d99b15713

    SHA1

    50a768f2a8e589d04c6578b5f6ec919df28dd36b

    SHA256

    cf798dc4dd5690baab0342eae5f7fecd39630b08b9bab9daaf1fa8008cde8433

    SHA512

    54c55be93e2b3ca511040da3c5df7351c0aad0414e504e9956cb8e81661a6610a4d49715730a5662dd7125bef31eb3222e8a1cad3a5ec30de6c9a06f84653b55

  • memory/3716-14-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

    Filesize

    4KB

  • memory/3716-15-0x00000000006C0000-0x00000000006F0000-memory.dmp

    Filesize

    192KB

  • memory/3716-16-0x00000000029E0000-0x00000000029E6000-memory.dmp

    Filesize

    24KB

  • memory/3716-17-0x0000000005820000-0x0000000005E38000-memory.dmp

    Filesize

    6.1MB

  • memory/3716-18-0x0000000005310000-0x000000000541A000-memory.dmp

    Filesize

    1.0MB

  • memory/3716-19-0x0000000005180000-0x0000000005192000-memory.dmp

    Filesize

    72KB

  • memory/3716-20-0x0000000005200000-0x000000000523C000-memory.dmp

    Filesize

    240KB

  • memory/3716-21-0x0000000073D20000-0x00000000744D0000-memory.dmp

    Filesize

    7.7MB

  • memory/3716-22-0x0000000005240000-0x000000000528C000-memory.dmp

    Filesize

    304KB

  • memory/3716-23-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

    Filesize

    4KB

  • memory/3716-24-0x0000000073D20000-0x00000000744D0000-memory.dmp

    Filesize

    7.7MB