Analysis
  max time kernel: 132s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/11/2024, 01:58
Static task: static1
Behavioral task: behavioral1
  Sample: 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
  Resource: win10v2004-20241007-en
General
  Target: 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
  Size: 479KB
  MD5: c3bee8f6205cea445b6d4bff688a7c86
  SHA1: 2e60eb8161dd24c073d73b62cf485dcee00cd6e3
  SHA256: 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26
  SHA512: d21b03111b0e70397b5af9e94c47060adca3e58f56898d6416777ff6691753b6e2a2f2f6f9f84121a5f5207ac1bdff3d918fc3016d957e353d953bab484f28e1
  SSDEEP: 6144:Khy+bnr+Mp0yN90QEBsBdsFepZkeP93bUjqodCOcKyBIv1ijn0t8TlXwIpxZ54UW:DMrYy90bsBeKgdqKyU9t8xXwyrHWJLl
Malware Config
  Extracted: redline
    ditro
    217.196.96.101:4132
    auth_value: 8f24ed370a9b24aa28d3d634ea57912e
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b33-12.dat | family_redline
  behavioral1/memory/3716-15-0x00000000006C0000-0x00000000006F0000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
  pid | Process
  2916 | x4668442.exe
  3716 | g3699705.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x4668442.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g3699705.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x4668442.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4532 wrote to memory of 2916 | 4532 | 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe | 84
  PID 4532 wrote to memory of 2916 | 4532 | 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe | 84
  PID 4532 wrote to memory of 2916 | 4532 | 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe | 84
  PID 2916 wrote to memory of 3716 | 2916 | x4668442.exe | 86
  PID 2916 wrote to memory of 3716 | 2916 | x4668442.exe | 86
  PID 2916 wrote to memory of 3716 | 2916 | x4668442.exe | 86
Processes
  C:\Users\Admin\AppData\Local\Temp\3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe"
    PID: 4532
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe
        PID: 2916
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe
            PID: 3716
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 307KB
  MD5: 7eba13a60814a7418dba53127b7ff414
  SHA1: b07e5405219a1200dd7fdd2822245390f734088a
  SHA256: 9b96aa472959f67beb89020203c273c46ea4c613e3c7c09cb8a6520feb02b662
  SHA512: 9affd1556ad7ace39db17e294364c4e306f542c5241370f89165a6b4f0c7132952e34d0866b46adfd0a170ec1d17c685878fb0ea4b0fa943a1d7e00b192baf00

  Filesize: 168KB
  MD5: d70db3f8bdc6c5588913335d99b15713
  SHA1: 50a768f2a8e589d04c6578b5f6ec919df28dd36b
  SHA256: cf798dc4dd5690baab0342eae5f7fecd39630b08b9bab9daaf1fa8008cde8433
  SHA512: 54c55be93e2b3ca511040da3c5df7351c0aad0414e504e9956cb8e81661a6610a4d49715730a5662dd7125bef31eb3222e8a1cad3a5ec30de6c9a06f84653b55