Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:43
Static task: static1
Behavioral task: behavioral1
Sample: 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
Resource: win10v2004-20241007-en
General
Target: 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
Size: 780KB
MD5: 56e5fd7e255dc7bb88bff655503e6341
SHA1: dd85cc70c874e3bd5b54fdeb691094a48d5f3728
SHA256: 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab
SHA512: 576a551aab259774f704995b80d49b3106519c6ee67ad095022642a7adc114df4b68bc979213fb6cc4044f443d8c25fd9f8ebc0124c94cb8d8dfc0975c468f32
SSDEEP: 12288:qMrJy90mDwBbpRAdu2vv3ZCRd5pwqyz+8XtUmxneZ:LyHDId2tjBC89USneZ
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
Attributes
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/2680-22-0x0000000004D20000-0x0000000004D66000-memory.dmp | family_redline
behavioral1/memory/2680-24-0x0000000005350000-0x0000000005394000-memory.dmp | family_redline
behavioral1/memory/2680-34-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-88-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-86-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-84-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-82-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-80-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-78-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-76-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-74-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-72-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-68-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-66-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-64-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-62-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-60-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-58-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-56-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-54-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-52-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-50-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-48-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-46-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-44-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-42-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-40-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-38-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-36-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-32-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-30-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-28-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-70-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-26-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline
behavioral1/memory/2680-25-0x0000000005350000-0x000000000538E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2404 | vaX54.exe
2012 | vQe35.exe
2680 | dor78.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vaX54.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vQe35.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vaX54.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vQe35.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dor78.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2680 | dor78.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4232 wrote to memory of 2404 | 4232 | 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe | 83
PID 4232 wrote to memory of 2404 | 4232 | 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe | 83
PID 4232 wrote to memory of 2404 | 4232 | 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe | 83
PID 2404 wrote to memory of 2012 | 2404 | vaX54.exe | 84
PID 2404 wrote to memory of 2012 | 2404 | vaX54.exe | 84
PID 2404 wrote to memory of 2012 | 2404 | vaX54.exe | 84
PID 2012 wrote to memory of 2680 | 2012 | vQe35.exe | 85
PID 2012 wrote to memory of 2680 | 2012 | vQe35.exe | 85
PID 2012 wrote to memory of 2680 | 2012 | vQe35.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe"
  PID: 4232
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vaX54.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vaX54.exe
    PID: 2404
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQe35.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQe35.exe
      PID: 2012
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dor78.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dor78.exe
        PID: 2680
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 677KB
MD5: 0fe557f831089f1b4a244f74901e665b
SHA1: 92d4a1b9f4b74e2bc3aacf0814c31ddccd89da28
SHA256: 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d
SHA512: 2d34b7c4f2b1c501914e4d221db27c0a350934486112481a9c0146c1d8b78cb1f5c76f1bec9ff655f14b6435500901f2cd29781a957375bb373dd8c910a710ec

Filesize: 532KB
MD5: 902ad6d46dbf9f919371d0f48762fd36
SHA1: 47a00953fdc6c48beda44dbc29a703bf5f6cf043
SHA256: 2ac5a41a155a6181c713b92362c3346ace5693b4ff726c67a658c7cdd7cdc9b9
SHA512: 2d6c1c84fc455b8c8a08572936a5eb67f7719f173f6f4ecf89a38c32d3733349fe077e7bd987588b639c3632e0ae4d5379f0138c52536120954ea7476a50d948

Filesize: 338KB
MD5: cb2d93db92499f0d807e5de936216415
SHA1: 6599f128b4914dfa7085a114f765f28ab2383366
SHA256: 8b784da006ef6549b3db738ed63352e81be6cf5941330388e02b72ec188c41f6
SHA512: af7c64d82e6d728cbbaf73e39f3f5203a6a575e06dd8e847f937460df83aeadc1599d45e6edc1af35bef60ac899e369f96b181932e25bce850fe179a05e6ba66