Analysis
max time kernel: 141s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe
Resource: win10v2004-20241007-en
General
Target: 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe
Size: 838KB
MD5: e961eaaaa2ed61c1d3ceca54dc64f6cf
SHA1: 2685bc99554d40576ea40cd399fc94d549a8aa36
SHA256: 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d
SHA512: 5021f276035f805da7ca6eb9bed70270a017689ced08f681c30d8343a68d0eac0cd5dd168fe9733da88bccc3a56b422f75c8182347f45b3dfc4aa6a9001f4e0d
SSDEEP: 12288:IMrby90ZHIAODx+mdlO64aFACY3IX938FEd0JhQDx54D41YSrws7nZn/iDhZ3s+Z:DyDRx+AKHCYq38FlQ3PDZ/Qh521B+
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource / yara_rule
behavioral1/memory/3020-22-0x0000000002280000-0x00000000022C6000-memory.dmp family_redline
behavioral1/memory/3020-24-0x0000000002350000-0x0000000002394000-memory.dmp family_redline
behavioral1/memory/3020-78-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-88-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-86-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-84-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-82-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-80-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-76-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-74-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-72-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-70-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-68-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-66-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-64-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-62-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-60-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-56-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-54-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-52-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-50-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-48-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-46-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-42-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-40-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-38-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-36-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-34-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-32-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-30-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-28-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-26-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-58-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-44-0x0000000002350000-0x000000000238E000-memory.dmp family_redline
behavioral1/memory/3020-25-0x0000000002350000-0x000000000238E000-memory.dmp family_redline

Redline family
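The 35 `family_redline` hits above are dumps of PID 3020's memory taken at successive points of the run, and almost all of them are the same region dumped again. The following added example (written here for this page, not tria.ge's own code) parses the IoC strings in the form the report prints them and collapses them to distinct (pid, start, end) regions, so an analyst can see at a glance which dump to carve the payload from and whether a region changed size between dumps. The `REPORT_IOCS` list is constructed to reproduce the 35 strings listed above; nothing else is assumed.

```python
import re

# One IoC as tria.ge prints it: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
IOC_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def _ioc(pid, seq, start, end, task="behavioral1"):
    return f"{task}/memory/{pid}-{seq}-0x{start:016X}-0x{end:016X}-memory.dmp"


# Constructed to match the 35 hits in the report: seq 22 and 24 are two one-off
# regions; seq 25 and every even seq from 26 to 88 hit 0x2350000-0x238E000.
REPORT_IOCS = (
    [_ioc(3020, 22, 0x2280000, 0x22C6000), _ioc(3020, 24, 0x2350000, 0x2394000)]
    + [_ioc(3020, n, 0x2350000, 0x238E000) for n in [25] + list(range(26, 89, 2))]
)


def parse_ioc(s):
    """Split one memory-dump IoC into its fields; addresses come back as ints."""
    m = IOC_RE.match(s)
    if not m:
        raise ValueError(f"not a memory-dump IoC: {s!r}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def collapse_regions(iocs):
    """Group hits by (pid, start, end). One summary per distinct region, sorted by
    address, with hit count, size and the seq range over which it kept matching."""
    groups = {}
    for s in iocs:
        r = parse_ioc(s)
        groups.setdefault((r["pid"], r["start"], r["end"]), []).append(r["seq"])
    summary = []
    for (pid, start, end), seqs in sorted(groups.items()):
        summary.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "hits": len(seqs), "first_seq": min(seqs), "last_seq": max(seqs),
        })
    return summary


def shared_base(regions):
    """Regions with the same base address but different end addresses: the mapping
    changed size between dumps, so the dumps are not interchangeable."""
    by_start = {}
    for r in regions:
        by_start.setdefault((r["pid"], r["start"]), []).append(r["end"])
    return {k: sorted(v) for k, v in by_start.items() if len(v) > 1}


def report(iocs):
    """Human-readable one-line-per-region summary."""
    lines = []
    for r in collapse_regions(iocs):
        lines.append(
            f"pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} size 0x{r['size']:X} "
            f"hits {r['hits']} (seq {r['first_seq']}..{r['last_seq']})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REPORT_IOCS))
    print("resized:", shared_base(collapse_regions(REPORT_IOCS)))
```

Run over the report's list this yields three regions: 0x2280000-0x22C6000 (one hit, seq 22), 0x2350000-0x2394000 (one hit, seq 24) and 0x2350000-0x238E000 (33 hits, seq 25 to 88), and `shared_base` flags that the 0x2350000 mapping shrank by 0x6000 between seq 24 and seq 25. Pick the latest dump of the stable region rather than the first hit when you want the unpacked payload.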
Executes dropped EXE 3 IoCs
pid / Process
1036 vvO92.exe
2708 vrT83.exe
3020 dXj46.exe
Adds Run key to start application 2 TTPs 3 IoCs
Each value runs advpack.dll's DelNodeRunDLL32 against the writer's own IXP00N.TMP extraction directory at next logon. This is the cleanup hook that the WEXTRACT (IExpress) self-extractor stub registers for its temporary directory, so the three entries show three nested self-extracting layers rather than persistence for the final payload.
description / ioc / Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vvO92.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vrT83.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrT83.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dXj46.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvO92.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process
Token: SeDebugPrivilege 3020 dXj46.exe
Suspicious use of WriteProcessMemory 9 IoCs
description / pid / Process / procid_target
PID 856 wrote to memory of 1036 856 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe 88
PID 856 wrote to memory of 1036 856 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe 88
PID 856 wrote to memory of 1036 856 545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe 88
PID 1036 wrote to memory of 2708 1036 vvO92.exe 89
PID 1036 wrote to memory of 2708 1036 vvO92.exe 89
PID 1036 wrote to memory of 2708 1036 vvO92.exe 89
PID 2708 wrote to memory of 3020 2708 vrT83.exe 90
PID 2708 wrote to memory of 3020 2708 vrT83.exe 90
PID 2708 wrote to memory of 3020 2708 vrT83.exe 90
Processes
[1] C:\Users\Admin\AppData\Local\Temp\545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe"
    PID: 856
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vvO92.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vvO92.exe
      PID: 1036
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vrT83.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vrT83.exe
        PID: 2708
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXj46.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXj46.exe
          PID: 3020
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
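The process tree, the WriteProcessMemory rows and the RunOnce rows describe one thing from three angles: a chain of self-extracting stubs, each unpacking the next into its own IXP00N.TMP directory and scheduling that directory for deletion. The following added example (written for this page, not code from tria.ge or from the sample) rebuilds the parent-to-child chain from the WriteProcessMemory rows, collapsing the triplicated entries, and then checks for each hop that the directory named in the parent's `wextract_cleanupN` RunOnce value is the directory the child was executed from. `WPM_EVENTS`, `RUNONCE` and `IMAGES` are constructed from the rows printed above; the function names are this example's own.

```python
import ntpath
import re

SAMPLE = "545d800c76bbed5d4667974dac4680cda15a7910406a4163c391320010f2e78d.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# pid -> image path, copied from the Processes tree above (constructed input).
IMAGES = {
    856: ntpath.join(TEMP, SAMPLE),
    1036: ntpath.join(TEMP, "IXP000.TMP", "vvO92.exe"),
    2708: ntpath.join(TEMP, "IXP001.TMP", "vrT83.exe"),
    3020: ntpath.join(TEMP, "IXP002.TMP", "dXj46.exe"),
}

# "Suspicious use of WriteProcessMemory" rows: (source pid, target pid, source image).
# The report prints each edge three times; the duplicates are kept on purpose.
WPM_EVENTS = (
    [(856, 1036, SAMPLE)] * 3
    + [(1036, 2708, "vvO92.exe")] * 3
    + [(2708, 3020, "vrT83.exe")] * 3
)

# "Adds Run key to start application" rows: (value name, value data, writer image).
RUNONCE = [
    ("wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     SAMPLE),
    ("wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "vvO92.exe"),
    ("wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
     "vrT83.exe"),
]

DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def build_chain(events, root_pid):
    """Follow WriteProcessMemory edges from root_pid while each stage has exactly one
    distinct child. Duplicate rows collapse into one edge; a fan-out stops the walk."""
    children = {}
    for src, dst, _image in events:
        children.setdefault(src, set()).add(dst)
    chain, seen = [root_pid], {root_pid}
    while True:
        nxt = children.get(chain[-1], set()) - seen
        if len(nxt) != 1:
            break
        (pid,) = nxt
        chain.append(pid)
        seen.add(pid)
    return chain


def cleanup_targets(runonce):
    """writer image (lower-cased) -> (value name, directory DelNodeRunDLL32 will delete)."""
    out = {}
    for name, data, writer in runonce:
        m = DELNODE_RE.search(data)
        if m:
            out[writer.lower()] = (name, m.group(1).rstrip("\\"))
    return out


def correlate(chain, images, runonce):
    """For each parent->child hop, pair the parent's RunOnce cleanup directory with the
    directory the child runs from and record whether they are the same."""
    targets = cleanup_targets(runonce)
    hops = []
    for parent, child in zip(chain, chain[1:]):
        name, target = targets.get(ntpath.basename(images[parent]).lower(), (None, None))
        child_dir = ntpath.dirname(images[child])
        hops.append({
            "parent": parent, "child": child, "runonce": name,
            "cleanup_dir": target, "child_dir": child_dir,
            "consistent": target is not None and target.lower() == child_dir.lower(),
        })
    return hops


def is_nested_sfx_chain(hops):
    """True when every hop's RunOnce value is a wextract_cleanup entry that deletes the
    child's own extraction directory: self-extractor cleanup, not payload persistence."""
    return bool(hops) and all(
        h["consistent"] and h["runonce"].startswith("wextract_cleanup") for h in hops
    )


if __name__ == "__main__":
    chain = build_chain(WPM_EVENTS, 856)
    hops = correlate(chain, IMAGES, RUNONCE)
    print("chain:", " -> ".join(str(p) for p in chain))
    for h in hops:
        print(f"{h['parent']} -> {h['child']}: {h['runonce']} deletes {h['cleanup_dir']} "
              f"(child dir {h['child_dir']}) consistent={h['consistent']}")
    print("nested self-extractor chain:", is_nested_sfx_chain(hops))
```

On the report's rows this gives the chain 856 -> 1036 -> 2708 -> 3020 with all three hops consistent, which is what a dropper built from nested IExpress packages looks like; a RunOnce value that pointed anywhere other than the child's IXP00N.TMP directory would be the signal to look for real persistence.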
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 734KB
MD5: a5d9c6e94444afa3465a7d8167e885c0
SHA1: ebf0c181d04d6fa8a596397d28342b08a36b38f2
SHA256: 9c71afe28546466886020ad44b27b3db711e212f646cc583a44bb4272d1afb61
SHA512: f9c278e5b14aeb5f6744856007651da7174ad25627c322c83179c4f64e1594f7f641b961edf0c6c37634ec04f334c3fd12436b0aaff4f96087c06490574c7ee8

Filesize: 589KB
MD5: 757743097007a482a3d0b0849db6fbda
SHA1: 93cb91fe4efdf4661064a56112080289f596da4f
SHA256: 6afbc4a0ead7270cbfb96c76588c071c901dd406cb93c5a8227ef228340dbbf6
SHA512: 9564e5860b61a7b7507f2837a5f06696add7854665955ba9f6836ee2d06c3c69c216ef54b5ec74c631afa0186e2215e89c88ff9b75ae7de6e5a6ff2c57b0c6f1

Filesize: 481KB
MD5: cad110ca2f60ecd3c9c16e973b59d3f1
SHA1: 93c455fbd0f645c6cf56208eb34489f889866913
SHA256: 4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
SHA512: 3bf5bd8c9ce7f45d8c517e28df9bee44a4521d942ccfe44153ff8b4b1e55137e76c229a0a04c5b77a93ee13b397fd59883fec06ac81d93bb82645af6ee6af983