Analysis
  max time kernel:   141s
  max time network:  144s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         11/11/2024, 08:31
Static task:      static1
Behavioral task:  behavioral1
  Sample:    f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
  Resource:  win10v2004-20241007-en
General
  Target:  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
  Size:    837KB
  MD5:     bd757df01ad12051ee4bf47fd16becf0
  SHA1:    7809fed8bb79a099bab0219f2df3cefff2f860c6
  SHA256:  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9
  SHA512:  3434d6dbed017ebedb6908672327ad0a84d5de7d01b43319b05bf788547148bfe95d90fa18ccc25339aafc60ac06ee897d7575e6dedaab0b6f4fabd44dd36c9b
  SSDEEP:  12288:aMr2y90eSKuds/8wHYasRU+HVEbdsUDeEqxstQJPDQaxx3tNHnerD:AyuKuds/8wHYasRU+H6h30sKhDtV0D
Malware Config
Extracted
  Family:      redline
  Botnet:      romik
  C2:          193.233.20.12:4132
  auth_value:  8fb78d2889ba0ca42678b59b884e88ff

The botnet tag and auth_value are the operator-specific identifiers baked into the RedLine client; together with the C2 endpoint they are the values to pivot on when clustering other samples of this build.
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
All 35 hits are YARA matches (rule family_redline) on memory dumps of pid 3456, which is dXq48.exe, the last stage of the extraction chain. They cover three distinct address ranges, the third of which was dumped repeatedly over the run:
  resource                                                                        yara_rule
  behavioral1/memory/3456-22-0x00000000026C0000-0x0000000002706000-memory.dmp  family_redline
  behavioral1/memory/3456-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp  family_redline
  behavioral1/memory/3456-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-28-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-32-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-34-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-36-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-38-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-42-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-44-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-46-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-48-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-50-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-52-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-54-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-56-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-58-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-60-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-62-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-64-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-66-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-68-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-70-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-72-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-74-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-76-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-78-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-80-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-82-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-84-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-86-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline
  behavioral1/memory/3456-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp  family_redline

Redline family
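A 35-line hit list like the one above is easier to act on once it is collapsed to "which regions, in which process". The script below is an added example, not code from the tria.ge report or from any RedLine tooling: it parses lines in the report's `<task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <rule>` form and groups repeated dumps of the same address range. The embedded input is a constructed subset of the hits listed above, and PID_TO_IMAGE is copied from the Executes dropped EXE table; function names are my own.

```python
import re

# Matches one tria.ge memory-dump YARA hit line, e.g.
#   behavioral1/memory/3456-22-0x00000000026C0000-0x0000000002706000-memory.dmp family_redline
HIT_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

# Constructed subset (6 of 35) of the family_redline hits in the report above.
SAMPLE_HITS = [
    "behavioral1/memory/3456-22-0x00000000026C0000-0x0000000002706000-memory.dmp family_redline",
    "behavioral1/memory/3456-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp family_redline",
    "behavioral1/memory/3456-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp family_redline",
    "behavioral1/memory/3456-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp family_redline",
    "behavioral1/memory/3456-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp family_redline",
    "behavioral1/memory/3456-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp family_redline",
]

# PID -> image name, taken from the report's "Executes dropped EXE" table.
PID_TO_IMAGE = {3532: "vxq98.exe", 100: "vow79.exe", 3456: "dXq48.exe"}


def parse_hit(line):
    """Parse one hit line into a dict with integer pid/seq/start/end; raise on anything else."""
    m = HIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a memory-dump hit line: {line!r}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),          # dump sequence number within the task
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
        "rule": m["rule"],
    }


def summarize_regions(lines):
    """Group hits by (pid, start, end) and record size, hit count, rules and dump sequence numbers."""
    regions = {}
    for line in lines:
        h = parse_hit(line)
        key = (h["pid"], h["start"], h["end"])
        r = regions.setdefault(key, {"size": h["end"] - h["start"], "count": 0, "rules": set(), "seqs": []})
        r["count"] += 1
        r["rules"].add(h["rule"])
        r["seqs"].append(h["seq"])
    return regions


def triage_note(lines, pid_to_image=PID_TO_IMAGE):
    """One human-readable line per distinct region, with the process name resolved from the PID."""
    out = []
    for (pid, start, end), r in sorted(summarize_regions(lines).items()):
        image = pid_to_image.get(pid, "?")
        out.append(
            f"pid {pid} ({image}): 0x{start:X}-0x{end:X} size 0x{r['size']:X} "
            f"hits={r['count']} rules={','.join(sorted(r['rules']))} first_seq={min(r['seqs'])}"
        )
    return out


if __name__ == "__main__":
    print("\n".join(triage_note(SAMPLE_HITS)))
```

Run against the full list, the output is three lines for pid 3456: a 0x46000-byte region at 0x26C0000 seen once, a 0x44000-byte region at 0x4CD0000 seen once, and a 0x3E000-byte region at the same base seen 33 times, which is the unpacked RedLine module sitting in the final stage for the rest of the run. The first dump sequence number per region tells you how early in the run the payload was present.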
Executes dropped EXE (3 IoCs)
  pid   Process
  3532  vxq98.exe
  100   vow79.exe
  3456  dXq48.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  Process     Registry value (Set value, str)
  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
              HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
              = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  vxq98.exe   HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
              = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  vow79.exe   HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2
              = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"

Caveat: these RunOnce values are not persistence for the stealer. wextract_cleanupN entries that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are written by the Windows self-extracting cabinet stub (the one behind IExpress packages) so that its temporary extraction directory is deleted at the next logon; the value runs once and only deletes files. Three such values from three different processes, each naming the next IXP00N.TMP directory, is the fingerprint of a three-layer nested SFX package rather than of an attacker-configured autorun. They remain useful as evidence of the unpacking chain and as a hunting pivot, but do not treat this signature as the sample's persistence mechanism.
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Action      Key                                                       Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vxq98.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vow79.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dXq48.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3456  dXq48.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1668 wrote to memory of 3532  1668  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe  83
  PID 1668 wrote to memory of 3532  1668  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe  83
  PID 1668 wrote to memory of 3532  1668  f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe  83
  PID 3532 wrote to memory of 100   3532  vxq98.exe                                                               84
  PID 3532 wrote to memory of 100   3532  vxq98.exe                                                               84
  PID 3532 wrote to memory of 100   3532  vxq98.exe                                                               84
  PID 100 wrote to memory of 3456   100   vow79.exe                                                               85
  PID 100 wrote to memory of 3456   100   vow79.exe                                                               85
  PID 100 wrote to memory of 3456   100   vow79.exe                                                               85

Each parent/child pair appears three times with the same procid_target, and every target is the direct child that the parent launched (see Processes below); none of these writes goes into an unrelated process, so this signature reflects the spawn chain rather than injection into a foreign process.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe"
      PID: 1668
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
        PID: 3532
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
          PID: 100
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
            PID: 3456
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
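The tree above, read together with the RunOnce writes, is the shape of a nested IExpress/wextract package: each stage extracts the next one into %TEMP%\IXP00N.TMP, runs it, and schedules that directory for deletion. The script below is an added example and not code from tria.ge or from the sample; it detects such chains from process-creation and registry-set records. The records are constructed from this report, the tuple layouts and function names are my own, and min_depth is a tuning choice: a single IXP000.TMP stage is what any legitimate IExpress installer produces, so only chains of two or more nested stages are reported.

```python
import re

# An image path under a wextract temp directory, e.g. ...\Temp\IXP001.TMP\vow79.exe
IXP_DIR_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)
# The cleanup command wextract writes to RunOnce: advpack.dll,DelNodeRunDLL32 "<dir>"
CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32\s+\"(?P<dir>[^\"]+)\"", re.IGNORECASE)

# Constructed from the Processes section: (pid, parent pid, image path). Root parent is unknown.
PROCESSES = [
    (1668, None, r"C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe"),
    (3532, 1668, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe"),
    (100, 3532, r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe"),
    (3456, 100, r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe"),
]
# Constructed from the "Adds Run key" section: (writing pid, RunOnce value name, value data).
REG_SETS = [
    (1668, "wextract_cleanup0", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (3532, "wextract_cleanup1", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    (100, "wextract_cleanup2", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
]


def ixp_stage(path):
    """Return the IXP00N.TMP directory name an image lives in, or None if it is not under one."""
    m = IXP_DIR_RE.search(path)
    return m.group(1).upper() if m else None


def cleanup_dirs(reg_sets):
    """Map pid -> set of IXP00N.TMP dirs that process scheduled for deletion via wextract_cleanupN."""
    out = {}
    for pid, name, data in reg_sets:
        if not name.lower().startswith("wextract_cleanup"):
            continue
        m = CLEANUP_RE.search(data)
        stage = ixp_stage(m.group("dir")) if m else None
        if stage:
            out.setdefault(pid, set()).add(stage)
    return out


def find_wextract_chains(processes, reg_sets, min_depth=2):
    """Return every root-to-leaf chain of nested IXP00N.TMP stages with at least min_depth stages.

    Each stage is (pid, stage dir, image path, cleanup_consistent), where cleanup_consistent is True
    when the parent's wextract_cleanupN value names exactly the directory the child runs from, False
    when the parent wrote a cleanup value for some other directory, and None when it wrote none.
    """
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    children = {}
    for pid, ppid, _ in processes:
        children.setdefault(ppid, []).append(pid)
    cleanup = cleanup_dirs(reg_sets)
    chains = []

    def walk(root, pid, stages):
        extended = False
        for child in children.get(pid, []):
            stage = ixp_stage(by_pid[child][1])
            if stage is None:
                continue
            parent_cleanup = cleanup.get(pid)
            consistent = (stage in parent_cleanup) if parent_cleanup else None
            walk(root, child, stages + [(child, stage, by_pid[child][1], consistent)])
            extended = True
        if not extended and len(stages) >= min_depth:
            chains.append({
                "root_pid": root,
                "root_image": by_pid[root][1],
                "stages": stages,
                "depth": len(stages),
                "final_pid": stages[-1][0],
                "cleanup_consistent": all(s[3] is not False for s in stages),
            })

    for root_pid, (ppid, _) in by_pid.items():
        if ppid not in by_pid:          # no known parent in the record set: treat as a root
            walk(root_pid, root_pid, [])
    return chains


def verdict(chain):
    """One-line analyst summary for a detected chain."""
    last_pid, last_stage, last_image, _ = chain["stages"][-1]
    tag = ("cleanup values match extraction dirs" if chain["cleanup_consistent"]
           else "cleanup values do NOT match extraction dirs")
    return (f"nested wextract/IExpress chain: {chain['depth']} stages, final stage pid {last_pid} "
            f"({last_image.rsplit(chr(92), 1)[-1]} in {last_stage}); {tag}")


if __name__ == "__main__":
    for c in find_wextract_chains(PROCESSES, REG_SETS):
        print(verdict(c))
```

On the report's records this yields one chain of depth 3 ending in pid 3456 (dXq48.exe in IXP002.TMP), with every wextract_cleanupN value naming the directory its child stage ran from. The final stage is where the family_redline memory hits and the SeDebugPrivilege request land, so the leaf of the chain is the process to dump and the one whose C2 traffic to look for.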
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize:  733KB
    MD5:       808720598383f6ce34866d1386a7497d
    SHA1:      50a5d2b6549d59616fb9067ca02ee1fd80ce15f7
    SHA256:    5d9ee4faeabbe5bd559f7bc0758da46f5375013fc86946ed5e4605fa3383e7ca
    SHA512:    b571abeb700c7017e697d64ee7fadfbc6030327c05c097cb16476ff4952a259381afb96a413e7132c5d3f04569448e33b9a88ac318e645ed4d936ee7c94fa163
  File 2
    Filesize:  588KB
    MD5:       36f593c113598104f57f4e0cfe958f3c
    SHA1:      db6379d6c4734045b827fb3d87a11b1aba75d94d
    SHA256:    da242dce74bdeaaa9429453a2b470dbc5722b13e151aa704e41be744468f2070
    SHA512:    6b22f3976546f5ffdf4ba1ca487eec3ae0d0c4b3b192f2878bed5c69fdac9cc5d2db477bdb0363687f73f7e9be42dced0d57e24bfafa7e03b3efd0b35a51a665
  File 3
    Filesize:  479KB
    MD5:       285075759e1fdcae6a0deb572b9f2deb
    SHA1:      8ba0efce7c3edce13cd2cda3c250fe4f7c90ff7b
    SHA256:    b5bdf2dbf6d46257447f8b9633c4b3c1905171c0ca9e6a8c1954a92accbb00c1
    SHA512:    54338da73f8e569a9d450ac4092d385488103da32cdfddea13d0a92c847d197584683b26a21c5fa37625ce01220717ea34d8b4da4cd3a026e15b77ef23771f02

The report does not name these three files. Their sizes (733KB, 588KB, 479KB, each smaller than the 837KB submission) are consistent with one dropped file per layer of the extraction chain listed under Processes.