Analysis
- max time kernel: 141s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 09:21
Static task: static1
Behavioral task: behavioral1
- Sample: 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
- Resource: win10v2004-20241007-en
General
- Target: 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
- Size: 767KB
- MD5: 12be7143c25631d3b4389d1f7a7abe80
- SHA1: 601722c7cb1a000707fa9bfb98892255de976564
- SHA256: 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e
- SHA512: 92f7e3bc4ccd40b19a2b97bde16d4afa416561122fc377641157900a42a363f7962cebf21e793b7cd9a14e899403ae2d2eef0a57667695a355b1fb710df61fb9
- SSDEEP: 12288:bMrly90CXgr104DZh5vFbz26fTMLTgWIF3Xv85tiOuEsKd+e4AMaqvChQMFsXY/6:ayhwK49LNDf8CBf8Ne6hQMhth+
Malware Config
Extracted
- Family: redline
- Botnet: romik
- C2: 193.233.20.12:4132
- auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
  resource | yara_rule
  behavioral1/memory/5036-22-0x00000000025B0000-0x00000000025F6000-memory.dmp | family_redline
  behavioral1/memory/5036-24-0x00000000026C0000-0x0000000002704000-memory.dmp | family_redline
  behavioral1/memory/5036-74-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-88-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-86-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-84-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-82-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-80-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-78-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-76-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-72-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-70-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-69-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-66-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-64-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-62-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-60-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-58-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-56-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-54-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-52-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-48-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-46-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-44-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-42-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-40-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-38-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-36-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-35-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-33-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-30-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-28-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-26-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-25-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
  behavioral1/memory/5036-50-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  pid | Process
  2228 | vcP52.exe
  1472 | vBJ01.exe
  5036 | dlm77.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | vcP52.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" | vBJ01.exe
  Note: these RunOnce values are the standard self-cleanup that wextract.exe (the IExpress self-extractor) writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon; they do not relaunch the payload. What they do show is three nested self-extracting layers, each process unpacking the next stage into a new IXP00n.TMP directory before running it.
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dlm77.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcP52.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vBJ01.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5036 | dlm77.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3712 wrote to memory of 2228 | 3712 | 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe | 84
  PID 3712 wrote to memory of 2228 | 3712 | 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe | 84
  PID 3712 wrote to memory of 2228 | 3712 | 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe | 84
  PID 2228 wrote to memory of 1472 | 2228 | vcP52.exe | 86
  PID 2228 wrote to memory of 1472 | 2228 | vcP52.exe | 86
  PID 2228 wrote to memory of 1472 | 2228 | vcP52.exe | 86
  PID 1472 wrote to memory of 5036 | 1472 | vBJ01.exe | 87
  PID 1472 wrote to memory of 5036 | 1472 | vBJ01.exe | 87
  PID 1472 wrote to memory of 5036 | 1472 | vBJ01.exe | 87
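The 35 payload hits above are repeated scans of one process over time, so the resource names are more useful collapsed by memory region than read row by row. The following Python is an added example, not code from tria.ge or from this report. It parses the resource-name layout seen on this page (<task>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp; treating the second number as a dump sequence index is an assumption) and reports each distinct region, how many dumps matched it, and the snapshot span, which is what you need when choosing a region to carve the unpacked payload from.

```python
"""Collapse the report's memory-dump IoC names into distinct memory regions.

Added example; this is not code from tria.ge or from the RedLine report. The
resource-name layout is inferred from the rows on this page
(<task>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp); treating the
second number as a dump sequence index is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

MEM_IOC_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<snap>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemHit:
    task: str
    pid: int
    snapshot: int   # assumed: sequence number of the memory snapshot
    start: int      # region base address
    end: int        # region end address (exclusive)
    rule: str       # YARA rule that matched


def parse_hit(row: str) -> MemHit:
    """Parse one '<resource> <yara_rule>' row as printed in the Signatures table."""
    resource, rule = row.split()
    m = MEM_IOC_RE.match(resource)
    if m is None:
        raise ValueError(f"unrecognised memory IoC resource: {resource!r}")
    return MemHit(m["task"], int(m["pid"]), int(m["snap"]),
                  int(m["start"], 16), int(m["end"], 16), rule)


def summarise(rows):
    """Group hits by (pid, rule, start, end) and report how long each region kept matching.

    Returns a list of dicts ordered by the first snapshot in which the region matched.
    """
    groups = defaultdict(list)
    for row in rows:
        if row.strip():
            h = parse_hit(row.strip())
            groups[(h.pid, h.rule, h.start, h.end)].append(h.snapshot)
    summary = []
    for (pid, rule, start, end), snaps in groups.items():
        snaps.sort()
        summary.append({"pid": pid, "rule": rule, "start": start, "end": end,
                        "size": end - start, "hits": len(snaps),
                        "first": snaps[0], "last": snaps[-1]})
    summary.sort(key=lambda d: d["first"])
    return summary


def format_summary(summary) -> str:
    """Render one line per region, e.g. for a triage note or a memory-dump plan."""
    lines = []
    for d in summary:
        lines.append(f"pid {d['pid']} {d['rule']} 0x{d['start']:08X}-0x{d['end']:08X} "
                     f"({d['size'] // 1024} KiB) hits={d['hits']} "
                     f"snapshots {d['first']}..{d['last']}")
    return "\n".join(lines)


# The 35 rows from the report's "RedLine payload" table. The two one-off regions are
# written out; the 33 rows for the third region are generated from their snapshot indices.
REPORT_ROWS = [
    "behavioral1/memory/5036-22-0x00000000025B0000-0x00000000025F6000-memory.dmp family_redline",
    "behavioral1/memory/5036-24-0x00000000026C0000-0x0000000002704000-memory.dmp family_redline",
] + [
    f"behavioral1/memory/5036-{i}-0x00000000026C0000-0x00000000026FE000-memory.dmp family_redline"
    for i in (74, 88, 86, 84, 82, 80, 78, 76, 72, 70, 69, 66, 64, 62, 60, 58, 56, 54, 52,
              48, 46, 44, 42, 40, 38, 36, 35, 33, 30, 28, 26, 25, 50)
]

if __name__ == "__main__":
    print(format_summary(summarise(REPORT_ROWS)))
```

Run over the report's rows it yields three regions in PID 5036: 0x025B0000-0x025F6000 (one hit, snapshot 22), 0x026C0000-0x02704000 (one hit, snapshot 24) and 0x026C0000-0x026FE000, which matched in all 33 remaining dumps from snapshot 25 to 88. The last of these is the persistent region and the natural candidate for dumping the unpacked payload.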
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe"
   PID: 3712
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe (child of PID 3712)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
      PID: 2228
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe (child of PID 2228)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
         PID: 1472
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe (child of PID 1472)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
            PID: 5036
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
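The tree above is three self-extracting layers deep: each stage runs from a fresh %TEMP%\IXP00n.TMP directory created by the previous one, and only the innermost stage (dlm77.exe, PID 5036) takes SeDebugPrivilege. The following Python is an added example, not code from tria.ge; it encodes that shape as a detection over a constructed, simplified Sysmon-style event list (the field names type, pid, ppid, image, key, value and privilege are assumptions for this example). The sample events reproduce this report's process tree, wextract_cleanup RunOnce values and privilege adjustment, plus one constructed single-layer IExpress installer as a benign control that the rule must not flag.

```python
"""Flag nested wextract/IExpress self-extractor chains like the one in this report.

Added example; not code from tria.ge. The event stream is a constructed,
simplified Sysmon-style list of dicts (field names "type", "pid", "ppid",
"image", "key", "value", "privilege" are assumptions for this example).
"""
import re
from collections import defaultdict

# wextract.exe unpacks into %TEMP%\IXP<nnn>.TMP and writes RunOnce\wextract_cleanup<n>
# so that advpack.dll!DelNodeRunDLL32 removes that directory at the next logon.
IXP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
CLEANUP_KEY_RE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)


def ixp_depth(image: str):
    """Return the IXP directory index an image runs from (IXP002.TMP -> 2), or None."""
    m = IXP_DIR_RE.search(image)
    return int(m.group(1)) if m else None


def find_wextract_chains(events, min_nesting=2):
    """Walk parent->child links; a chain is a non-IXP root followed by children whose
    IXP index increases by one at every level (IXP000 -> IXP001 -> ...).

    A single IExpress installer (nesting 1) is common and benign, so the default
    only reports two or more nested layers. Returns one dict per chain found.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])

    cleanup_keys = defaultdict(list)          # pid -> RunOnce cleanup values it wrote
    for e in events:
        if (e["type"] == "registry_set" and CLEANUP_KEY_RE.search(e["key"])
                and DELNODE_RE.search(e["value"])):
            cleanup_keys[e["pid"]].append(e["key"])
    debug_pids = {e["pid"] for e in events
                  if e["type"] == "privilege_adjust" and e["privilege"] == "SeDebugPrivilege"}

    chains = []
    for pid, p in procs.items():
        if ixp_depth(p["image"]) is not None:
            continue                          # only start chains at the outer dropper
        chain = [pid]
        while True:
            expected = len(chain) - 1         # next layer must run from IXP<expected>
            nxt = [c for c in children[chain[-1]] if ixp_depth(procs[c]["image"]) == expected]
            if not nxt:
                break
            chain.append(nxt[0])
        nesting = len(chain) - 1
        if nesting >= min_nesting:
            chains.append({
                "chain": chain,
                "images": [procs[x]["image"] for x in chain],
                "nesting": nesting,
                "cleanup_keys": sum(len(cleanup_keys[x]) for x in chain),
                "leaf_debug_priv": chain[-1] in debug_pids,
            })
    return chains


def _cleanup(pid, n):
    """Constructed registry_set event mirroring the report's wextract_cleanup<n> values."""
    return {"type": "registry_set", "pid": pid,
            "key": rf"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup{n}",
            "value": rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00{n}.TMP\"'}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed sample: the report's process tree and IoCs, then a benign single-layer control.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3712, "ppid": 1000,
     "image": rf"{TEMP}\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe"},
    _cleanup(3712, 0),
    {"type": "process_create", "pid": 2228, "ppid": 3712, "image": rf"{TEMP}\IXP000.TMP\vcP52.exe"},
    _cleanup(2228, 1),
    {"type": "process_create", "pid": 1472, "ppid": 2228, "image": rf"{TEMP}\IXP001.TMP\vBJ01.exe"},
    _cleanup(1472, 2),
    {"type": "process_create", "pid": 5036, "ppid": 1472, "image": rf"{TEMP}\IXP002.TMP\dlm77.exe"},
    {"type": "privilege_adjust", "pid": 5036, "privilege": "SeDebugPrivilege"},
    # benign control (constructed): one ordinary IExpress package, a single layer deep
    {"type": "process_create", "pid": 7000, "ppid": 1000, "image": r"C:\Users\Admin\Downloads\setup.exe"},
    _cleanup(7000, 0),
    {"type": "process_create", "pid": 7001, "ppid": 7000, "image": rf"{TEMP}\IXP000.TMP\installer.exe"},
]

if __name__ == "__main__":
    for c in find_wextract_chains(SAMPLE_EVENTS):
        print(f"nested wextract chain {c['chain']} nesting={c['nesting']} "
              f"cleanup_keys={c['cleanup_keys']} leaf_SeDebugPrivilege={c['leaf_debug_priv']}")
```

The default threshold of two nested layers is a judgement call: a single IExpress package is ordinary software-distribution behaviour, while a package that unpacks a package that unpacks a package is rarely legitimate. The cleanup-key count and the SeDebugPrivilege flag on the leaf are reported for scoring rather than required for a match, so a variant that skips the RunOnce write still surfaces.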
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 662KB
  MD5: d9e739d9ff85a85d4ae6c0707ebef68b
  SHA1: 2082d945a785a3003b03d3e33a6e26c2f4d5ac24
  SHA256: 97e68cc6719f514f36fbb806bd5bd017325dbe9b6584c30fa8c6105bb22d1289
  SHA512: 6849ed07e32b620baadd68324266e12c691269ccd3da4ac24be69847be5536fbf953cd56ef39b072358f2637818ed77fe2045183ae5938d0736298b4b5c2d008
- Filesize: 517KB
  MD5: be3c2a6f36d8411f58580b0b2283046e
  SHA1: 77ac282e7ac1bd4be9cbf7b0c8dd797774433a72
  SHA256: 8f1bcb263e5bc70216a07df0fad50357e0dbf77d33417e212142e4d6eced875c
  SHA512: 17e8339b23db2955db972797d436618f521f3376a58ad1e6c26177c9288c15a21aa5e252199db1a69aba19f43f7ebed8fa35b5a319b7bddf1c9c95a5207011fa
- Filesize: 296KB
  MD5: 96cb25fef251057fd9f24f0c8cb90831
  SHA1: dc393dceb9194a4814c42b87eb392ff37fca6c68
  SHA256: d78d94ee7f5e64a25f292d51afee7a7a8f383a9a48a7d54135e9fdfc0fe7fdac
  SHA512: 6ad5d18632523607c9d7ec5bbc0dee2664755740a24b475bfc5f56b2707bef2343e12d3d2c6c0d5c7cf2239e245d6a8c6246ddeaf97ba4eba61a123cccaacaa0