Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 09:34
Static task: static1
Behavioral task: behavioral1
Sample: 6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe
Resource: win10v2004-20241007-en
General
Target: 6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe
Size: 765KB
MD5: d78ae547fd24ad6009e0e8801c3fef69
SHA1: 383a24ed5c07644acd49caaf64bbac9cc5c3db01
SHA256: 6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167
SHA512: db3ab0a8c73f02a633c21b3dc8e722beb8436f9a960ee073068f2b48f0e1d56b0bdf5f108dade8a25d44b6c6085eb5a0b8aad499ef4d7fd67973da3a2b6cee83
SSDEEP: 12288:vMruy90EkkocTOvswWccFmlebqWHHbdpBYoGqGlVwyeGhiV53cvt0e0zgA/OEk94:Jyhr/T2swemgHppijqG0vGhtvr0sFEk2
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 35 IoCs
  resource / yara_rule: 35 memory regions of PID 1148 (behavioral1/memory/1148-*-memory.dmp) matched the family_redline rule.
- Redline family
- Executes dropped EXE 3 IoCs
  pid / Process:
  3140 vlR73.exe
  2712 vzT93.exe
  1148 dyK91.exe
- Adds Run key to start application 2 TTPs 3 IoCs
  description / ioc / Process:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (vlR73.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (vzT93.exe)
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vlR73.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vzT93.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dyK91.exe)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description / pid / Process:
  Token: SeDebugPrivilege 1148 dyK91.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  description / pid / Process / procid_target:
  PID 4156 wrote to memory of 3140 (6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe, target 83)
  PID 4156 wrote to memory of 3140 (6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe, target 83)
  PID 4156 wrote to memory of 3140 (6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe, target 83)
  PID 3140 wrote to memory of 2712 (vlR73.exe, target 84)
  PID 3140 wrote to memory of 2712 (vlR73.exe, target 84)
  PID 3140 wrote to memory of 2712 (vlR73.exe, target 84)
  PID 2712 wrote to memory of 1148 (vzT93.exe, target 85)
  PID 2712 wrote to memory of 1148 (vzT93.exe, target 85)
  PID 2712 wrote to memory of 1148 (vzT93.exe, target 85)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe"
   PID: 4156
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlR73.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlR73.exe
      PID: 3140
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vzT93.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vzT93.exe
         PID: 2712
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyK91.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyK91.exe
            PID: 1148
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 661KB
  MD5: fe06b392541f8269c639a73df38bcc11
  SHA1: 060e938c02adffa90122e4e14d0a088e0eb74617
  SHA256: cf979786b7f5e8ec4988c783d0d1d1337c32c2fb596c4602a6134c0883385edb
  SHA512: ac10d502e43bbfb4ddac22fe19fe059750c9377da93f795e348218bb7b6327026c590fafcc283060124432dec39544214a621bd4714b50a26dba07129c45cd86
- File 2
  Filesize: 516KB
  MD5: e6ce69867b35f314cd2099f158fb931c
  SHA1: 228ce3fcedd3be15eb16111108bae42e97f10312
  SHA256: 2d36277f5ee2a7d0ff05c2f304e39b51a174fc5dbf13a82c2839ed5e393a0060
  SHA512: 60f7637c16d6600b5bcd3f97d2764a9f8f6c8ff63b1d49fd9f0caba8bd5ca7c03cceb245fdd019a86e47f2b331263ae75a5bd6f1d487e4a72baa1c919b1c0576
- File 3
  Filesize: 296KB
  MD5: 39a31c690c4b02de4f1a661ffad29d08
  SHA1: fe6268fe60696e0b85015784fe0b77d1cffc7e3d
  SHA256: acb28abfb93e3a5e8c6686b995c13c07a40d77d8989d8bdf5ce92a23576583b1
  SHA512: 3aabe421382a7b91e66e954490f9ca74d158d1d74c6ed3ff61c5f88a24de3e260619d7404f1b62f049d6f7611f89f0db17a5d30f8c76de8fb5ed9ee2ae16604c