Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 09:48
Static task
static1
Behavioral task
behavioral1
Sample
42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Resource
win10v2004-20241007-en
General
Target: 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Size: 769KB
MD5: f7dd5aac5c26446bd98e1f0fbed4500a
SHA1: d874414c1e54589814bf05510ab364c355678f4d
SHA256: 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8
SHA512: 6a0964b00960b1ee78d4bd7ae33ed8895b05c51ae9fe8360e963998576a27dfb3ccf745d6d5e846cf9d42e6d6a919da74122cad2777d1b34634e694dfedc78e8
SSDEEP: 12288:yMrQy907pHtPNg4hdDwiIOjog5qbhnWtdxhYselL8Pc+u9:SygpNq6BwiI9gY9nkheB6u9
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Redline family
-
Executes dropped EXE 3 IoCs
pid  | Process
632  | vqV84.exe
1340 | viL62.exe
968  | dDN02.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | viL62.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vqV84.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | viL62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dDN02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vqV84.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 968 | dDN02.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1652 wrote to memory of 632 | 1652 | 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe | 83
PID 1652 wrote to memory of 632 | 1652 | 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe | 83
PID 1652 wrote to memory of 632 | 1652 | 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe | 83
PID 632 wrote to memory of 1340 | 632 | vqV84.exe | 84
PID 632 wrote to memory of 1340 | 632 | vqV84.exe | 84
PID 632 wrote to memory of 1340 | 632 | vqV84.exe | 84
PID 1340 wrote to memory of 968 | 1340 | viL62.exe | 85
PID 1340 wrote to memory of 968 | 1340 | viL62.exe | 85
PID 1340 wrote to memory of 968 | 1340 | viL62.exe | 85
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe"
  PID: 1652
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqV84.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqV84.exe
    PID: 632
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\viL62.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\viL62.exe
      PID: 1340
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN02.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN02.exe
        PID: 968
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 665KB
MD5: 0e669d897d6e2fab91bdf4e905a71dc2
SHA1: 79908d1ce0a4099cd1e9fcb3271c0f1a182a1190
SHA256: d590f520bad01600cad362cb60fecbaf9a5d184c7047cf6f83801d1995c11bef
SHA512: 163ffdf4dcb3c1b2256aa04c1d2a9c5483d0d8166ce9aa3a471e3b5c7a542284be86c4dfa38d15bb77c3a640e133f9e6cfb152000f108491683fcc7577c7b5ab

Filesize: 520KB
MD5: 85981e0ba7c6074f36e62f2c9f6ded72
SHA1: cd02b804787df99b842de593b4d975a076bf1494
SHA256: 993ccf68de5e9d141242a51936c9dc14dd99c83b6cd7503d1fd138224f735523
SHA512: f25cafa4baa784fcb22acd382bccea3ce9ea838e59cfca2982eb6461b90af5861279b941091d43d22d18c6c1e28c1a76d601793a253c476157b579db9e04ee4d

Filesize: 305KB
MD5: 2912e4ea81ea3271b0533d672791b1ad
SHA1: b5ef6b062c57da9614baf0faa3270eb6778a940c
SHA256: 171384e592b4da9bac78fbcb0feb4d46de8e302c960ed3464a399bb3c023253c
SHA512: 65be335994bb6bb1bb636001afcefd0d3a1052ef4e863f0613a0ba352e6af62dc469d09cdfc3a559e8e6a2cbebf92cc74cc11b5f39c1cb19cec82f6c77b859a2