Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 10:32
Static task: static1
Behavioral task: behavioral1
Sample: f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe
Resource: win10v2004-20241007-en
General
- Target: f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe
- Size: 838KB
- MD5: 2d54822bef361a60742d22bee4f0f8e2
- SHA1: c9100ec23ec72c9ed65aacf39c2bed2d8a9958db
- SHA256: f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda
- SHA512: 22e1bd64e7acc3de90133a0656e3ef0afd78842e0cf22fccede5464d0ac813964826f2ad13271e5b7fdabf97c465b4b0ec15d6e74dfd961c40434f74817d5900
- SSDEEP: 24576:hyvwbMhw3dVIT0DUhCQItLUhFjnCx4AF6H:UvwGw3dOfxItLUhFj04C
Malware Config
Extracted
- family: redline
- botnet: romik
- C2: 193.233.20.12:4132
- auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
  resource | yara_rule
  behavioral1/memory/4880-23-0x0000000002300000-0x0000000002346000-memory.dmp | family_redline
  behavioral1/memory/4880-25-0x0000000002790000-0x00000000027D4000-memory.dmp | family_redline
  behavioral1/memory/4880-29-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-45-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-89-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-87-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-85-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-83-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-81-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-79-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-77-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-75-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-71-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-69-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-67-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-65-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-63-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-61-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-59-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-57-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-55-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-53-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-51-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-49-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-43-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-41-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-39-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-37-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-35-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-33-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-31-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-73-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-47-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-27-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
  behavioral1/memory/4880-26-0x0000000002790000-0x00000000027CE000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  pid | Process
  2120 | vOm27.exe
  1988 | vPa35.exe
  4880 | dbx59.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vPa35.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vOm27.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vOm27.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vPa35.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbx59.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4880 | dbx59.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4808 wrote to memory of 2120 | 4808 | f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe | 83
  PID 4808 wrote to memory of 2120 | 4808 | f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe | 83
  PID 4808 wrote to memory of 2120 | 4808 | f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe | 83
  PID 2120 wrote to memory of 1988 | 2120 | vOm27.exe | 84
  PID 2120 wrote to memory of 1988 | 2120 | vOm27.exe | 84
  PID 2120 wrote to memory of 1988 | 2120 | vOm27.exe | 84
  PID 1988 wrote to memory of 4880 | 1988 | vPa35.exe | 87
  PID 1988 wrote to memory of 4880 | 1988 | vPa35.exe | 87
  PID 1988 wrote to memory of 4880 | 1988 | vPa35.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f18cfa4ee22d8f95e6b272fd14647b81d2995b13d01ab564b6bc6052eb4d4bda.exe"
   PID: 4808
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOm27.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOm27.exe
      PID: 2120
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vPa35.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vPa35.exe
         PID: 1988
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbx59.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbx59.exe
            PID: 4880
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 734KB
  MD5: 042ec4b789a0227f058a43c6bd155d79
  SHA1: ab6b4ed41a1874b488da0c54fcd068561fcd80a6
  SHA256: 107b017c9a17492f7f3041174ff12c0c75ce74fbeed8a8c806006584a66270fd
  SHA512: 2311d1df3bd29aa6201f708a9e24994781915a6c85758f6fa1961a7037b5fe4b3f97bb498d0b9a4b70e8fad930e290d5b205e0ccca3b9330d870ec660d3bf6ac
- Filesize: 589KB
  MD5: bbc12c9305e31ee9a75280e9d8e142ff
  SHA1: efa29918a949e5f44ff82c777d6a3abac6e27b6f
  SHA256: 4a5d2cac01aec049bb73821596b3616a8856e70720cf1cd7945eecd5f50be0e2
  SHA512: c72d5e7bc22f382db9c0c71598e293cdc0ca9be3cc99c09a6b851f311fe8410d35b957e7bff70ccf8c7ee1d60a44e7942b8366401bf9bc61dd10a3b3e81b35c7
- Filesize: 485KB
  MD5: b6bb42f4aa9721285b43a6adc19072b5
  SHA1: dedc3f102b1fe01f7dbf458b93d0515e8ea23031
  SHA256: 75ca46cc315ec8fa53a488a1508573649f03ee7668568b6dcac411811addac59
  SHA512: effa55712327b441c34025ecd2ea095aef7d6dbcb09de5891b2a4a1ee29af89a5827ba02ffb57bd77c6c680e8eca906ea68ecdd7f94fa6752dddadbcc20d8e64