Analysis
- max time kernel: 111s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 17:23
Static task: static1
Behavioral task: behavioral1
Sample: 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Resource: win10v2004-20241007-en
General
- Target: 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
- Size: 764KB
- MD5: 92af0a5b9b2347ef6727a4afdc1b3411
- SHA1: 605672f554084e18f54182fd6417ab55a4917e76
- SHA256: bb6472593d0116059f976a544317be720ce932e16a7a6f5244017aeb091f3e90
- SHA512: 15714eddf58713c03c1ac25aeb3951a16f0eda93b7dcf707fada1d63bd4000e3c0d1f5185c7622d91de2d99cb50700e0d15b1ea40c05839f8049d07dc159c679
- SSDEEP: 12288:RMr1y90eBOZx9EADWO06D4TnL83mYJN7O1JyAtzFTLz6olmjBAG0rtsZsPd:cywZx9j6O0kYnL8BfoUAlN/ulA/1Pd
Malware Config
Extracted
- redline
- romik
- 193.233.20.12:4132
- auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 35 IoCs
  resource yara_rule
  behavioral1/memory/3232-22-0x0000000002660000-0x00000000026A6000-memory.dmp family_redline
  behavioral1/memory/3232-24-0x0000000002920000-0x0000000002964000-memory.dmp family_redline
  behavioral1/memory/3232-25-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-40-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-88-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-86-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-84-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-80-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-78-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-77-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-74-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-72-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-70-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-68-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-66-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-64-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-60-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-58-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-56-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-54-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-52-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-50-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-46-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-44-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-42-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-38-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-36-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-34-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-32-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-30-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-28-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-26-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-82-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-62-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
  behavioral1/memory/3232-48-0x0000000002920000-0x000000000295E000-memory.dmp family_redline
- Redline family
- Executes dropped EXE 3 IoCs
  pid Process
  1352 vHP13.exe
  1336 vaK52.exe
  3232 dVU43.exe
- Adds Run key to start application 2 TTPs 3 IoCs
  description ioc Process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vHP13.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vaK52.exe
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description ioc Process
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vaK52.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dVU43.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vHP13.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description pid Process
  Token: SeDebugPrivilege 3232 dVU43.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  description pid Process procid_target
  PID 3920 wrote to memory of 1352 3920 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe 83
  PID 3920 wrote to memory of 1352 3920 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe 83
  PID 3920 wrote to memory of 1352 3920 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe 83
  PID 1352 wrote to memory of 1336 1352 vHP13.exe 84
  PID 1352 wrote to memory of 1336 1352 vHP13.exe 84
  PID 1352 wrote to memory of 1336 1352 vHP13.exe 84
  PID 1336 wrote to memory of 3232 1336 vaK52.exe 85
  PID 1336 wrote to memory of 3232 1336 vaK52.exe 85
  PID 1336 wrote to memory of 3232 1336 vaK52.exe 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe"
   PID: 3920
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
      PID: 1352
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
         PID: 1336
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
            PID: 3232
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 660KB
  MD5: 93860c2c2672eacddfc695b8312650b1
  SHA1: 34cf958777cbfe1668475dded84c535c452979cf
  SHA256: 2cd7da4c69d1511e1113be693474eff0eca51706bccee5ee68fa1a362c7b6b8b
  SHA512: 4c8d1811d355990e4a7ddcf6f4a6cd0e03534a6ebeecc86e31549c7e8cf5fa23de896014cf25c0b730385bd41473c7a15533e763f05d5dad16f1c23c6433038b
- Filesize: 515KB
  MD5: 7ec5066b38d5b604c7fc69b4a631bf4f
  SHA1: ab662c22af32755be901e08ef023113011167767
  SHA256: 763697e0615cd208407ca80dd06aee987f65280ab2a89c2d700ae7cd022f5fa5
  SHA512: 1ce1ddc0eb4b117765ff8909fbf4dd6048a3734c06c2281feb29ee441cb9d4024f0e66154184cd150555534c093482c33890f4e6694db015fcd4ae87814a1830
- Filesize: 296KB
  MD5: b8c8132fcf9800ed3598f7cb2e9a5057
  SHA1: 93f3d94687f59a038d407dae0d80e6a573be1874
  SHA256: d8e83015464713166e2a7580cf8c04d346c72624affc3839ae204093548fd9b4
  SHA512: 3688bcf4cb99717716e34cf6c2607f974e6662ad8c1a980da3bad66b8ae6f7cfa957ea58937f3a1927ccd5844c10fb9566e715869d766b70dbc16dc8c0bec6e6