Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 21:20
Static task: static1
Behavioral task: behavioral1
Sample: 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe
Resource: win10v2004-20241007-en
General
- Target: 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe
- Size: 677KB
- MD5: c3142122f921f58ae8924254f5ee12fd
- SHA1: 9ca990a60895be8a23c87fefe429fdd8c36875fb
- SHA256: 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1
- SHA512: 8f4668661f9bfde28f489d6bf0c6c7cecb4b3f2702b42fe3f3c397a6cd646c02065e5637b6d9fc1a031daaf8ef626bd7f547273f38c9b674f2a7f55fe84bfcb7
- SSDEEP: 12288:rMrqy902F157ZSS1ajQgNp6gI3XEgVTsRJYJMN3/f2+2z/:VyNF1pZSQe36x0ghsRJYg32d/
Malware Config
Extracted
- Family: redline
- Botnet: romik
- C2: 193.233.20.12:4132
- auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
Memory-region matches for the family_redline YARA rule in behavioral1 (process 2520).
- Redline family
- Executes dropped EXE (2 IoCs)
  pid  | Process
  2720 | vrW84.exe
  2520 | dTi36.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vrW84.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vrW84.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dTi36.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2520 | dTi36.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1136 wrote to memory of 2720 | 1136 | 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe | 83
  PID 1136 wrote to memory of 2720 | 1136 | 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe | 83
  PID 1136 wrote to memory of 2720 | 1136 | 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe | 83
  PID 2720 wrote to memory of 2520 | 2720 | vrW84.exe | 84
  PID 2720 wrote to memory of 2520 | 2720 | vrW84.exe | 84
  PID 2720 wrote to memory of 2520 | 2720 | vrW84.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe"
   PID: 1136
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe
      PID: 2720
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe
         PID: 2520
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 532KB
  MD5: 3958dd8ac2a8746b927e9ac278aa66fd
  SHA1: c44b9d160613628015256846309f2a6fdf666944
  SHA256: 152d9b91a6b37cbdb0bff999e8e2fdb21c5428a0aea7c8eb5f447c887fd0250c
  SHA512: 3d376334d19f6ed2589cf2e67e85613f1a1ae3ed856318ebe123e005b67b94678d43b4a94c72ae61e2453aea75419a90debc599b8fbfdeb355468a2488277c3e
-
  Filesize: 338KB
  MD5: 24c46754103adc1ecce0a7e177f03bf2
  SHA1: 72f06bb8c21d8da858a16399e2cd86be84f2e987
  SHA256: 0130db5ed9a6d75757e9232d13d56033239b00afc7eeade437f96e377353181c
  SHA512: 55ec531b17b8c7f193f918ff2042b72c18f6e4a081acb6daffdc5801c0083d2fa582e06ca495dcd3c2b624f4b291f2fae61b4364452b45f1c8635d41acb70eef