Analysis
max time kernel: 111s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 11:08
Static task: static1
Behavioral task: behavioral1
Sample: 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Resource: win10v2004-20241007-en
General
Target: 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Size: 764KB
MD5: ad92dc1ed912b6d203438b1b033da987
SHA1: a68edb9a4e93c79ac3c99649ac91471c781ef17e
SHA256: 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc
SHA512: 4e9b12e41abc150e88e242cf7294950611f01e3b8f75808def12f826d6e8bb57fda87bd9d995ab94d11d46463fadd9662c2046b8ff63c47895a907713c05b998
SSDEEP: 12288:RMr1y90eBOZx9EADWO06D4TnL83mYJN7O1JyAtzFTLz6olmjBAG0rtsZsPg:cywZx9j6O0kYnL8BfoUAlN/ulA/1Pg
Malware Config
Extracted
redline
romik
193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 3 IoCs
pid  | Process
3172 | vHP13.exe
3528 | vaK52.exe
3504 | dVU43.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vHP13.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vaK52.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vHP13.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vaK52.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dVU43.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3504 | dVU43.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 636 wrote to memory of 3172 | 636 | 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe | 83
PID 636 wrote to memory of 3172 | 636 | 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe | 83
PID 636 wrote to memory of 3172 | 636 | 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe | 83
PID 3172 wrote to memory of 3528 | 3172 | vHP13.exe | 85
PID 3172 wrote to memory of 3528 | 3172 | vHP13.exe | 85
PID 3172 wrote to memory of 3528 | 3172 | vHP13.exe | 85
PID 3528 wrote to memory of 3504 | 3528 | vaK52.exe | 87
PID 3528 wrote to memory of 3504 | 3528 | vaK52.exe | 87
PID 3528 wrote to memory of 3504 | 3528 | vaK52.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 636
2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
   - Executes dropped EXE
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3172
3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
   - Executes dropped EXE
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3528
4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   PID: 3504
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 660KB
MD5: 93860c2c2672eacddfc695b8312650b1
SHA1: 34cf958777cbfe1668475dded84c535c452979cf
SHA256: 2cd7da4c69d1511e1113be693474eff0eca51706bccee5ee68fa1a362c7b6b8b
SHA512: 4c8d1811d355990e4a7ddcf6f4a6cd0e03534a6ebeecc86e31549c7e8cf5fa23de896014cf25c0b730385bd41473c7a15533e763f05d5dad16f1c23c6433038b

Filesize: 515KB
MD5: 7ec5066b38d5b604c7fc69b4a631bf4f
SHA1: ab662c22af32755be901e08ef023113011167767
SHA256: 763697e0615cd208407ca80dd06aee987f65280ab2a89c2d700ae7cd022f5fa5
SHA512: 1ce1ddc0eb4b117765ff8909fbf4dd6048a3734c06c2281feb29ee441cb9d4024f0e66154184cd150555534c093482c33890f4e6694db015fcd4ae87814a1830

Filesize: 296KB
MD5: b8c8132fcf9800ed3598f7cb2e9a5057
SHA1: 93f3d94687f59a038d407dae0d80e6a573be1874
SHA256: d8e83015464713166e2a7580cf8c04d346c72624affc3839ae204093548fd9b4
SHA512: 3688bcf4cb99717716e34cf6c2607f974e6662ad8c1a980da3bad66b8ae6f7cfa957ea58937f3a1927ccd5844c10fb9566e715869d766b70dbc16dc8c0bec6e6