Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: 035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
Resource: win10v2004-20241007-en
General
Target: 035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
Size: 836KB
MD5: 51fb4da3668fe02eee63b050dc363b65
SHA1: 5fa940c5d29ac74bf5db9a7806983360472dfea4
SHA256: 035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc
SHA512: ace1a4c919144f58589da9c85de8194ea8d6836bdb5a69e0dde08af708fdb721d4fa0338cebf67d745ec2a5628b6c84c504ea9b3b03d63e77f680b0d788aab89
SSDEEP: 12288:ZMroy90xBBMUu+Byp61FDO21Qb4h1+2+QV4bRyBblvoxetQwPDQbuvo/SjF9Y98Y:JyJdP01Fj1V+2+QWl0aeK22/SjF9o5
Malware Config
Extracted
redline
romik
193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
Redline family

Executes dropped EXE 3 IoCs
pid   Process
4400  vOq28.exe
5000  vRo37.exe
4608  dWB40.exe
Adds Run key to start application 2 TTPs 3 IoCs
description      ioc                                                                                                                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  vOq28.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  vRo37.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vOq28.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vRo37.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dWB40.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege  4608  dWB40.exe
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process                                                                 procid_target
PID 1116 wrote to memory of 4400  1116  035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe  83
PID 1116 wrote to memory of 4400  1116  035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe  83
PID 1116 wrote to memory of 4400  1116  035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe  83
PID 4400 wrote to memory of 5000  4400  vOq28.exe                                                               85
PID 4400 wrote to memory of 5000  4400  vOq28.exe                                                               85
PID 4400 wrote to memory of 5000  4400  vOq28.exe                                                               85
PID 5000 wrote to memory of 4608  5000  vRo37.exe                                                               87
PID 5000 wrote to memory of 4608  5000  vRo37.exe                                                               87
PID 5000 wrote to memory of 4608  5000  vRo37.exe                                                               87
Processes
[1] C:\Users\Admin\AppData\Local\Temp\035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe"
    PID: 1116
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOq28.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOq28.exe
      PID: 4400
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRo37.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRo37.exe
        PID: 5000
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWB40.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWB40.exe
          PID: 4608
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 732KB
MD5: 5f4fe8abf621dd67f321f8fa92a1862f
SHA1: 899ec15e84d0e47aa1013dda775ad3c4baf1b8e8
SHA256: 694f7303a14f116babe76061e36b613f792c36f43f906c58dce5243836b52d42
SHA512: 263f280e50a4797ed77f4fbc430882add8d40d51d59f8dd1174189471357c6d936e70e02b19212acec011dba3427c0540a9697f98c332cf31a3783ee004502f4

Filesize: 588KB
MD5: 2599cbb69aacf9ab17772707ce9ec480
SHA1: 9e16c4648857e63cdeb8458f2cea984a412fa4ca
SHA256: 9140d27c6134bf374f9ef6242ad2a3f9c18c7bd98eb6418bf4f02426e3354176
SHA512: 4cd6df855b000503f85d89ee6736db17414504f3b07579f7ef228469eea61c2d81ad4428ca4a6af7ab5728f2a521b320f479c329239e78c23c922a06ae3bc155

Filesize: 479KB
MD5: 285075759e1fdcae6a0deb572b9f2deb
SHA1: 8ba0efce7c3edce13cd2cda3c250fe4f7c90ff7b
SHA256: b5bdf2dbf6d46257447f8b9633c4b3c1905171c0ca9e6a8c1954a92accbb00c1
SHA512: 54338da73f8e569a9d450ac4092d385488103da32cdfddea13d0a92c847d197584683b26a21c5fa37625ce01220717ea34d8b4da4cd3a026e15b77ef23771f02