Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/11/2024, 02:04
Static task: static1
Behavioral task: behavioral1
Sample: bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe
Resource: win10v2004-20241007-en
General
Target: bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe
Size: 656KB
MD5: b84479d71308186489a5d49af94b472c
SHA1: db220f7dc8091658e8e8586978f6fbc8e56b63b6
SHA256: bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3
SHA512: 4b45d038cddf43de688957ea532f049c757ff0e1a7ad72cbc3101e7569c3af58d5f804e2851dd8bcce54d0c57068f76d9b107ffc2c2ba4dcb4569302dc28d7ff
SSDEEP: 12288:nMrVy90M6zVTI7iRtep2E7j0nsmncnDYev7TQV9qZR6ppSYm:SyKzVTjfvE7j0nsmmDDv7M3qZROpSYm
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
Attributes
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
resource  yara_rule
behavioral1/memory/736-19-0x0000000004D80000-0x0000000004DC6000-memory.dmp  family_redline
behavioral1/memory/736-21-0x00000000053E0000-0x0000000005424000-memory.dmp  family_redline
behavioral1/memory/736-85-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-83-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-25-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-81-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-79-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-78-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-75-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-73-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-72-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-69-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-67-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-66-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-61-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-59-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-57-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-55-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-54-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-51-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-49-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-48-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-45-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-43-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-42-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-39-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-35-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-33-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-31-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-29-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-28-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-23-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-63-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-37-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
behavioral1/memory/736-22-0x00000000053E0000-0x000000000541E000-memory.dmp  family_redline
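All 35 dump IoCs above come from one process (PID 736) and almost all name the same address range, so the count overstates how much memory fired. The script below is an added example, not part of the tria.ge report: it parses the dump names, groups them by exact region and then merges overlapping regions per PID. The `<task>/memory/<pid>-<index>-<start>-<end>-memory.dmp` layout is inferred from the names above, and the function names are this example's own.

```python
"""Collapse tria.ge memory-dump IoCs into the distinct memory regions they cover.

Added example, not part of the original report. The 35 dump names in IOCS are
copied from the "RedLine payload" signature (every one matched family_redline);
the name layout <task>/memory/<pid>-<index>-<start>-<end>-memory.dmp is assumed
from those names.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the report; the 33 identical-range dumps are generated from their indices.
IOCS = [
    "behavioral1/memory/736-19-0x0000000004D80000-0x0000000004DC6000-memory.dmp",
    "behavioral1/memory/736-21-0x00000000053E0000-0x0000000005424000-memory.dmp",
] + [
    f"behavioral1/memory/736-{i}-0x00000000053E0000-0x000000000541E000-memory.dmp"
    for i in (22, 23, 25, 28, 29, 31, 33, 35, 37, 39, 42, 43, 45, 48, 49, 51, 54,
              55, 57, 59, 61, 63, 66, 67, 69, 72, 73, 75, 78, 79, 81, 83, 85)
]


def parse_dump(name):
    """Split one dump name into its fields; reject anything that is not a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump IoC: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"task": m["task"], "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def regions(iocs):
    """Group dumps by exact (pid, start, end); repeated hits on one region collapse."""
    hits = defaultdict(list)
    for name in iocs:
        d = parse_dump(name)
        hits[(d["pid"], d["start"], d["end"])].append(d["idx"])
    return [{"pid": pid, "start": s, "end": e, "size": e - s, "hits": sorted(idx)}
            for (pid, s, e), idx in sorted(hits.items())]


def footprints(iocs):
    """Merge overlapping regions per PID into the distinct areas of memory that fired."""
    merged = []
    for r in regions(iocs):  # already sorted by (pid, start, end)
        last = merged[-1] if merged else None
        if last and last["pid"] == r["pid"] and r["start"] <= last["end"]:
            last["end"] = max(last["end"], r["end"])
            last["hits"] += len(r["hits"])
        else:
            merged.append({"pid": r["pid"], "start": r["start"], "end": r["end"],
                           "hits": len(r["hits"])})
    for f in merged:
        f["size"] = f["end"] - f["start"]
    return merged


if __name__ == "__main__":
    for f in footprints(IOCS):
        print(f"pid {f['pid']}: 0x{f['start']:X}-0x{f['end']:X} "
              f"({f['size'] // 1024} KiB, {f['hits']} dumps)")
```

Run as written it reports two footprints in PID 736: 0x4D80000-0x4DC6000 (280 KiB, one dump) and 0x53E0000-0x5424000 (272 KiB, 34 dumps), the second being the region that was re-dumped as the heap grew by 0x6000 bytes between dump 21 and the rest.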
Redline family
Executes dropped EXE 2 IoCs
pid   Process
3940  vxo97.exe
736   dJx19.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  vxo97.exe
Note: both values are the standard cleanup entries that the IExpress self-extractor (wextract) writes so that its IXP00n.TMP staging directory is deleted at the next logon. They show that the sample and vxo97.exe are each an IExpress wrapper around the next stage; they are not persistence for the RedLine payload, which does not survive a reboot through these keys.
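The two RunOnce writes above are easy to mistake for persistence when triaging a report in bulk. The classifier below is an added example, not part of the tria.ge report or of any detection the service ships: it parses "Set value" IoC lines in the layout shown above, unescapes the data, and accepts an entry as a wextract cleanup artifact only if the value lives under RunOnce, is named wextract_cleanupN, and invokes advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory. The two real lines are copied from the report; the third line, the value name "Updater" and the process name "example.exe" are constructed so the classifier has something to reject.

```python
"""Tell IExpress (wextract) RunOnce cleanup entries apart from Run-key persistence.

Added example, not part of the original report. The first two SAMPLE_IOCS lines
are copied from the "Adds Run key" signature; the third is constructed. The IoC
line layout, and the regexes that encode it, are assumptions of this example.
"""
import re

# Report line: Set value (<type>) \REGISTRY\...\<Key>\<ValueName> = "<escaped data>" <process>
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$'
)
# What wextract.exe writes so its IXP00n.TMP staging directory is deleted at next logon.
WEXTRACT_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\Windows\\system32\\)?advpack\.dll,'
    r'DelNodeRunDLL32\s+"(?P<path>[^"]+)"$', re.IGNORECASE,
)
IXP_DIR_RE = re.compile(r'\\Temp\\IXP\d{3}\.TMP\\?$', re.IGNORECASE)

SAMPLE_IOCS = [
    # copied from the report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vxo97.exe',
    # constructed for illustration; not observed in this report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\" /silent" example.exe',
]


def parse_ioc(line):
    """Split one 'Set value' IoC line into key, value name, data and writing process."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line[:60]!r}")
    d = m.groupdict()
    d["data"] = re.sub(r"\\(.)", r"\1", d["data"])  # undo the report's \\ and \" escaping
    return d


def classify(ioc):
    """'wextract-cleanup' for the self-extractor's own RunOnce entry, else 'persistence-candidate'."""
    key_leaf = ioc["key"].rsplit("\\", 1)[-1].lower()
    cmd = WEXTRACT_RE.match(ioc["data"])
    if (key_leaf == "runonce"
            and ioc["name"].lower().startswith("wextract_cleanup")
            and cmd and IXP_DIR_RE.search(cmd["path"])):
        return "wextract-cleanup"
    return "persistence-candidate"


def triage(lines):
    """Return (value name, writing process, verdict, detail) for every line.

    detail is the directory scheduled for deletion for cleanup entries and the
    unescaped command data for everything else.
    """
    out = []
    for line in lines:
        ioc = parse_ioc(line)
        verdict = classify(ioc)
        detail = (WEXTRACT_RE.match(ioc["data"])["path"]
                  if verdict == "wextract-cleanup" else ioc["data"])
        out.append((ioc["name"], ioc["proc"], verdict, detail))
    return out


if __name__ == "__main__":
    for name, proc, verdict, detail in triage(SAMPLE_IOCS):
        print(f"{verdict:22} {name:18} by {proc}: {detail}")
```

All three conditions are needed: an attacker can name a Run value wextract_cleanup0 or call advpack.dll from a RunOnce value, but only the combination of RunOnce, that value name, and DelNodeRunDLL32 on an IXPnnn.TMP path is what wextract itself produces. Anything else under Run or RunOnce stays a persistence candidate for a human to look at.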
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vxo97.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dJx19.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  736  dJx19.exe
Suspicious use of WriteProcessMemory 6 IoCs
description  pid  Process  procid_target
PID 3912 wrote to memory of 3940  3912  bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe  83
PID 3912 wrote to memory of 3940  3912  bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe  83
PID 3912 wrote to memory of 3940  3912  bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe  83
PID 3940 wrote to memory of 736  3940  vxo97.exe  84
PID 3940 wrote to memory of 736  3940  vxo97.exe  84
PID 3940 wrote to memory of 736  3940  vxo97.exe  84
Note: every write goes from a parent into the child it has just started (3912 to 3940, 3940 to 736), matching the process tree below; this is the memory setup that accompanies plain process creation. No write into a process outside that chain appears in this report, so the RedLine payload runs in dJx19.exe itself (PID 736, where the memory dumps and the SeDebugPrivilege request are) rather than being injected elsewhere.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bba58d9aaa6140d48022c0ce88b88b614546c4fdc539ad49a8a8d71ee1cb31e3.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3912
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxo97.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxo97.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3940
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJx19.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dJx19.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 736
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 511KB
MD5: 71f0465622cefe2141bcce9124d1a5a6
SHA1: f6efeb107767f53318c908465efa29a6c66d94d6
SHA256: 5d1970e5b2769f40c6d938403e35d83872171ca4248fda77e5db021b93a23bf7
SHA512: 39ecdc02c4ff15b9d9c514d9f2ff3f17358a658d5e439f544ba7abf0797ce929f38be936f1c5c751ce756fb18618cf3a0cbdf530eee758875c767d55214e47c6

Filesize: 287KB
MD5: d8188b6e91a330ef924426abe7f1f9f8
SHA1: 980dad68e6d92724d8f3762ee094943390ed444a
SHA256: b45b88fca18a6ca918d989de54ef418f9c4bc147df9c88f7d10fe8b85962f227
SHA512: 71e78e3d5ea8c1607c508ba8baa40ee66776530c452fd73e7fdbe30c6d0a738d28f9ddfb5f6cd8d6c8a9eabb3ebe9aa4aef269779b3b77cd908911e3ddcfb5b4