Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/11/2024, 04:55

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe
Resource: win10v2004-20241007-en
General
Target: 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe
Size: 661KB
MD5: 168ffb57d902e84131e9c6fa58864164
SHA1: 8101c55e5349f17a9f16b8c7ba79d18ba6e4953a
SHA256: 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600
SHA512: a5932dfae85b0cad87fabf2982db3eae2ef4714cb555028149a0c007e1a76dece3a0e35e2f436eb109586ea8ec0172326573ab1021927fdf6c867b0efa64599b
SSDEEP: 12288:7MrDy90yKA2u6MURYyWXmribg7+yo0WwMSbK6oNyXk1gLDNyTiKwp+s:EyouPbg7+ihHog0aZyThxs
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
  resource | yara_rule
  behavioral1/memory/3532-19-0x0000000002780000-0x00000000027C6000-memory.dmp | family_redline
  behavioral1/memory/3532-21-0x00000000053A0000-0x00000000053E4000-memory.dmp | family_redline
  behavioral1/memory/3532-29-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-33-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-86-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-83-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-82-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-79-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-77-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-75-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-73-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-69-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-67-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-65-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-64-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-61-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-59-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-57-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-56-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-51-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-49-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-47-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-45-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-41-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-39-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-37-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-36-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-71-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-53-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-43-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-31-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-27-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-25-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-23-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
  behavioral1/memory/3532-22-0x00000000053A0000-0x00000000053DE000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid | Process
  3692 | vDa05.exe
  3532 | dLT23.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vDa05.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vDa05.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dLT23.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3532 | dLT23.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5084 wrote to memory of 3692 | 5084 | 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe | 83
  PID 5084 wrote to memory of 3692 | 5084 | 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe | 83
  PID 5084 wrote to memory of 3692 | 5084 | 1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe | 83
  PID 3692 wrote to memory of 3532 | 3692 | vDa05.exe | 85
  PID 3692 wrote to memory of 3532 | 3692 | vDa05.exe | 85
  PID 3692 wrote to memory of 3532 | 3692 | vDa05.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1379fe87cb3ca041da91bbb29502d78038ef1ad3043031992cfb3e58c5a57600.exe"
  PID: 5084
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vDa05.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vDa05.exe
    PID: 3692
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLT23.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLT23.exe
      PID: 3532
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 516KB
  MD5: d1a9779f3849be97f602613c3437b6de
  SHA1: 7f46f5fe2a5bc68cf6c60f0f74d4aed852ff3578
  SHA256: 82137a5873220c2f6118fb9eb3b7dac5afe742bcd32038ba1a35e99e9b926276
  SHA512: ec879e1a3389ab56edafc4e7e2a918427ffe004bf14b67a0bb9152601dd5ad62c65b23d869bf3d1bb2f6010bf1bf2aed5f99474e706a64acf54f7528abcb4d0f
- Filesize: 297KB
  MD5: 4e5f11ab053ba84afdb53d293e3f0451
  SHA1: 0b1943f24b6beb1b6c5244655ef6931b79e476f8
  SHA256: 51b6d7f9d900542f8c4329503c112c27a51be10e817762f732db63d6553831df
  SHA512: 02b0bacc7c76e151794ae77c59bb1be3cb522f2694eda553b6bfcfddb4a6732e27799e6cb80ef378dc732bdf64fd787c0ab71a2cd043af6c685c36fc5adb8549