Analysis

  • max time kernel
    105s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2024, 11:57

General

  • Target

    c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe

  • Size

    479KB

  • MD5

    ad6c0a2eca92c1be9b24ea6032a05b40

  • SHA1

    9aa93878e9585e5e65e02684a8c003358f47b31a

  • SHA256

    c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977

  • SHA512

    7e4961f8eefb3f739838ec4ad43838551d7c5ceafe66d1083893580b5d10bc84fffee4bf8f395a16f366d0249c8d52cf3584061b675d32ac9abd4d1a2df64138

  • SSDEEP

    6144:Kqy+bnr+Xp0yN90QEsxaYDmanepEg1jlp5Lvm4x478WTcWVpGFXlykRLvp06gY/M:SMrHy90cyaYjb5C647He5O6ge9mqU

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe
    "C:\Users\Admin\AppData\Local\Temp\c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7006539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7006539.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9800385.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9800385.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7006539.exe

    Filesize

    307KB

    MD5

    8fd2fb8e2aa9d59ee292f4f1d50fe59e

    SHA1

    29150232b7df2e924044bb42e8515037b4215a82

    SHA256

    8df923c79d202ad78aa79c68cde4b573d15d80c3185faa1e4f7e43fd67dc9a11

    SHA512

    46de686cba2315d5d67fa33645724719238358c792e63f6740be0f4f81be20fc932c56919705557194cc559d3a3df918af08e19636bd2c1abbc3f7c35590df7c

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9800385.exe

    Filesize

    168KB

    MD5

    62e4659314e525d2bb061f2ae25d45d3

    SHA1

    5351fd577590b35c40aec3cd632ba45b026be3b3

    SHA256

    70a1604ae200ab0c62462555d7f09433c0e9af094d707b918bafa2c06ef169ee

    SHA512

    14af0d597f74b0dfcc44b8e56a8a45e2aa35fd497c24fa468b32e10e14fe803b78be1d87638eec3c6f5211815beb78067be4607fc419282f827e318559caba46

  • memory/1624-14-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

    Filesize

    4KB

  • memory/1624-15-0x0000000000310000-0x0000000000340000-memory.dmp

    Filesize

    192KB

  • memory/1624-16-0x0000000004C30000-0x0000000004C36000-memory.dmp

    Filesize

    24KB

  • memory/1624-17-0x00000000053E0000-0x00000000059F8000-memory.dmp

    Filesize

    6.1MB

  • memory/1624-18-0x0000000004ED0000-0x0000000004FDA000-memory.dmp

    Filesize

    1.0MB

  • memory/1624-19-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

    Filesize

    72KB

  • memory/1624-21-0x0000000004E40000-0x0000000004E7C000-memory.dmp

    Filesize

    240KB

  • memory/1624-20-0x0000000073F60000-0x0000000074710000-memory.dmp

    Filesize

    7.7MB

  • memory/1624-22-0x0000000004E80000-0x0000000004ECC000-memory.dmp

    Filesize

    304KB

  • memory/1624-23-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

    Filesize

    4KB

  • memory/1624-24-0x0000000073F60000-0x0000000074710000-memory.dmp

    Filesize

    7.7MB