Analysis
  max time kernel: 105s
  max time network: 114s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/11/2024, 11:57
Static task: static1

Behavioral task: behavioral1
  Sample: c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe
  Resource: win10v2004-20241007-en
General
  Target: c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe
  Size: 479KB
  MD5: ad6c0a2eca92c1be9b24ea6032a05b40
  SHA1: 9aa93878e9585e5e65e02684a8c003358f47b31a
  SHA256: c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977
  SHA512: 7e4961f8eefb3f739838ec4ad43838551d7c5ceafe66d1083893580b5d10bc84fffee4bf8f395a16f366d0249c8d52cf3584061b675d32ac9abd4d1a2df64138
  SSDEEP: 6144:Kqy+bnr+Xp0yN90QEsxaYDmanepEg1jlp5Lvm4x478WTcWVpGFXlykRLvp06gY/M:SMrHy90cyaYjb5C647He5O6ge9mqU
Malware Config
  Extracted
    Family: redline
    Botnet: dumud
    C2: 217.196.96.101:4132
    auth_value: 3e18d4b90418aa3e78d8822e87c62f5c
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023ca4-12.dat | family_redline
  behavioral1/memory/1624-15-0x0000000000310000-0x0000000000340000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
  pid | Process
  2176 | x7006539.exe
  1624 | g9800385.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x7006539.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x7006539.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g9800385.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2304 wrote to memory of 2176 | 2304 | c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe | 82
  PID 2304 wrote to memory of 2176 | 2304 | c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe | 82
  PID 2304 wrote to memory of 2176 | 2304 | c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe | 82
  PID 2176 wrote to memory of 1624 | 2176 | x7006539.exe | 83
  PID 2176 wrote to memory of 1624 | 2176 | x7006539.exe | 83
  PID 2176 wrote to memory of 1624 | 2176 | x7006539.exe | 83
Processes (tree depth shown by indentation)

  [1] C:\Users\Admin\AppData\Local\Temp\c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c48e9141d981e2b282a889aab671a5201927c8d532fb7c82a6e11f7f5ced3977N.exe"
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2304

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7006539.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7006539.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2176

      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9800385.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9800385.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1624
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 307KB
  MD5: 8fd2fb8e2aa9d59ee292f4f1d50fe59e
  SHA1: 29150232b7df2e924044bb42e8515037b4215a82
  SHA256: 8df923c79d202ad78aa79c68cde4b573d15d80c3185faa1e4f7e43fd67dc9a11
  SHA512: 46de686cba2315d5d67fa33645724719238358c792e63f6740be0f4f81be20fc932c56919705557194cc559d3a3df918af08e19636bd2c1abbc3f7c35590df7c

  Filesize: 168KB
  MD5: 62e4659314e525d2bb061f2ae25d45d3
  SHA1: 5351fd577590b35c40aec3cd632ba45b026be3b3
  SHA256: 70a1604ae200ab0c62462555d7f09433c0e9af094d707b918bafa2c06ef169ee
  SHA512: 14af0d597f74b0dfcc44b8e56a8a45e2aa35fd497c24fa468b32e10e14fe803b78be1d87638eec3c6f5211815beb78067be4607fc419282f827e318559caba46