Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03/12/2022, 06:45
Static task
static1
Behavioral task
behavioral1
Sample
SoftwareSetupFile.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SoftwareSetupFile.exe
Resource
win10v2004-20220901-en
General
-
Target
SoftwareSetupFile.exe
-
Size
2.5MB
-
MD5
7106bab16ae64b7f9bed1b90a2bbf03f
-
SHA1
ac6fae9627cf58654bc167bd63432111be9fd71e
-
SHA256
2a0e09e83a2f7198f6a9595d957dfcf0dcdf86a1c65ef4211c50eb15dd4ad598
-
SHA512
01cc49a5e6df8c6dfe197d4b638e60313b11f0efb016be29c457dc00ea5690c8d047c56cbff9f0c4a4a9c1b1b135dd2f7d2ccf4ca53856d398444d47368176e5
-
SSDEEP
24576:pI3cT50k2PYbtJcLQ/KpE2lcpZCyphghPUuZLxNjcFttg7qFCMSrOfBFJm4kazYc:E3qCs/AE2lhhsa1N8/FKeFJm4vAKjv
Malware Config
Extracted
redline
jiguli2
78.47.191.142:63772
-
auth_value
8885b314866def6ca43d3df3c4c20819
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1800-136-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4848 set thread context of 1800 4848 SoftwareSetupFile.exe 89 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe 4848 SoftwareSetupFile.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4848 SoftwareSetupFile.exe Token: SeDebugPrivilege 1800 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4848 wrote to memory of 4368 4848 SoftwareSetupFile.exe 88 PID 4848 wrote to memory of 4368 4848 SoftwareSetupFile.exe 88 PID 4848 wrote to memory of 4368 4848 SoftwareSetupFile.exe 88 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89 PID 4848 wrote to memory of 1800 4848 SoftwareSetupFile.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe"C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe2⤵PID:4368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800
-