Analysis
max time kernel: 125s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2023, 20:36
Static task
static1: 1 signature

Behavioral task
behavioral1: Sample Setup.exe, Resource win7-20231023-en, 7 signatures, 150 seconds

Behavioral task
behavioral2: Sample Setup.exe, Resource win10v2004-20231020-en, 7 signatures, 150 seconds
General
Target: Setup.exe
Size: 7.1MB
MD5: 655c9ab59afafdcc3c3ea06fe256c716
SHA1: f9689d55005562013f98fbbc9cbb92d2c6016033
SHA256: ed53c20f0d55834a573d7303e9ed64242568ae139b06cdbcac9bd173d0d23c0a
SHA512: a563a21f1266566a7b85de12912a9fb69ef8c602c73764632a745fae7407de5f876c30ca7b21864488f089fee32c3418d36590e0e631835085bc8563762366c5
SSDEEP: 49152:q7Nx5ZBZQgqykOKQrb/TvvO90d7HjmAFd4A64nsfJIkLPXdsvn30By+GaF9lhLQT:LgqeKxPXco3/Xxt1EF+CqLj4Vv
Score: 10/10
Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/1064-5-0x0000000001330000-0x000000000138A000-memory.dmp
yara_rule: family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
description: PID 2828 set thread context of 1064; pid: 2828; Process: Setup.exe; procid_target: 94

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid: 1064; Process: jsc.exe (same entry recorded 6 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege; pid: 1064; Process: jsc.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description: PID 2828 wrote to memory of 1064; pid: 2828; Process: Setup.exe; procid_target: 94 (same entry recorded 5 times)
Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 2828
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (child process)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    PID: 1064
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken