Analysis
max time kernel: 141s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/02/2024, 18:34
Static task
static1
General
Target: Easy_L0ader.rar
Size: 35.7MB
MD5: 8e4cbe4e5ecabd01fa483dca6ec16537
SHA1: 9307be3b07f992965dc430aaedd78ca6bbf2f33e
SHA256: 970c25a64e64286009cec1758ea21643f2327361b66262768489cc9a77c9d6bd
SHA512: 7407adb0765c5e2a75ef0a8d8a9f5c51d69cd50315f7a49d9334e325cc57e2b9e58ab79a1f8c4b401767c32c95c4dbd824a5f07291db72151b5fffa3be88ceab
SSDEEP: 786432:KUnIK3Yvyn+3tF52WjM3QEgCjI4PqNwp/7Nm5bUKVrGc9Cn2AT78vi:FnIKOynEt2aOIrY/7SbPVrGck2A78K
Malware Config
Extracted
Family: redline
Botnet: @l0rd667
C2: 45.15.156.167:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral1/memory/32-21-0x0000000000400000-0x0000000000454000-memory.dmp (image region of PID 32, RegAsm.exe)
yara_rule: family_redline
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation (process: cmd.exe, PID 4516)
Executes dropped EXE (1 IoC)
PID 2980: loa_der.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
PID 2980 (loa_der.exe) set the thread context of PID 32 (RegAsm.exe, procid_target 90). Together with the eight WriteProcessMemory calls from 2980 into 32 recorded under "Suspicious use of WriteProcessMemory", this is the process-hollowing step that places the RedLine payload inside RegAsm.exe, a signed .NET Framework utility; the family_redline YARA hit on the 0x400000 region of PID 32 confirms the injected image.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (process: taskmgr.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)
All three reads are attributed to taskmgr.exe (PID 3408), not to loa_der.exe or RegAsm.exe, so in this run they reflect Task Manager reading the disk's friendly name rather than an evasion check by the sample.
Modifies registry class (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings (process: cmd.exe)
Key created: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings (process: taskmgr.exe)
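The three registry signatures above (geofence lookup, SCSI disk identity, registry class) are the kind of rows an analyst triages by asking "which process did it, and is that process the sample?". The following is an added example, not code from the tria.ge report or from RedLine: it parses the six registry IoC rows copied from the report, classifies each key with this example's own patterns, pulls the vendor/product strings out of the SCSI enum key, and groups the hits by process. The virtualisation marker list is an assumption of the example.

```python
"""Classify the registry lookups listed in the report's signatures.

Added example, not part of the tria.ge report. The six rows below are copied
from the "Checks computer location settings", "Checks SCSI registry key(s)"
and "Modifies registry class" signatures; the category patterns and the list
of virtualisation vendor strings are this example's own heuristics.
"""
import re

REG_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings cmd.exe
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings taskmgr.exe
"""

# One row per line: "<action> <key with spaces> <image name>".
ROW_RE = re.compile(r"^(Key value queried|Key opened|Key created) (\\REGISTRY\\.*?) (\S+\.exe)$", re.M)
DISK_RE = re.compile(r"Disk&Ven_([^&\\]+)&Prod_([^&\\]+)", re.I)

# Assumed: disk vendor/product substrings that give away a hypervisor.
VIRTUAL_MARKERS = ("VBOX", "VMWARE", "VIRTUAL", "QEMU", "XEN")


def parse_registry_rows(text):
    """Split the signature rows into (action, key, process) records."""
    return [{"action": a, "key": k, "process": p} for a, k, p in ROW_RE.findall(text)]


def classify(row):
    """Assign a coarse category to a registry key (example's own heuristics)."""
    key = row["key"].lower()
    if key.endswith(r"\control panel\international\geo\nation"):
        return "geofence_lookup"          # country code used to skip victims in some regions
    if r"\enum\scsi\disk&ven_" in key:
        return "disk_identity_lookup"     # disk vendor/product strings, a classic sandbox tell
    if key.endswith(r"_classes\local settings"):
        return "shell_classes_cache"      # routine shell/UI activity, low signal on its own
    return "other"


def disk_identity(key):
    """Return (vendor, product) from an Enum\\SCSI disk key, or None."""
    m = DISK_RE.search(key)
    return (m.group(1), m.group(2)) if m else None


def looks_virtual(vendor, product):
    """True when the disk identity contains a known hypervisor marker."""
    text = f"{vendor} {product}".upper()
    return any(marker in text for marker in VIRTUAL_MARKERS)


def summarize(text):
    """Map each category to the set of processes that performed it."""
    summary = {}
    for row in parse_registry_rows(text):
        summary.setdefault(classify(row), set()).add(row["process"])
    return summary


if __name__ == "__main__":
    for row in parse_registry_rows(REG_ROWS):
        cat = classify(row)
        disk = disk_identity(row["key"])
        extra = f" disk={disk} virtual={looks_virtual(*disk)}" if disk else ""
        print(f"{cat:22} {row['process']:12} {row['action']}{extra}")
    print(summarize(REG_ROWS))
```

Run against the report's rows, the summary attributes every disk-identity lookup to taskmgr.exe and the geofence lookup to cmd.exe; neither loa_der.exe nor RegAsm.exe appears, which is the check that keeps these signatures from being read as evasion by the sample. The sandbox's disk reports as vendor DADY, product HARDDISK, which matches none of the common hypervisor strings.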
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 entries from three processes: 7zFM.exe (PID 3236), taskmgr.exe (PID 3408) and RegAsm.exe (PID 32). The large majority are taskmgr.exe, which enumerates processes by design; the RegAsm.exe entries are the injected RedLine payload enumerating processes.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 3236: 7zFM.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Token SeRestorePrivilege: 3236 7zFM.exe
Token 35: 3236 7zFM.exe
Token SeSecurityPrivilege: 3236 7zFM.exe
Token SeDebugPrivilege: 32 RegAsm.exe
Token SeDebugPrivilege: 3408 taskmgr.exe
Token SeSystemProfilePrivilege: 3408 taskmgr.exe
Token SeCreateGlobalPrivilege: 3408 taskmgr.exe
Token 33: 3408 taskmgr.exe
Token SeIncBasePriorityPrivilege: 3408 taskmgr.exe
Of these, the SeDebugPrivilege enable by RegAsm.exe (PID 32) is the one attributable to the sample; the remaining entries belong to 7-Zip and Task Manager.
Suspicious use of FindShellTrayWindow (64 IoCs)
64 entries from 7zFM.exe (PID 3236) and taskmgr.exe (PID 3408); all but the first two are taskmgr.exe.

Suspicious use of SendNotifyMessage (64 IoCs)
64 entries, all taskmgr.exe (PID 3408).
Suspicious use of WriteProcessMemory (13 IoCs)
PID 4516 (cmd.exe) wrote to memory of 3236 (7zFM.exe), procid_target 86: 2 times
PID 3236 (7zFM.exe) wrote to memory of 2980 (loa_der.exe), procid_target 88: 3 times
PID 2980 (loa_der.exe) wrote to memory of 32 (RegAsm.exe), procid_target 90: 8 times
The first two rows are a parent writing into a child it has just created, which happens at every process creation in this tree. The eight writes from loa_der.exe into RegAsm.exe, paired with the SetThreadContext call on the same target, are the injection.
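The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the launch chain and to single out the injection step from the routine parent-to-child writes. The following is an added example, not code from the tria.ge report or from RedLine: it parses the row text copied from the two signatures, uses the PID-to-name map from the Processes section, reconstructs the chain, and flags a process that both wrote into another and reset its thread context. The hollowing heuristic and the list of .NET host binaries are this example's own assumptions.

```python
"""Rebuild the process/injection chain from the report's signature rows.

Added example, not part of the tria.ge report or of RedLine itself. The row
text is copied from the report's "Suspicious use of WriteProcessMemory" and
"Suspicious use of SetThreadContext" signatures and the PID-to-name map from
its Processes section; the hollowing heuristic and the list of .NET host
binaries are this example's own assumptions.
"""
import re
from collections import Counter

# Rows copied from the report: "PID <src> wrote to memory of <dst> <src> <name> <procid_target>".
WPM_ROWS = (
    "PID 4516 wrote to memory of 3236 4516 cmd.exe 86 "
    "PID 4516 wrote to memory of 3236 4516 cmd.exe 86 "
    "PID 3236 wrote to memory of 2980 3236 7zFM.exe 88 "
    "PID 3236 wrote to memory of 2980 3236 7zFM.exe 88 "
    "PID 3236 wrote to memory of 2980 3236 7zFM.exe 88 "
    + "PID 2980 wrote to memory of 32 2980 loa_der.exe 90 " * 8  # the report lists this row 8 times
)
STC_ROWS = "PID 2980 set thread context of 32 2980 loa_der.exe 90"

# PID -> image name, taken from the report's Processes section.
PROCESS_NAMES = {4516: "cmd.exe", 3236: "7zFM.exe", 2980: "loa_der.exe",
                 32: "RegAsm.exe", 3408: "taskmgr.exe", 1280: "rundll32.exe"}

# Assumed list of signed .NET Framework binaries that loaders commonly hollow.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")


def parse_rows(text, pattern):
    """Count (src_pid, src_name, dst_pid) triples matched by `pattern`."""
    counts = Counter()
    for m in pattern.finditer(text):
        counts[(int(m.group(1)), m.group(3), int(m.group(2)))] += 1
    return counts


def build_chains(edges, names):
    """Follow write edges from roots (writers nobody wrote into) down to leaves."""
    children = {}
    for src, _, dst in edges:
        children.setdefault(src, set()).add(dst)
    targets = {dst for _, _, dst in edges}
    chains = []

    def walk(pid, path):
        path = path + [f"{names.get(pid, '?')} ({pid})"]
        kids = sorted(children.get(pid, ()))
        if not kids:
            chains.append(" -> ".join(path))
        for kid in kids:
            walk(kid, path)

    for root in sorted(p for p in children if p not in targets):
        walk(root, [])
    return chains


def find_hollowing(wpm, stc, names):
    """Flag pairs where a process both wrote into another and reset its thread context."""
    hits = []
    for (src, src_name, dst), ctx_sets in stc.items():
        writes = sum(n for (s, _, d), n in wpm.items() if (s, d) == (src, dst))
        if writes == 0:
            continue
        target = names.get(dst, "?")
        hits.append({
            "injector": f"{src_name} ({src})",
            "target": f"{target} ({dst})",
            "writes": writes,
            "context_sets": ctx_sets,
            "dotnet_host": target.lower() in DOTNET_HOSTS,
        })
    return hits


if __name__ == "__main__":
    wpm = parse_rows(WPM_ROWS, WPM_RE)
    stc = parse_rows(STC_ROWS, STC_RE)
    for chain in build_chains(wpm, PROCESS_NAMES):
        print("chain:", chain)
    for hit in find_hollowing(wpm, stc, PROCESS_NAMES):
        print("hollowing:", hit)
```

The chain comes out as cmd.exe (4516) -> 7zFM.exe (3236) -> loa_der.exe (2980) -> RegAsm.exe (32), and only the last edge carries a SetThreadContext, so only loa_der.exe -> RegAsm.exe is reported as hollowing. A detection built on WriteProcessMemory alone would fire on the two benign edges as well; the thread-context reset on a freshly created, signed .NET host is the discriminating signal.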
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Easy_L0ader.rar
  PID: 4516
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Program Files\7-Zip\7zFM.exe
    command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Easy_L0ader.rar"
    PID: 3236
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zO4ACA9887\loa_der.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7zO4ACA9887\loa_der.exe"
      PID: 2980
      (the 7zO... folder is where 7-Zip File Manager extracts a file that is opened directly from the archive view, which is why 7zFM.exe is the parent)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 32
        (32-bit .NET Framework host hollowed by loa_der.exe; the RedLine YARA hit is on this process's memory)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3408
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1280
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 483KB
MD5: 177965a39c0b1efe801563768221b1aa
SHA1: 09c663a6ab38bfdc61e0a9f7c361fe4d03a525d7
SHA256: 1fb32b18b838f3b596d64cf41ce12afd58c031cb05cf1b5fc5b5bd26aaa862cf
SHA512: d26f2dba58a655fa183ed942ff0b0f5f7e516c0acb3e9d1f6e531795cab4a77bdc8cc434f0182a051a22652c3cdef8190521e572324cc104d04d6ab8162a91df