Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
19/04/2024, 03:27
Static task
static1
Behavioral task
behavioral1
Sample
4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
Resource
win10v2004-20240412-en
General
-
Target
4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe
-
Size
1.8MB
-
MD5
b744a970020e1fdbae5c7763f30ed604
-
SHA1
5235946db0eafb6079f016a15e8e2c5f7cae432d
-
SHA256
4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3
-
SHA512
9df5a75b117cb8bfc62a32af0fba5ded8b259df2f4bc3309cf5a160a3cbae56a0113fe42bc4c1a1bfc197d8b3ee1a5fd4ecc77dbafc124d47191160c02a407c6
-
SSDEEP
24576:YlHbqU3MRKGTZgqCrSikD/HO0yJHYUHRbNxmindZM/Tg24PPH9F7F7OH0R0o8ocX:Yl7rAhCrSD/HOjJ4yROinAgPTEHW0o8
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
Traffic
b-stamps.gl.at.ply.gg:30946
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x00090000000233f1-35.dat family_redline behavioral1/memory/3936-49-0x0000000000710000-0x000000000072E000-memory.dmp family_redline -
SectopRAT payload 2 IoCs
resource yara_rule behavioral1/files/0x00090000000233f1-35.dat family_sectoprat behavioral1/memory/3936-49-0x0000000000710000-0x000000000072E000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrosha.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 52 3928 rundll32.exe 53 4696 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrosha.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation chrosha.exe -
Executes dropped EXE 2 IoCs
pid Process 3224 chrosha.exe 3936 build12.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Wine 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe Key opened \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Wine chrosha.exe -
Loads dropped DLL 3 IoCs
pid Process 2292 rundll32.exe 3928 rundll32.exe 4696 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3008 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe 3224 chrosha.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\chrosha.job 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 3008 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe 3008 4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe 3224 chrosha.exe 3224 chrosha.exe 3936 build12.exe 3936 build12.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 3928 rundll32.exe 684 powershell.exe 684 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3936 build12.exe Token: SeDebugPrivilege 684 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3224 wrote to memory of 3936 3224 chrosha.exe 94 PID 3224 wrote to memory of 3936 3224 chrosha.exe 94 PID 3224 wrote to memory of 3936 3224 chrosha.exe 94 PID 3224 wrote to memory of 2292 3224 chrosha.exe 99 PID 3224 wrote to memory of 2292 3224 chrosha.exe 99 PID 3224 wrote to memory of 2292 3224 chrosha.exe 99 PID 2292 wrote to memory of 3928 2292 rundll32.exe 100 PID 2292 wrote to memory of 3928 2292 rundll32.exe 100 PID 3928 wrote to memory of 1316 3928 rundll32.exe 101 PID 3928 wrote to memory of 1316 3928 rundll32.exe 101 PID 3928 wrote to memory of 684 3928 rundll32.exe 103 PID 3928 wrote to memory of 684 3928 rundll32.exe 103 PID 3224 wrote to memory of 4696 3224 chrosha.exe 105 PID 3224 wrote to memory of 4696 3224 chrosha.exe 105 PID 3224 wrote to memory of 4696 3224 chrosha.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe"C:\Users\Admin\AppData\Local\Temp\4e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3008
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\1000188001\build12.exe"C:\Users\Admin\AppData\Local\Temp\1000188001\build12.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:1316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\177723727746_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD54cfd179519524269052023e10de6b866
SHA11e92ba2322e341b979d53422cf0e044c4f3b1846
SHA256a24a85156ce1a077403b4fffe4c4e1c592df412d6495fba921771c59456b43af
SHA5126477c8dc2ba0f754716ee074be131bc14a7d616c877210e0a3fbed7ea3fd132f2833518c52211757a8a875018061ae56fcdd7c30b8149ebe91c33763057ed8b9
-
Filesize
1.8MB
MD5b744a970020e1fdbae5c7763f30ed604
SHA15235946db0eafb6079f016a15e8e2c5f7cae432d
SHA2564e0d613543707a6e9628306bb683f5d21bb91e9260fc33e6f9d17efed53a0cc3
SHA5129df5a75b117cb8bfc62a32af0fba5ded8b259df2f4bc3309cf5a160a3cbae56a0113fe42bc4c1a1bfc197d8b3ee1a5fd4ecc77dbafc124d47191160c02a407c6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
Filesize
100KB
MD5455ab9618e6698ef673aa0f106114fdd
SHA188dc5a73fdb92d1b49dfda20b2c67aafbbaebcf9
SHA2567d756e0f89492214381da99d9a1f22110078a22da64b131a711022faec2937f3
SHA512f7ffdc519927eaed3a8552fd85092934f8bb3f5bee09ec4ce551f2ed8c7e7a4dc449c06e87d4c5aa1a69dd72ac7a2a0d10c879ff2c65dfaa0f214ac007db08fc
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705