Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 17:36
Behavioral task
behavioral1
Sample
54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe
Resource
win10v2004-20240419-en
General
-
Target
54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe
-
Size
260KB
-
MD5
816eca8281427fb942e2aa991411cc46
-
SHA1
c6f7ec6ea98dcdc10d069f041993a327f7179fb5
-
SHA256
54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b
-
SHA512
83059181f2a8cd69dbaeacd25cf7722cbee8760f7319953a11a10afae37118f7d9d0ec405240816750939a5a5881a5a69dc723dcc4457e74480e36eeab4aef67
-
SSDEEP
3072:sI0qv0/tb3349JB3ZvYIisC2BRWcCeB6PMbVY3s6x9REw29uJaI9CCN0kRcEa6UT:Gqv0/tb3GJzC5P0Ct29IaRcw
Malware Config
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral1/memory/2424-1-0x0000000001200000-0x0000000001244000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/1724-19-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/1724-14-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/1724-11-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/1724-8-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/1724-7-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 3 pastebin.com 2 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2424 set thread context of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1724 RegAsm.exe 1724 RegAsm.exe 1724 RegAsm.exe 1724 RegAsm.exe 1724 RegAsm.exe 1724 RegAsm.exe 1724 RegAsm.exe 1724 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1724 RegAsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28 PID 2424 wrote to memory of 1724 2424 54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe"C:\Users\Admin\AppData\Local\Temp\54db892f3b197776a0a7e9dca3fad125b662416f0762a19937d537b7d524d38b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-