
Analysis

  • max time kernel
    111s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 10:37

General

  • Target

    https://ryosx.cc/

Malware Config

Extracted

Family

redline

C2

194.26.232.43:20746

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ryosx.cc/
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffbbd9ab58,0x7fffbbd9ab68,0x7fffbbd9ab78
      2⤵
      PID:3548
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:2
      2⤵
      PID:4940
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:8
      2⤵
      PID:3248
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:8
      2⤵
      PID:3604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:1
      2⤵
      PID:5012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:1
      2⤵
      PID:2308
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:8
      2⤵
      PID:1020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:8
      2⤵
      PID:3752
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3904 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:1
      2⤵
      PID:1564
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:8
      2⤵
      PID:1812
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1872,i,15091174327468107583,11009672389525182509,131072 /prefetch:8
      2⤵
      PID:4332
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:1184
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
    1⤵
    PID:3560
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4952
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\S 0 l a r a BETA V3.1\README.txt
    1⤵
    PID:1216
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S 0 l a r a BETA V3.1\SolaraBETA3\" -spe -an -ai#7zMap29554:128:7zEvent20062
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4360
  • C:\Users\Admin\Downloads\S 0 l a r a BETA V3.1\SolaraBETA3\Solara_Launcher.exe
    "C:\Users\Admin\Downloads\S 0 l a r a BETA V3.1\SolaraBETA3\Solara_Launcher.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    PID:3592
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1716
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3624

Network

MITRE ATT&CK Enterprise v15


Downloads
