Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17/05/2024, 10:46
Static task
static1
Behavioral task
behavioral1
Sample
bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe
Resource
win10v2004-20240508-en
General
-
Target
bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe
-
Size
444KB
-
MD5
7001870699ed7414326f4ebb3843e740
-
SHA1
0085850fa84f6a4733e8e95c897ee8a175154e80
-
SHA256
bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0
-
SHA512
024b9e3b8e6bb16e2cc323ed44e49285a8e1c806bc3ceb8dc4ab4d15c683a0d7c05618b30fc9a77f05ceac826ba1aad2fa38e38f0c7a722dae2c1310a4f78620
-
SSDEEP
12288:4zCC9kBFqYO/Qg4K6mnkMSZWlPmdHng1mMt4ijh2jOCQl:4LKBgeKlkBZWlPm9g1Btph2Kv
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/856-1-0x0000000000400000-0x000000000044A000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3592 set thread context of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 856 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 856 RegAsm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3592 wrote to memory of 3624 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 83 PID 3592 wrote to memory of 3624 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 83 PID 3592 wrote to memory of 3624 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 83 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84 PID 3592 wrote to memory of 856 3592 bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe"C:\Users\Admin\AppData\Local\Temp\bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:3624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-