Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 14:05

General

  • Target

    99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe

  • Size

    2.5MB

  • MD5

    4d7e397e97d759700ff3d0f2ed5e7192

  • SHA1

    b59053909d84ed942c864a683888701ede42caed

  • SHA256

    b4d3bc33f79cea60a3908517408f24d9937a9a3416e36526a1465e7bf91d5f34

  • SHA512

    70258a68abaec07393127b696b1959cb743429b002a378661fd86eb6d6e46b62ee5254097d2bd113ac751191c5099088bd332d3934a5d76531326e256a092966

  • SSDEEP

    49152:Iqgyd/DgXBgnqPi3W0EfLckEjO+EER8Jbn:KKAIs9

Malware Config

Extracted

Family

redline

C2

185.29.9.108:15135

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe
    "C:\Users\Admin\AppData\Local\Temp\99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3368-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3368-1-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

    Filesize

    4KB

  • memory/3368-2-0x00000000053D0000-0x0000000005974000-memory.dmp

    Filesize

    5.6MB

  • memory/3368-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

    Filesize

    584KB

  • memory/3368-4-0x0000000074FB0000-0x0000000075760000-memory.dmp

    Filesize

    7.7MB

  • memory/3368-5-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

    Filesize

    40KB

  • memory/3368-6-0x0000000005FA0000-0x00000000065B8000-memory.dmp

    Filesize

    6.1MB

  • memory/3368-7-0x0000000005980000-0x0000000005A8A000-memory.dmp

    Filesize

    1.0MB

  • memory/3368-8-0x0000000004F60000-0x0000000004F72000-memory.dmp

    Filesize

    72KB

  • memory/3368-9-0x0000000005220000-0x000000000525C000-memory.dmp

    Filesize

    240KB

  • memory/3368-10-0x0000000005260000-0x00000000052AC000-memory.dmp

    Filesize

    304KB

  • memory/3368-11-0x0000000005A90000-0x0000000005AF6000-memory.dmp

    Filesize

    408KB

  • memory/3368-12-0x00000000069D0000-0x0000000006A20000-memory.dmp

    Filesize

    320KB

  • memory/3368-13-0x0000000006E70000-0x0000000007032000-memory.dmp

    Filesize

    1.8MB

  • memory/3368-14-0x00000000080A0000-0x00000000085CC000-memory.dmp

    Filesize

    5.2MB

  • memory/3368-16-0x0000000074FB0000-0x0000000075760000-memory.dmp

    Filesize

    7.7MB