Submitted files (score / sample / platform)
   3  99629 00 E...05.exe    windows10-2004-x64
  10  AMMonitori...er.dll    windows10-2004-x64
   1  EppManifest.dll        windows10-2004-x64
   1  ImagingBase.dll        windows7-x64
   1  ImagingBase.dll        windows10-2004-x64
   1  MpAsDesc.dll           windows10-2004-x64
   1  MpAzSubmit.dll         windows10-2004-x64
   1  MpClient.dll           windows7-x64
  10  MpClient.dll           windows10-2004-x64
  10  MpCommu.dll            windows10-2004-x64
   1  MpDetours.dll          windows10-2004-x64
   1  MpDetoursC...or.dll    windows10-2004-x64
   1  MpEvMsg.dll            windows10-2004-x64
   1  MpOAV.dll              windows10-2004-x64
   1  MpProvider.dll         windows10-2004-x64
   1  MpRtp.dll              windows10-2004-x64
   1  MpSvc.dll              windows10-2004-x64
   1  MsMpCom.dll            windows10-2004-x64
   1  MsMpLics.dll           windows10-2004-x64
   1  Protection...nt.dll    windows10-2004-x64
   1  endpointdlp.dll        windows10-2004-x64
Analysis
  max time kernel:   92s
  max time network:  96s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240508-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         04/07/2024, 14:05
Tasks (task / sample / resource)
  static1       Static task
  behavioral1   99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe   win10v2004-20240508-en
  behavioral2   AMMonitoringProvider.dll        win10v2004-20240611-en
  behavioral3   EppManifest.dll                 win10v2004-20240508-en
  behavioral4   ImagingBase.dll                 win7-20240611-en
  behavioral5   ImagingBase.dll                 win10v2004-20240611-en
  behavioral6   MpAsDesc.dll                    win10v2004-20240611-en
  behavioral7   MpAzSubmit.dll                  win10v2004-20240508-en
  behavioral8   MpClient.dll                    win7-20240221-en
  behavioral9   MpClient.dll                    win10v2004-20240508-en
  behavioral10  MpCommu.dll                     win10v2004-20240508-en
  behavioral11  MpDetours.dll                   win10v2004-20240508-en
  behavioral12  MpDetoursCopyAccelerator.dll    win10v2004-20240611-en
  behavioral13  MpEvMsg.dll                     win10v2004-20240611-en
  behavioral14  MpOAV.dll                       win10v2004-20240508-en
  behavioral15  MpProvider.dll                  win10v2004-20240508-en
  behavioral16  MpRtp.dll                       win10v2004-20240508-en
  behavioral17  MpSvc.dll                       win10v2004-20240508-en
  behavioral18  MsMpCom.dll                     win10v2004-20240611-en
  behavioral19  MsMpLics.dll                    win10v2004-20240508-en
  behavioral20  ProtectionManagement.dll        win10v2004-20240611-en
  behavioral21  endpointdlp.dll                 win10v2004-20240611-en
General
  Target:  99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe
  Size:    2.5MB
  MD5:     4d7e397e97d759700ff3d0f2ed5e7192
  SHA1:    b59053909d84ed942c864a683888701ede42caed
  SHA256:  b4d3bc33f79cea60a3908517408f24d9937a9a3416e36526a1465e7bf91d5f34
  SHA512:  70258a68abaec07393127b696b1959cb743429b002a378661fd86eb6d6e46b62ee5254097d2bd113ac751191c5099088bd332d3934a5d76531326e256a092966
  SSDEEP:  49152:Iqgyd/DgXBgnqPi3W0EfLckEjO+EER8Jbn:KKAIs9

Malware Config
  Extracted
    family:  redline
    C2:      185.29.9.108:15135
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
    resource                                                                  yara_rule
    behavioral1/memory/3368-0-0x0000000000400000-0x0000000000450000-memory.dmp  family_redline

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of SetThreadContext (1 IoC)
    description                     pid   Process                                                                  procid_target
    PID 1412 set thread context of  1412  99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe    3368
    (3368 = regasm.exe, see Processes; target process 82 in the task's process numbering)

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
    pid   Process
    3368  regasm.exe  (5 occurrences)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   1412  99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe
    Token: SeDebugPrivilege   3368  regasm.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
    description                        pid   Process                                                                  procid_target
    PID 1412 wrote to memory of 3368   1412  99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe    82
    (8 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe"
  PID: 1412
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    PID: 3368
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken