Analysis
Max time kernel: 42s
Max time network: 44s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14/07/2024, 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: Software for cs2/Cheat.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: Software for cs2/If doesnt work open it.exe
  Resource: win10v2004-20240709-en
General
Target: Software for cs2/If doesnt work open it.exe
Size: 596KB
MD5: 5d1b4eb88282270a57fba0e83c77559f
SHA1: 04e738fd0103a5b3e1289808c158f476097786e3
SHA256: 2153ed03b0c7fae1e0474bdd1147030ae04360434440af3a34c6adfe04e75be1
SHA512: 9e26b00ddbb5c0113f3cde379275ba84cdd820ccfde4b449b53b3b43bf6e9ce636d09c25dd77bc05b441975748058a063e4e53c839c5349dcbb966cef0862862
SSDEEP: 12288:M/28tVT20+j68WzEWD4848SWfZCdnnufyfWyw1oQ6kIBpm3L609OUpLDz6cLyorf:Mu8tN20tzEW8diS
Malware Config
Extracted
redline
185.196.9.26:6302
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/832-8-0x0000000000400000-0x0000000000450000-memory.dmp; yara_rule: family_redline
- Loads dropped DLL (1 IoC)
  pid: 1980; process: If doesnt work open it.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1980 set thread context of 832; pid: 1980; process: If doesnt work open it.exe; procid_target: 85
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  5 identical entries, each: pid: 832; process: MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 832; process: MSBuild.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  8 identical entries, each: description: PID 1980 wrote to memory of 832; pid: 1980; process: If doesnt work open it.exe; procid_target: 85
Processes
- "C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe" (PID: 1980)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" (PID: 832)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 436KB
MD5: 03b5bbf02fdd03c31f004e05ac095912
SHA1: b5e5992080cf5667fe35415c34610a7e1188f18e
SHA256: a9ccd777bcefff67f3c97d107d7b7a297f55fbbdaf03391ed7a2a4fca946dfdf
SHA512: 5cdd684f9634cc05ef66957bf8e0a2c3feb6d0b1f922b6bbb29349c93e6271099f95229a8dae255c2ee162d3af683bbb2bd1f4dac657de5671feb9767de8a964