Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/07/2024, 02:57
Static task: static1

Behavioral task: behavioral1
  Sample: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  Resource: win10v2004-20240709-en

Behavioral task: behavioral2
  Sample: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  Resource: win11-20240709-en
General
  Target: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  Size: 707KB
  MD5: 8028eac372a280b4233b529aaf4c2130
  SHA1: 724bd4b840d3c0285b51ef4f41d2c6a59fe25930
  SHA256: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf
  SHA512: e0a1b6405032086fbf823806dc9e9c8be61f21114a5b940c59c16bc15da5269f704e5aab80ad7d62891cc763f2a6d9ba2e7b2e1104306dd0805e1df4e6156704
  SSDEEP: 12288:cg7AIDQUi379dhSmITfn6bKVfUWB0ba0rgzjGa7uTNv257uFDrr5:cKBDQr3pdhkL6bKVMW6ha7aNvGyFDrF
Malware Config
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral1/memory/368-0-0x0000000000400000-0x0000000000484000-memory.dmp
  yara_rule: family_redline

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4704 set thread context of 368
  pid: 4704
  Process: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  procid_target: 88

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: RegAsm.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 368, RegAsm.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  pid 368, RegAsm.exe, tokens enabled in report order: SeDebugPrivilege (1), then seven repetitions of SeBackupPrivilege followed by four SeSecurityPrivilege; totals: SeDebugPrivilege 1, SeBackupPrivilege 7, SeSecurityPrivilege 28

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 4704 wrote to memory of 368 (8 identical entries)
  pid: 4704
  Process: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  procid_target: 88
Processes
  1. C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe"
     PID: 4704
     - Suspicious use of SetThreadContext
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of 1)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 368
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
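The three cross-process signatures above read together as one technique: the sample (PID 4704) spawns RegAsm.exe (PID 368) with no arguments, writes into its memory eight times, replaces a thread context with SetThreadContext, and the family_redline YARA hit then lands in PID 368's memory at 0x400000-0x484000, the image region of the hollowed host. The following is an added example, not tria.ge code, that correlates records of this shape into a process-hollowing verdict. The process, API and privilege records are transcribed from this report; the list of trusted .NET hosts commonly abused as hollowing targets is an assumption of the example.

```python
# Added example (not tria.ge code): correlate sandbox signature records into a
# process-hollowing verdict. Records are transcribed from the report above.
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = "8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe"

# (pid, image path, parent pid) from the "Processes" tree; the report does not
# show the sample's own parent, hence None.
PROCESSES: List[Tuple[int, str, Optional[int]]] = [
    (4704, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, None),
    (368, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", 4704),
]

# Cross-process API records (api, source pid, target pid): one SetThreadContext
# and eight WriteProcessMemory entries, as listed under "Signatures".
EVENTS: List[Tuple[str, int, int]] = (
    [("SetThreadContext", 4704, 368)] + [("WriteProcessMemory", 4704, 368)] * 8
)

# The 36 AdjustPrivilegeToken records for pid 368, in report order.
PRIVILEGES: Dict[int, List[str]] = {
    368: ["SeDebugPrivilege"]
    + (["SeBackupPrivilege"] + ["SeSecurityPrivilege"] * 4) * 7,
}

# Assumption of this example: signed .NET Framework utilities that are present
# on every Windows box and sit idle when launched without arguments, which is
# why loaders pick them as hollowing hosts.
LOLBIN_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_lolbin_host(image: str) -> bool:
    return basename(image).lower() in LOLBIN_HOSTS


def hollowing_candidates(processes, events) -> List[dict]:
    """One record per (injector, target) pair where the injector both wrote
    into the target and replaced a thread context. Requiring both calls, not
    WriteProcessMemory alone, keeps debuggers and parents that merely patch
    a child out of the result."""
    image = {pid: path for pid, path, _ in processes}
    parent = {pid: ppid for pid, _, ppid in processes}
    writes: Counter = Counter()
    set_ctx = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            set_ctx.add((src, dst))
    out = []
    for src, dst in sorted(writes):
        if (src, dst) not in set_ctx:
            continue
        out.append({
            "injector": src,
            "target": dst,
            "target_image": image.get(dst, "?"),
            "writes": writes[(src, dst)],
            "spawned_by_injector": parent.get(dst) == src,
            "lolbin_host": is_lolbin_host(image.get(dst, "")),
        })
    return out


def privilege_summary(tokens: List[str]) -> Dict[str, int]:
    """Collapse the flat AdjustPrivilegeToken list into per-privilege counts."""
    return dict(Counter(tokens))


def verdict(processes, events, privileges) -> List[str]:
    findings = []
    for c in hollowing_candidates(processes, events):
        tags = []
        if c["spawned_by_injector"]:
            tags.append("child of injector")
        if c["lolbin_host"]:
            tags.append("trusted .NET host")
        findings.append(
            f"process hollowing: pid {c['injector']} -> pid {c['target']} "
            f"({basename(c['target_image'])}), "
            f"{c['writes']} writes + SetThreadContext"
            + (f" [{', '.join(tags)}]" if tags else ""))
        privs = privilege_summary(privileges.get(c["target"], []))
        # A hollowed RegAsm.exe has no business holding SeDebugPrivilege;
        # the stealer enables it to read other processes.
        if "SeDebugPrivilege" in privs:
            findings.append(
                f"pid {c['target']} enabled SeDebugPrivilege after injection "
                f"(privilege counts: {privs})")
    return findings


if __name__ == "__main__":
    for line in verdict(PROCESSES, EVENTS, PRIVILEGES):
        print(line)
```

The same correlation works on the second behavioral task (win11-20240709-en) once its records are transcribed; the structure of the verdict does not depend on the host OS, only on the pairing of writes with a context change from the same source PID.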