Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 02:57

General

  • Target

    8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe

  • Size

    707KB

  • MD5

    8028eac372a280b4233b529aaf4c2130

  • SHA1

    724bd4b840d3c0285b51ef4f41d2c6a59fe25930

  • SHA256

    8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf

  • SHA512

    e0a1b6405032086fbf823806dc9e9c8be61f21114a5b940c59c16bc15da5269f704e5aab80ad7d62891cc763f2a6d9ba2e7b2e1104306dd0805e1df4e6156704

  • SSDEEP

    12288:cg7AIDQUi379dhSmITfn6bKVfUWB0ba0rgzjGa7uTNv257uFDrr5:cKBDQr3pdhkL6bKVMW6ha7aNvGyFDrF

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
    "C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/368-6-0x0000000005220000-0x00000000052B2000-memory.dmp

    Filesize

    584KB

  • memory/368-10-0x0000000007FF0000-0x0000000008002000-memory.dmp

    Filesize

    72KB

  • memory/368-2-0x000000007425E000-0x000000007425F000-memory.dmp

    Filesize

    4KB

  • memory/368-3-0x0000000074250000-0x0000000074A00000-memory.dmp

    Filesize

    7.7MB

  • memory/368-4-0x00000000050E0000-0x0000000005100000-memory.dmp

    Filesize

    128KB

  • memory/368-5-0x00000000056F0000-0x0000000005C94000-memory.dmp

    Filesize

    5.6MB

  • memory/368-0-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/368-8-0x0000000008560000-0x0000000008B78000-memory.dmp

    Filesize

    6.1MB

  • memory/368-14-0x0000000074250000-0x0000000074A00000-memory.dmp

    Filesize

    7.7MB

  • memory/368-9-0x00000000080B0000-0x00000000081BA000-memory.dmp

    Filesize

    1.0MB

  • memory/368-7-0x00000000052C0000-0x00000000052CA000-memory.dmp

    Filesize

    40KB

  • memory/368-11-0x0000000008050000-0x000000000808C000-memory.dmp

    Filesize

    240KB

  • memory/368-12-0x00000000081C0000-0x000000000820C000-memory.dmp

    Filesize

    304KB

  • memory/368-13-0x000000007425E000-0x000000007425F000-memory.dmp

    Filesize

    4KB

  • memory/4704-1-0x00000000011D0000-0x00000000011D1000-memory.dmp

    Filesize

    4KB