Analysis
max time kernel: 149s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26/07/2024, 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  Resource: win11-20240709-en
General
Target: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
Size: 707KB
MD5: 8028eac372a280b4233b529aaf4c2130
SHA1: 724bd4b840d3c0285b51ef4f41d2c6a59fe25930
SHA256: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf
SHA512: e0a1b6405032086fbf823806dc9e9c8be61f21114a5b940c59c16bc15da5269f704e5aab80ad7d62891cc763f2a6d9ba2e7b2e1104306dd0805e1df4e6156704
SSDEEP: 12288:cg7AIDQUi379dhSmITfn6bKVfUWB0ba0rgzjGa7uTNv257uFDrr5:cKBDQr3pdhkL6bKVMW6ha7aNvGyFDrF
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/4020-1-0x0000000000400000-0x0000000000484000-memory.dmp; yara_rule: family_redline
Suspicious use of SetThreadContext (1 IoC)
description: PID 1880 set thread context of 4020; pid: 1880; Process: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe; procid_target: 83
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: RegAsm.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 4020; Process: RegAsm.exe (all 64 entries are identical)
Suspicious use of AdjustPrivilegeToken (36 IoCs)
description: Token: SeDebugPrivilege; pid: 4020; Process: RegAsm.exe (1 entry)
description: Token: SeBackupPrivilege; pid: 4020; Process: RegAsm.exe (7 entries)
description: Token: SeSecurityPrivilege; pid: 4020; Process: RegAsm.exe (28 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
description: PID 1880 wrote to memory of 4020; pid: 1880; Process: 8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe; procid_target: 83 (8 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe"
  PID: 1880
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 4020
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken