Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26/07/2024, 02:57

General

  • Target

    8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe

  • Size

    707KB

  • MD5

    8028eac372a280b4233b529aaf4c2130

  • SHA1

    724bd4b840d3c0285b51ef4f41d2c6a59fe25930

  • SHA256

    8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf

  • SHA512

    e0a1b6405032086fbf823806dc9e9c8be61f21114a5b940c59c16bc15da5269f704e5aab80ad7d62891cc763f2a6d9ba2e7b2e1104306dd0805e1df4e6156704

  • SSDEEP

    12288:cg7AIDQUi379dhSmITfn6bKVfUWB0ba0rgzjGa7uTNv257uFDrr5:cKBDQr3pdhkL6bKVMW6ha7aNvGyFDrF

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe
    "C:\Users\Admin\AppData\Local\Temp\8c21ce25425296e84d2a6f591d80ba7e308672d0da43dfd8ce96c8a2e00f8adf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1880-0-0x0000000000D60000-0x0000000000D61000-memory.dmp

    Filesize

    4KB

  • memory/4020-1-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/4020-2-0x000000007425E000-0x000000007425F000-memory.dmp

    Filesize

    4KB

  • memory/4020-3-0x0000000074250000-0x0000000074A01000-memory.dmp

    Filesize

    7.7MB

  • memory/4020-4-0x0000000005880000-0x00000000058A0000-memory.dmp

    Filesize

    128KB

  • memory/4020-5-0x0000000006240000-0x00000000067E6000-memory.dmp

    Filesize

    5.6MB

  • memory/4020-6-0x0000000005D30000-0x0000000005DC2000-memory.dmp

    Filesize

    584KB

  • memory/4020-7-0x0000000005CE0000-0x0000000005CEA000-memory.dmp

    Filesize

    40KB

  • memory/4020-8-0x0000000008F90000-0x00000000095A8000-memory.dmp

    Filesize

    6.1MB

  • memory/4020-10-0x0000000008A00000-0x0000000008A12000-memory.dmp

    Filesize

    72KB

  • memory/4020-9-0x0000000008AC0000-0x0000000008BCA000-memory.dmp

    Filesize

    1.0MB

  • memory/4020-11-0x0000000008A60000-0x0000000008A9C000-memory.dmp

    Filesize

    240KB

  • memory/4020-12-0x0000000008BD0000-0x0000000008C1C000-memory.dmp

    Filesize

    304KB

  • memory/4020-13-0x000000007425E000-0x000000007425F000-memory.dmp

    Filesize

    4KB

  • memory/4020-14-0x0000000074250000-0x0000000074A01000-memory.dmp

    Filesize

    7.7MB