Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/01/2025, 15:11
250117-sk4kzssrhv 1017/01/2025, 15:09
250117-sjgd3asrbs 1017/01/2025, 15:07
250117-shlbmasqgv 1017/01/2025, 14:27
250117-rsndas1pgx 1016/01/2025, 17:37
250116-v7e71s1ncy 1016/01/2025, 17:30
250116-v27eba1lew 1016/01/2025, 17:29
250116-v232ws1let 316/01/2025, 17:29
250116-v21lrs1ldz 316/01/2025, 17:27
250116-v1g32a1qfk 1016/01/2025, 09:47
250116-lsajjsvrgn 10Analysis
-
max time kernel
54s -
max time network
70s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
17/01/2025, 15:09
Static task
static1
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
stealc
Voov3
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/3532-25-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Redline family
-
Stealc family
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 4656 vorpgkadeg.exe 4204 cock.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 raw.githubusercontent.com 7 raw.githubusercontent.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4204 set thread context of 3532 4204 cock.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4363463463464363463463463.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vorpgkadeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1096 4363463463464363463463463.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1096 wrote to memory of 4656 1096 4363463463464363463463463.exe 81 PID 1096 wrote to memory of 4656 1096 4363463463464363463463463.exe 81 PID 1096 wrote to memory of 4656 1096 4363463463464363463463463.exe 81 PID 1096 wrote to memory of 4204 1096 4363463463464363463463463.exe 82 PID 1096 wrote to memory of 4204 1096 4363463463464363463463463.exe 82 PID 1096 wrote to memory of 4204 1096 4363463463464363463463463.exe 82 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84 PID 4204 wrote to memory of 3532 4204 cock.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe"C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4656
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cock.exe"C:\Users\Admin\AppData\Local\Temp\Files\cock.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3532
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:3188
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5bd909fb2282ec2e4a11400157c33494a
SHA1ab693a29a38b705be8c3b29172c6ac1374463f62
SHA2569941dc8857ef1b6ffc86f88bd755789ded1b42c6aead836e88466d97bb1db392
SHA51281857f502dc0a3d922bd74a0fdde3958c05a743c50dc8281b5db74b593a020e5d1d65677e645a2a262bb873c523765ba7274b359ec9eaf7442db7caf5e5fdf28
-
Filesize
239KB
MD54d58df8719d488378f0b6462b39d3c63
SHA14cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA51273a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738