Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    50s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2022, 11:32

General

  • Target

    0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe

  • Size

    361KB

  • MD5

    b6608633aed154db58c9430b6e4d26c5

  • SHA1

    9b9d0d7cb57b48b8e6db6c8fb292e5322f19dec9

  • SHA256

    0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11

  • SHA512

    58408b452f99eb74ab7443e8946e45f6bce62c57cef11de0e2fa9123b17d859dcf5edc8a3637d623e4f54790079cad6bf4baf86e9942649f4dc60e059af4e550

  • SSDEEP

    6144:eEaXBUcN2BRrn1fH0N6GkBut5adsSEK69yDPhSjYlakxjTLVqoARRSTZAPdg+:/aRDNoVJKRtUdsSEK69yDPhSjYlakxjv

Malware Config

Extracted

Family

redline

Botnet

0002

C2

13.72.81.58:13413

Attributes
  • auth_value

    866ce0ed8cfe2be77fb43a4912677698

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
    "C:\Users\Admin\AppData\Local\Temp\0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    362KB

    MD5

    37e39c732e3ec7e26743440e8986e2b0

    SHA1

    9637244713aeb6150e123b7d4472114c8bb0e4fa

    SHA256

    b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c

    SHA512

    7837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb

  • C:\Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    362KB

    MD5

    37e39c732e3ec7e26743440e8986e2b0

    SHA1

    9637244713aeb6150e123b7d4472114c8bb0e4fa

    SHA256

    b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c

    SHA512

    7837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb

  • \Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    362KB

    MD5

    37e39c732e3ec7e26743440e8986e2b0

    SHA1

    9637244713aeb6150e123b7d4472114c8bb0e4fa

    SHA256

    b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c

    SHA512

    7837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb

  • memory/752-54-0x0000000000800000-0x0000000000860000-memory.dmp

    Filesize

    384KB

  • memory/752-55-0x00000000003B0000-0x00000000003B6000-memory.dmp

    Filesize

    24KB

  • memory/752-56-0x0000000075841000-0x0000000075843000-memory.dmp

    Filesize

    8KB

  • memory/1944-61-0x0000000000CB0000-0x0000000000D10000-memory.dmp

    Filesize

    384KB