Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
41s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
01/10/2022, 17:08
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
1.1MB
-
MD5
fe83e979df7ebf1ce0eb2e8309154ebc
-
SHA1
5c3528d56036033a77880d06e30734351e8dc328
-
SHA256
6a6ed1777e8edb9ccd43c48335dfabfaf1daeb8c2de0c28ca69b79ab050d39fe
-
SHA512
8fd49690802c7d8a269b1158b55db7aa561c320a689a31e307f0ef20a73b66cf012f2fcbaaf5788e607d6feed97ee1a201b0771d88aa5a657f1ce01ad7eba2bf
-
SSDEEP
24576:sttbQsmZvjUrRjJnY5ucoo3LkNt3Q0NXt25:stqDqJwu83ANFdXk
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/1248-58-0x00000000024F0000-0x0000000002538000-memory.dmp family_redline behavioral1/memory/1248-59-0x0000000002540000-0x0000000002586000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1248 file.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1248 file.exe 1248 file.exe 1248 file.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1248 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248