Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Resubmissions

18/10/2022, 04:32

221018-e51g6seeb8 10

18/10/2022, 04:06

221018-epj59aedd6 7

18/10/2022, 03:34

221018-d417mseefj 10

Analysis

  • max time kernel
    300s
  • max time network
    304s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2022, 03:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe

  • Size

    521KB

  • MD5

    c0318aa61a314fed79c87be28f0db3ba

  • SHA1

    361e5206d2e0aeb88174c524e6c7cfb90c94670d

  • SHA256

    be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b

  • SHA512

    619ad72faaa694d7dd141288c8f99738d3110fb2e08ea9a5feda3777d4d32456feca66a2e0da96a0610f475e358cb9bb99fc54a179fb98674f91cb205ff7a586

  • SSDEEP

    12288:bjNYGB77lC5eQoyLKWRIvwr222Zy+CQI1Cr2H:bjN99J2eOWF22ZaTe

Score
10/10
redlinebirjro1discoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

BirjRo1

C2

79.137.197.136:23532

Attributes
  • auth_value

    278e5c62cf6a9bb4e0ab732b17b0368e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe
    "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net user %username%
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\net.exe
        net user Admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin
          4⤵
            PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Set-ExecutionPolicy bypass -Force
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe C:\Windows\SvcManager\las.ps1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe C:\Windows\SvcManager\las.ps1
          3⤵
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\SysWOW64\SecEdit.exe
            "C:\Windows\system32\SecEdit.exe" /export /cfg tempexport.inf
            4⤵
            • Drops file in Windows directory
            PID:1124
          • C:\Windows\SysWOW64\SecEdit.exe
            "C:\Windows\system32\SecEdit.exe" /import /db secedit.sdb /cfg .\tempimport.inf
            4⤵
              PID:1560
            • C:\Windows\SysWOW64\SecEdit.exe
              "C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb
              4⤵
                PID:1848
              • C:\Windows\SysWOW64\gpupdate.exe
                "C:\Windows\system32\gpupdate.exe" /force
                4⤵
                  PID:1184
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del /f C:\Windows\SvcManager\las.ps1
              2⤵
                PID:1820
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:1460
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\extra.exe
                  2⤵
                  • Loads dropped DLL
                  PID:2032
                  • C:\Users\Admin\AppData\Local\Temp\extra.exe
                    C:\Users\Admin\AppData\Local\Temp\\extra.exe
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:740
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\be9d0c8a2051d70d4434e034647c8b675a38c1f08252c94c1620fbe663bd853b.exe"
                  2⤵
                  • Deletes itself
                  PID:584
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 1.1.1.1 -n 1 -w 3000
                    3⤵
                    • Runs ping.exe
                    PID:1408
              • C:\Windows\SvcManager\svcmgr.exe
                C:\Windows\SvcManager\svcmgr.exe
                1⤵
                • Executes dropped EXE
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:876
              • C:\Windows\SvcManager\svcmgr.exe
                C:\Windows\SvcManager\svcmgr.exe
                1⤵
                • Executes dropped EXE
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:1532
              • C:\Windows\SvcManager\svcmgr.exe
                C:\Windows\SvcManager\svcmgr.exe
                1⤵
                • Executes dropped EXE
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:1780

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\extra.exe
                Filesize

                137KB

                MD5

                0072395e192397b4f98bbb6852d1d495

                SHA1

                8246494746644b90380a4458e9248e7f3341ad8f

                SHA256

                f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c

                SHA512

                1c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\extra.exe
                Filesize

                137KB

                MD5

                0072395e192397b4f98bbb6852d1d495

                SHA1

                8246494746644b90380a4458e9248e7f3341ad8f

                SHA256

                f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c

                SHA512

                1c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                Filesize

                7KB

                MD5

                41db09b7ededffc3f18ebc3a66bf94a0

                SHA1

                74f3a9bd7e063d71511e4616e7a621fb7f249348

                SHA256

                ebde9b677b929d76c91960c6f61540f9729d2289612b5923e7e647e5580c420a

                SHA512

                652db88bcfbd42334c6a00ecf872be922a26c7808d27a6f8cb0aac86831951ef0a1394cf556ab5df58f83f1a9727cd2bf792ecac0f0907a39fa665c99d07eb7b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                Filesize

                7KB

                MD5

                41db09b7ededffc3f18ebc3a66bf94a0

                SHA1

                74f3a9bd7e063d71511e4616e7a621fb7f249348

                SHA256

                ebde9b677b929d76c91960c6f61540f9729d2289612b5923e7e647e5580c420a

                SHA512

                652db88bcfbd42334c6a00ecf872be922a26c7808d27a6f8cb0aac86831951ef0a1394cf556ab5df58f83f1a9727cd2bf792ecac0f0907a39fa665c99d07eb7b

                Download Submit

              • C:\Windows\SvcManager\las.ps1
                Filesize

                1KB

                MD5

                9a6fbc01aa4147aa5aa91fca92ef6dfd

                SHA1

                f8b47020022626abef69f2032d22e89b95b994a8

                SHA256

                f63923ddc20574ca230a3b51bf7a6bf158a53f84494e2081071c3469abb068ca

                SHA512

                a80c89c1daa41d8c1f5c71ec06db7eaf6f686f4726ef5cce8d8854371fec4dfa88b4649ee7f78c59ff4f1f00a7296a917696a760228ce59206c09d3d7e954990

                Download Submit

              • C:\Windows\SvcManager\svcmgr.exe
                Filesize

                788KB

                MD5

                621074969d8ccca5585201b6268e2faf

                SHA1

                252f556025ec03884edfd793da95179e31b055e5

                SHA256

                e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe

                SHA512

                0806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a

                Download Submit

              • C:\Windows\SvcManager\svcmgr.exe
                Filesize

                788KB

                MD5

                621074969d8ccca5585201b6268e2faf

                SHA1

                252f556025ec03884edfd793da95179e31b055e5

                SHA256

                e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe

                SHA512

                0806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a

                Download Submit

              • C:\Windows\SvcManager\svcmgr.exe
                Filesize

                788KB

                MD5

                621074969d8ccca5585201b6268e2faf

                SHA1

                252f556025ec03884edfd793da95179e31b055e5

                SHA256

                e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe

                SHA512

                0806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a

                Download Submit

              • C:\Windows\SvcManager\svcmgr.exe
                Filesize

                788KB

                MD5

                621074969d8ccca5585201b6268e2faf

                SHA1

                252f556025ec03884edfd793da95179e31b055e5

                SHA256

                e707fad41b65d06c3b6e7b2a61aa616c8256546cd9fae1acf5fa0e07d62034fe

                SHA512

                0806a33113d2586014abbd9725443a95836ca3ae4a8e9e6d08537dd6059d4ac38112b53f7da5a548c89e6331f2bf6ffb386cb5714491f86975a9f852a7781a3a

                Download Submit

              • C:\Windows\SvcManager\tempexport.inf
                Filesize

                16KB

                MD5

                4f9d9a31b38978d0a23c60f67fdbeedb

                SHA1

                7886fec6c38f0bff79930a97c4e75ceaba17ce32

                SHA256

                85773e2c05d587ae800deae43ab836164aab7d35118cf4b2c0029a11fd17c8ee

                SHA512

                12465d2898a70335cc411dc3862c43cda1b19b4f36bd6a64f188401426f2d1153801cb6c74ab64ee212a34000928a1d6794b3bbe4924986e80b24bc7338c66bb

                Download Submit

              • \Users\Admin\AppData\Local\Temp\extra.exe
                Filesize

                137KB

                MD5

                0072395e192397b4f98bbb6852d1d495

                SHA1

                8246494746644b90380a4458e9248e7f3341ad8f

                SHA256

                f6eb83f11c4e97e037def9bcca9685beaf38e7a172f4b60e28ba9b479657db2c

                SHA512

                1c5cba2c03ccb36faf837a69f89789f854e5625a428990427d2fca796864420b5648889157ef79efc10b6873a59e640aa6ac4a6ced1652927f3f9eab0b7d9e5d

                Download Submit

              • memory/740-96-0x0000000000080000-0x00000000000A8000-memory.dmp

                Filesize

                160KB

                Download

              • memory/876-90-0x0000000000D90000-0x0000000000E5C000-memory.dmp

                Filesize

                816KB

                Download

              • memory/876-98-0x0000000000CA0000-0x0000000000D46000-memory.dmp

                Filesize

                664KB

                Download

              • memory/944-65-0x00000000739A0000-0x0000000073F4B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/944-62-0x0000000075451000-0x0000000075453000-memory.dmp

                Filesize

                8KB

                Download

              • memory/944-64-0x00000000739A0000-0x0000000073F4B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1404-54-0x0000000000698000-0x00000000006F5000-memory.dmp

                Filesize

                372KB

                Download

              • memory/1404-82-0x00000000002D0000-0x0000000000371000-memory.dmp

                Filesize

                644KB

                Download

              • memory/1404-83-0x0000000000698000-0x00000000006F5000-memory.dmp

                Filesize

                372KB

                Download

              • memory/1404-84-0x0000000000400000-0x00000000005DF000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1404-55-0x0000000000698000-0x00000000006F5000-memory.dmp

                Filesize

                372KB

                Download

              • memory/1404-100-0x0000000000698000-0x00000000006F5000-memory.dmp

                Filesize

                372KB

                Download

              • memory/1404-101-0x0000000000400000-0x00000000005DF000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1404-56-0x00000000002D0000-0x0000000000371000-memory.dmp

                Filesize

                644KB

                Download

              • memory/1404-63-0x0000000000400000-0x00000000005DF000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/1532-104-0x0000000000F20000-0x0000000000FEC000-memory.dmp

                Filesize

                816KB

                Download

              • memory/1832-70-0x0000000073180000-0x000000007372B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1872-77-0x0000000072BD0000-0x000000007317B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1872-85-0x0000000072BD0000-0x000000007317B000-memory.dmp

                Filesize

                5.7MB

                Download