Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2022, 22:17

General

  • Target

    68e6ebf21ae59e1cfd0c2400c26b53582ccbc36a7652ba82697f6adb40e31d72.exe

  • Size

    375KB

  • MD5

    6b08290db449dd1ce27124f883df266d

  • SHA1

    818d17f48ed640626ee66852999af3949075450a

  • SHA256

    68e6ebf21ae59e1cfd0c2400c26b53582ccbc36a7652ba82697f6adb40e31d72

  • SHA512

    d0c8b3e3195280b79877b9bc336c4bfb50c84b65b0c6054b6436802502aa46fcb063106a2770387abdc476d5cee31f5615862ba1b911546fc60a2f65f54a714b

  • SSDEEP

    6144:vkdLmcWUDiPeeSgbzld1WuV2Vh+t+H0LhJIp5mrhbZY:vkdicWsiGedzj1WSht+I

Malware Config

Extracted

Family

redline

Botnet

sport

C2

31.41.244.98:4063

Attributes
  • auth_value

    82cce55eeb56b322651e98032c09d225

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68e6ebf21ae59e1cfd0c2400c26b53582ccbc36a7652ba82697f6adb40e31d72.exe
    "C:\Users\Admin\AppData\Local\Temp\68e6ebf21ae59e1cfd0c2400c26b53582ccbc36a7652ba82697f6adb40e31d72.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2040-55-0x0000000000220000-0x000000000026B000-memory.dmp

    Filesize

    300KB

  • memory/2040-54-0x000000000064B000-0x000000000067A000-memory.dmp

    Filesize

    188KB

  • memory/2040-56-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2040-57-0x0000000001FA0000-0x0000000001FE6000-memory.dmp

    Filesize

    280KB

  • memory/2040-58-0x0000000001FE0000-0x0000000002024000-memory.dmp

    Filesize

    272KB

  • memory/2040-59-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB

  • memory/2040-60-0x000000000064B000-0x000000000067A000-memory.dmp

    Filesize

    188KB

  • memory/2040-61-0x000000000064B000-0x000000000067A000-memory.dmp

    Filesize

    188KB

  • memory/2040-62-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB