Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 02/01/2023, 18:55
Static task
- static1
Behavioral task
- behavioral1
  Sample: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
  Resource: win10v2004-20220901-en
General
- Target: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
- Size: 6.2MB
- MD5: 7854eb17b45359996f52750494cb074c
- SHA1: 287573018d6b07b5b32fcffc63b9aa017740e4bf
- SHA256: 7a62100d2ed5e4d93d235b30136ef5bad3ab08d0618354aacb521206ff268ff7
- SHA512: b21d2e62e0d1c9da1ee084d2dfd137540493d1974a962853a40b95854c5c37ccfe1ae5ad29adbf0341afaeedd86ffceff81f0aaa608f41e4c8a7cb9ac17a3830
- SSDEEP: 98304:hPVjSBqqI7eS4zgoy8KiB7+7G/spBBjYjoECUqbtMv:Tr4y8DxAG/sBBj9HUOK
Malware Config
Extracted
- Family: redline
- UniverseCity101
- C2: 80.89.228.168:5007
- auth_value: 638ab234d171305d6eb5c29368e6c632
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description                        | pid  | Process                                      | procid_target
  PID 1532 set thread context of 836 | 1532 | 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe | 28
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  836 | InstallUtil.exe
  836 | InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid | Process
  Token: SeDebugPrivilege | 836 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                     | pid  | Process                                      | procid_target
  PID 1532 wrote to memory of 836 | 1532 | 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe | 28
  (this identical entry is listed 12 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe (PID:1532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID:836, child of PID 1532)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken