Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 38s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2023, 16:37
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 2.1MB
- MD5: d1433f5b2eada044678af57d87ee31e5
- SHA1: 0493152ee8d18335fa5043be0f80d12331f2ea00
- SHA256: 95702883e883a7fa3f7f20ecf6713b03cd00469644d777b73f36351db97ef3c2
- SHA512: 80dcff2d4e4001d8adb4eff0963921e4335c80bde476492996e74762918663bc84627ae9ca73023f75f799143d3101939ce0a599fafa164f9750481e4bb680c2
- SSDEEP: 49152:V5OaOl3UYvrbFueD40EJbAXOUghn/WsAXZ//t:V59Q3UYvrBusTM8OUgNLY
Malware Config
Extracted
- family: redline
- botnet: LogsDiller Cloud (TG: @logsdillabot)
- C2: 51.210.137.6:47909
- auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Executes dropped EXE (2 IoCs)
  pid   Process
  1088  123.exe
  1804  321.exe

- Loads dropped DLL (12 IoCs)
  pid   Process        count
  1988  file.exe       6
  1684  WerFault.exe   3
  1044  WerFault.exe   3

- Uses the VBS compiler for execution (1 TTPs)

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process   procid_target
  PID 1088 set thread context of 1564  1088  123.exe   30
  PID 1804 set thread context of 1744  1804  321.exe   32

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (2 IoCs)
  pid   pid_target  Process        procid_target
  1684  1088        WerFault.exe   26
  1044  1804        WerFault.exe   28

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process   count
  1564  vbc.exe   2

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1564  vbc.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  description                       pid   Process    procid_target  count
  PID 1988 wrote to memory of 1088  1988  file.exe   26             4
  PID 1988 wrote to memory of 1804  1988  file.exe   28             4
  PID 1088 wrote to memory of 1564  1088  123.exe    30             6
  PID 1088 wrote to memory of 1684  1088  123.exe    31             4
  PID 1804 wrote to memory of 1744  1804  321.exe    32             6
  PID 1804 wrote to memory of 1044  1804  321.exe    33             4
  PID 1744 wrote to memory of 1688  1744  vbc.exe    34             4
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1988
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\Temp\123.exe
    command line: "C:\Windows\Temp\123.exe"
    PID: 1088
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 1564
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 48
      PID: 1684
      - Loads dropped DLL
      - Program crash

  C:\Windows\Temp\321.exe
    command line: "C:\Windows\Temp\321.exe"
    PID: 1804
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 1744
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
        PID: 1688

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 48
      PID: 1044
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.0MB
  MD5: ae771c1de075bbc19c94c282dd0d700f
  SHA1: 01e03ffabc07e03a87e0153e7f0f473a17180d6a
  SHA256: ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3
  SHA512: 1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8
  (this file is listed 7 times in the report's download list)

- Filesize: 3.4MB
  MD5: ef82992004a4ecb5d8d938253afce558
  SHA1: 358ff0331fc36fc1871225bc11a5011f72949d7c
  SHA256: 11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7
  SHA512: 59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b
  (this file is listed 7 times in the report's download list)