Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21/03/2023, 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe
  Resource: win10v2004-20230220-en
General
- Target: 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe
- Size: 4.2MB
- MD5: 446215913dd436aae1317ad90bf75677
- SHA1: 6f9c887f3fe17b16045fd2fa2d754c744447a4d2
- SHA256: 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513
- SHA512: dd1b3f89efb92245640289b43ceedbf3bb562578286966d3a72bd03ff145f36054788353d39804489174c6f9018624820f54cad560394be7cf09f5127188acb3
- SSDEEP: 98304:scyyd+oHduCY3f3rFQtAjgyzZdGxHeqWF0KfgOjCH:sAswQFQtLUGFeqlm
Malware Config
Extracted: bitrat 1.38
- C2: 185.246.220.122:1488
- communication_password: 81dc9bdb52d04dc20036dbd8313ed055
- tor_process: tor
Extracted: redline
- C2: 185.246.220.122:7164
- auth_value: bc36aaf1c6447fa611401422deaa29dd
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (1 IoCs)
  pid 596, Process rr.exe
- Loads dropped DLL (1 IoCs)
  pid 1532, Process 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 936, Process vbc.exe (4 identical entries)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1532 set thread context of 936 (pid 1532, Process 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe, procid_target 28)
  PID 596 set thread context of 320 (pid 596, Process rr.exe, procid_target 30)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (pid 936, Process vbc.exe)
  Token: SeShutdownPrivilege (pid 936, Process vbc.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 936, Process vbc.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1532 wrote to memory of 936 (pid 1532, Process 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe, procid_target 28): 12 identical entries
  PID 1532 wrote to memory of 596 (pid 1532, Process 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe, procid_target 29): 7 identical entries
  PID 596 wrote to memory of 320 (pid 596, Process rr.exe, procid_target 30): 9 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe"
  PID: 1532
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 936
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\rr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rr.exe"
    PID: 596
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 320
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 328KB
  MD5: 3f2f9975e1964be99f7e51ddc30f8c07
  SHA1: 1e6d873c70d4ac66daf350087a50409050eeeaff
  SHA256: 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
  SHA512: 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d