Analysis
max time kernel: 42s
max time network: 44s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 22/05/2023, 18:31
Static task: static1
Behavioral task: behavioral1
Sample: ElectronicDepositCopypdf.exe
Resource: win7-20230220-en
General
Target: ElectronicDepositCopypdf.exe
Size: 1.8MB
MD5: f252f506f84914c3886e791dc984c9e0
SHA1: 62dab96df46604f04cd14ee24f27e32840809722
SHA256: 055e57a625038b3082161f3e2148a5fafc6f767298cd9ae67f5c1cac9ab71dad
SHA512: 90ae68bfb3ceacd5fa86ed784f3f3ea5f809b703ac35e041adb336eb813bef953421b36b6e7ad77b5c3b2d7a21dd5f975f3c4891a17d7fd1502c60320d73ccb6
SSDEEP: 6144:cG5aR292nLhb3ZDcJbmiRBAOb9W4YbPg02ytpRlt:vaR2knLhJWBvWxMFAXlt
Malware Config
Extracted
redline
4
147.124.217.33:22650
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1512-55-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/1512-61-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/1512-62-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline

SectopRAT payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1512-55-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/1512-61-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/1512-62-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
description                          pid    Process                        procid_target
PID 1408 set thread context of 1512  1408   ElectronicDepositCopypdf.exe   29

Program crash (1 IoC)
pid   pid_target   Process        procid_target
920   1408         WerFault.exe   27

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
1512   RegSvcs.exe
1512   RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   1512   RegSvcs.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                         pid    Process                        procid_target
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 1512    1408   ElectronicDepositCopypdf.exe   29
PID 1408 wrote to memory of 920     1408   ElectronicDepositCopypdf.exe   30
PID 1408 wrote to memory of 920     1408   ElectronicDepositCopypdf.exe   30
PID 1408 wrote to memory of 920     1408   ElectronicDepositCopypdf.exe   30
PID 1408 wrote to memory of 920     1408   ElectronicDepositCopypdf.exe   30
Processes

C:\Users\Admin\AppData\Local\Temp\ElectronicDepositCopypdf.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ElectronicDepositCopypdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1408

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1512

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 36
      - Program crash
      PID: 920
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Filesize: 92KB
MD5: 69b8d13c4e4ec564e98ce44cf52a904e
SHA1: 299f30cf457794a5310b3604ce074c46b7dba353
SHA256: d1dadcd3e1ed1693374068e92062c18d9136295d7b4685f6e564e92242a21905
SHA512: 4bf2906b5dc87483f479de4a4a180193085e35a615f537c2900498b40a90d7f1af81a7dfb79182dd8793b9fda51dc210834cc2cdacdac34f73f19344c505096c