Analysis
max time kernel: 28s
max time network: 31s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2023, 17:41
Static task: static1
Behavioral task: behavioral1
  Sample: DawnLand6.exe
  Resource: win7-20230703-en
Behavioral task: behavioral2
  Sample: DawnLand6.exe
  Resource: win10v2004-20230703-en
General
Target: DawnLand6.exe
Size: 10.0MB
MD5: 9fa3180810afbbb9f999e5239027fdec
SHA1: 3c3610842d1bb832cf8a422714da529708a8e6ec
SHA256: 6b937ac8b7f889100cf86a34f74ff2fbdba7b072822026ab275d2a5ee6b7b650
SHA512: 04e411cd7114b0904576f33bcb02d876136a035fcbed5ec71728e426d0fbd37d8ee0896113036745bc452482771df918885b6b0e829c49b17bf46687bc9c47d8
SSDEEP: 3072:hca9VP4bW3TRHuTMGidsptIGT31qrIf//3x5cJKy9g/kdLUVgKuOiyb:hxP44Huwc31qrw/fx5uRdLAgKu58
Malware Config
Extracted: redline
  DAwnLand
  212.113.116.143:23052
  auth_value: 8fc5b8d18171bebfcf117ba0aad639d2
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 1020 set thread context of 2720  1020  powershell.exe  35
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1020  powershell.exe
  2720  AppLaunch.exe
  2720  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1020  powershell.exe
  Token: SeDebugPrivilege  2720  AppLaunch.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description                       pid   Process         procid_target
  PID 2368 wrote to memory of 2292  2368  DawnLand6.exe   29
  PID 2368 wrote to memory of 2292  2368  DawnLand6.exe   29
  PID 2368 wrote to memory of 2292  2368  DawnLand6.exe   29
  PID 2368 wrote to memory of 2292  2368  DawnLand6.exe   29
  PID 2292 wrote to memory of 1020  2292  cmd.exe         30
  PID 2292 wrote to memory of 1020  2292  cmd.exe         30
  PID 2292 wrote to memory of 1020  2292  cmd.exe         30
  PID 2292 wrote to memory of 1020  2292  cmd.exe         30
  PID 1020 wrote to memory of 892   1020  powershell.exe  31
  PID 1020 wrote to memory of 892   1020  powershell.exe  31
  PID 1020 wrote to memory of 892   1020  powershell.exe  31
  PID 1020 wrote to memory of 892   1020  powershell.exe  31
  PID 892 wrote to memory of 3008   892   csc.exe         32
  PID 892 wrote to memory of 3008   892   csc.exe         32
  PID 892 wrote to memory of 3008   892   csc.exe         32
  PID 892 wrote to memory of 3008   892   csc.exe         32
  PID 1020 wrote to memory of 2032  1020  powershell.exe  33
  PID 1020 wrote to memory of 2032  1020  powershell.exe  33
  PID 1020 wrote to memory of 2032  1020  powershell.exe  33
  PID 1020 wrote to memory of 2032  1020  powershell.exe  33
  PID 2032 wrote to memory of 2184  2032  csc.exe         34
  PID 2032 wrote to memory of 2184  2032  csc.exe         34
  PID 2032 wrote to memory of 2184  2032  csc.exe         34
  PID 2032 wrote to memory of 2184  2032  csc.exe         34
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
  PID 1020 wrote to memory of 2720  1020  powershell.exe  35
Processes
- C:\Users\Admin\AppData\Local\Temp\DawnLand6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DawnLand6.exe"
  PID: 2368
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command -
    PID: 2292
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command -
      PID: 1020
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\icise5du.cmdline"
        PID: 892
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC42FA.tmp"
          PID: 3008
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\coe0giwo.cmdline"
        PID: 2032
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A0D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A0C.tmp"
          PID: 2184
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        PID: 2720
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads