Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2023, 17:10
Static task: static1
Behavioral task: behavioral1
- Sample: 5bec555084177862a21eba17b75d068f.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: 5bec555084177862a21eba17b75d068f.exe
- Resource: win10v2004-20230703-en
General
- Target: 5bec555084177862a21eba17b75d068f.exe
- Size: 1.6MB
- MD5: 5bec555084177862a21eba17b75d068f
- SHA1: 5492298dc817a9d9cf2af44b7c228770541da2ce
- SHA256: c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
- SHA512: cd5809d3f40e944177e0e8d64a2df71d60872cbe41cab8b530eacecfa2615646dbd53ad035659e384ac1bdad9841e7495c5cb44bd17698863bc3efab0514abb9
- SSDEEP: 12288:hzFb61WSg1Hf4J/gjbrVkH0HprhYkfDFQJ2i1Z/cqOWehbDFuDjR8j97OM+fwQ:tr1HfY/gjbrVrB8/cqOWaDHkbfw
Malware Config
Extracted
- family: redline
- botnet: 1red1
- C2: 77.246.110.195:8599
- auth_value: 743c159c0234992dee4975bf5855347b
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description                         pid   Process                                   procid_target
  PID 1856 set thread context of 2548 1856  5bec555084177862a21eba17b75d068f.exe      29
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1968  1856        WerFault.exe  27
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2548  AppLaunch.exe
  2548  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2548  AppLaunch.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                      pid   Process                               procid_target
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 2548 1856  5bec555084177862a21eba17b75d068f.exe  29
  PID 1856 wrote to memory of 1968 1856  5bec555084177862a21eba17b75d068f.exe  30
  PID 1856 wrote to memory of 1968 1856  5bec555084177862a21eba17b75d068f.exe  30
  PID 1856 wrote to memory of 1968 1856  5bec555084177862a21eba17b75d068f.exe  30
  PID 1856 wrote to memory of 1968 1856  5bec555084177862a21eba17b75d068f.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\5bec555084177862a21eba17b75d068f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bec555084177862a21eba17b75d068f.exe"
  PID: 1856
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2548
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 96
    PID: 1968
    - Program crash