Analysis

max time kernel: 138s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 00:21
Static task: static1

Behavioral task: behavioral1
Sample: 085b11ab52a6865e3b14734f517cac42.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 085b11ab52a6865e3b14734f517cac42.exe
Resource: win10v2004-20231215-en
General

Target: 085b11ab52a6865e3b14734f517cac42.exe
Size: 7.3MB
MD5: 085b11ab52a6865e3b14734f517cac42
SHA1: 02770b5a346b7bea9703cf1a0647934d4642ca76
SHA256: dda791ae03a40c12c7f67a0398be23a9334766aa82fd49145cf62072b922b9f8
SHA512: e4edb2abc1c74905332bc7d0d535eb2b46e8b6e8434e4fbfd418fe4dfd01f44e17747cf208309511907c9e3e8852c4a97d51c1f2c6c9aaeb7bd7c2e2e8873d00
SSDEEP: 196608:XPGZKb8Eo5RnrX33haMwT97EKgDVD0Yet1wJcskt:+oo3nThPm7ExVrJcX
Malware Config

Extracted
Family: redline
Botnet: AUGMY
C2: 185.140.53.142:82
Signatures

Babadeda Crypter (3 IoCs)
resource | yara_rule
behavioral1/files/0x000400000001c8e8-551.dat | family_babadeda
behavioral1/memory/2788-552-0x0000000002950000-0x0000000005950000-memory.dmp | family_babadeda
behavioral1/memory/2788-557-0x0000000002950000-0x0000000005950000-memory.dmp | family_babadeda

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2788-553-0x0000000000370000-0x000000000038E000-memory.dmp | family_redline
behavioral1/memory/2788-555-0x00000000082A0000-0x00000000082E0000-memory.dmp | family_redline

SectopRAT payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2788-553-0x0000000000370000-0x000000000038E000-memory.dmp | family_sectoprat
behavioral1/memory/2788-555-0x00000000082A0000-0x00000000082E0000-memory.dmp | family_sectoprat

Executes dropped EXE (2 IoCs)
pid | Process
2772 | irsetup.exe
2788 | lunassets.exe

Loads dropped DLL (11 IoCs)
pid | Process
2220 | 085b11ab52a6865e3b14734f517cac42.exe
2220 | 085b11ab52a6865e3b14734f517cac42.exe
2220 | 085b11ab52a6865e3b14734f517cac42.exe
2220 | 085b11ab52a6865e3b14734f517cac42.exe
2772 | irsetup.exe
2772 | irsetup.exe
2772 | irsetup.exe
2772 | irsetup.exe
2772 | irsetup.exe
2772 | irsetup.exe
2788 | lunassets.exe

resource | yara_rule
behavioral1/files/0x000d0000000122c0-3.dat | upx
behavioral1/memory/2220-5-0x0000000002D60000-0x0000000003148000-memory.dmp | upx
behavioral1/memory/2772-17-0x0000000001350000-0x0000000001738000-memory.dmp | upx
behavioral1/memory/2772-548-0x0000000001350000-0x0000000001738000-memory.dmp | upx

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2788 | lunassets.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2772 | irsetup.exe
2772 | irsetup.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2220 wrote to memory of 2772 | 2220 | 085b11ab52a6865e3b14734f517cac42.exe | 28
PID 2772 wrote to memory of 2788 | 2772 | irsetup.exe | 29
PID 2772 wrote to memory of 2788 | 2772 | irsetup.exe | 29
PID 2772 wrote to memory of 2788 | 2772 | irsetup.exe | 29
PID 2772 wrote to memory of 2788 | 2772 | irsetup.exe | 29
Processes

C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe (depth 1, PID 2220)
Command line: "C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (depth 2, PID 2772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe (depth 3, PID 2788)
    Command line: "C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 326KB
MD5: e7a789232ef503dcb4929791673009a3
SHA1: 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256: 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512: 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Filesize: 3KB
MD5: cedef94f5701b0f14e5d358caf023480
SHA1: fc717140a9dd390068bad40a70f55e502f7c66e8
SHA256: 54327b2950ffac8999f869515d44b8c6fbbe6a3764c7573518f920b8988cbf9a
SHA512: bd22f9e0f008468232529c2da1639efaddca041e61e511ea0bad2a2b7ae43c43513ea7caf5371f7f0cc88bce43ed2f8ff44f053db381545398f9e03660c453f5

Filesize: 5KB
MD5: 9325aee138a4d9a15d651920fb403ffc
SHA1: 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256: 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512: d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Filesize: 56KB
MD5: 520077fd6d03c64c735258d4d87921d8
SHA1: 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256: 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512: 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

Filesize: 87KB
MD5: 77db64e395175649374d32e386fd1033
SHA1: 1e26bbd5055d3717e7f57219f2b7c1a305f84678
SHA256: 7d841eedf45ff8a6e61e9e3bd8e03414fff2dd650eef9b8d5b9102949e2fa163
SHA512: 238ef2258060e4ff43184dfc42d523dfed7301f5f3bef4a217827059da70ec59ec173d1550b633156824c010970f95574dd62f91e72c139bd40c083527b124a0

Filesize: 40KB
MD5: 6bb017fd0eb36d878eeb2b517dbdd2d4
SHA1: a19baf92c23af80461f9d3df65c631e77033b6fa
SHA256: ec8b1f09f5bdc681a517c3d456c6def4f96e22306ad32e4e498df3da90cbc34a
SHA512: 357caf2c863aeda03a1dd230479205f697fade1f760805ee63f3e909820fb9528be2e7a99e73321f4d91a0f3b6bca1a4eefce4d64ddc68ad1ef659b46464492a

Filesize: 48KB
MD5: 8b1be6fd7fd378c367d148dfd467ecc7
SHA1: e443c97169c255b8ce210cebd170031b002a65a3
SHA256: 99bc31b06fc1855a98cf0b0a39e2b338ddb3209ee199d014747f72f588c97cf2
SHA512: 7ccc65eb2280231ffaa3cd869889443d2a0fa7399b3cd807158bc42f3549823864498fbe7cbf7bd05cca6f397142fd67c8038cdbe8a2f54a4af0e3f0a47a8bef

Filesize: 320KB
MD5: 232a9b18e9d2bffdd1fb5f636331d936
SHA1: 8d0770c54a3d0a05735c36fe1b879bd7de0bb8dc
SHA256: f94f936883a8ea7c4c49e136eea16a22f5354ef58689b0cfcc138918b05960cb
SHA512: ea30653033ce37719bb42019f8f284b9e289f376ddf2334cd0b45b06e71f281f636eebb82eaa1d16d1212b67861511eaa9c6f250bdd62ae1b20c31fbf56e8926

Filesize: 2.9MB
MD5: b3618a806089c54e05511e7708201842
SHA1: 970e5cb2d1bc00fc8f8453b3ea5cd5a00d412a97
SHA256: 13d70fd4e7d28dad80e25308f32f034b4053dfff737b8f336f872f68ae33669b
SHA512: f6d805092b966c4837c9d8b692ff046d9992a15ee42f9c5862b4e3ee0f54a81c0d49fb34f64405444e982a7f53f1259edc575e236e52fbd0535bd675e339d41a

Filesize: 1.3MB
MD5: 67e3de63a83fe58f1d7b83197324d071
SHA1: a2fbe5b95f4428c585ad718d4e983ba36111a495
SHA256: f3f5880ac2058ba3730ef5920118b05d6feb2e0af5411daff3bb50fbaf885a7a
SHA512: 52dcfc054ea9d9386bea1f8298d58f851c436a11ea211de81a016925420bdc18197f00840cd9519578051677b5ca8dfc8228a74a03edd5301bef3ca643a828c8

Filesize: 304KB
MD5: 5d67aa7bae8d8e7e18c7dcf36a1c676c
SHA1: 6a07aa8262bb378a8a643b191bd3a1deb0c6c461
SHA256: a28e1667ef79438cd9ad0bdafa495727c8a67eddf48f8c99c20e75f3c35ad1c9
SHA512: f45395b1a3495eaf4c74c01c76f24d159ed9792b273b2d44ea12806391d3adc6756ed2348aa43e7a2e178d39ceba5419ea9cb16912b283737803602dae459302

Filesize: 1.3MB
MD5: ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1: 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256: 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512: bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Filesize: 1.6MB
MD5: cd5f7a36c869ec4c3beb68777b1c1c84
SHA1: e6eaea2763e5409e2289d42beb5c891ca978b403
SHA256: 073d93ff0e38aad002d697d3a3cf494f0bd69ee6a1827b40321e31b9fac3484f
SHA512: 6edaf5c17334cb353019d20ae8954e498709429f9e7b6570e53a12703df25acee4f2292f4f702d06362e097531dadceab8d50312cb86089518503593eb58da00

Filesize: 576KB
MD5: 4a4b365835f66abd4384f34f20b05388
SHA1: 2044b61947e2b1ca7985af5b5dec38bca64959e6
SHA256: 2d659d7401e8a8ad797bb0dd67d54c7f2b6107d76b67771c8deae3901f7dbce2
SHA512: 007e030767a1b12019a630ecdda8a01e4617e6993fcf1387eb412fe045e0d2a8d2a1d11327c5771c1892da35a12df52671e7b4f6e1b68ba2f2bd72f0b7f5f854

Filesize: 2.1MB
MD5: b77eb61d1c2ac930a29181721d826c15
SHA1: 67a902ea14f29d2b9cff3e9db5c9175ba94a3301
SHA256: 0eee7d66cc0e2f307e4887797438037deb6b8f79364fc2b1d8c348a2847726aa
SHA512: dabba7fe84b768ca3fa7af52721d528bbc8b8269f8eab24cda401270aadf6d405847e80f8036d7aba2b97e4af7e2cf45ca9b5741183e4d3015bb1bd40274c1ef

Filesize: 2.3MB
MD5: 3989192312e7c6f4c092b24edee547f7
SHA1: e6964ed839a155faa8989395f9693a7583981a79
SHA256: 987298b1b45ccc87ce319fa6b0fb7b1216dc3302563a4c660202ddddac5f7e51
SHA512: 23d84b1ce2c60ab950de4e4a83fbd0d1d4feebb2f44f8d325c0a615e73e00c28b71d7e4ef5f731bcaa8f2429a7dd828d19a9e800bae673dc178511e4aa9bcdcf