Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

winPEASx64.exe

windows10-2004-x64

10

Resubmissions

13/01/2024, 21:43

240113-1ky99sfff4 10

09/01/2024, 23:22

240109-3cxgtaacbp 10

Analysis

  • max time kernel
    1155s
  • max time network
    1160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winPEASx64.exe

  • Size

    2.3MB

  • MD5

    7defdd1c67017a91e79405eac2d1ccfa

  • SHA1

    fc9af9a4994203c4edb8a63a2a4583cb1bf925d8

  • SHA256

    c8cbded62a574f562801ab063cae6550caad82bd1e36556dfb2b1f9b594ec642

  • SHA512

    bdb85c3b23fe46d3664b0286da52f6afdea200014f9883d898e60b503476e6eebda1d39ec185d320813ac41d7555cde1c1c946fa04e235fcbad51823b0c8d987

  • SSDEEP

    24576:0cjmcTjtzOkZ/YAhL8vx/KPqti36hBKNKkThXHf5gULzs:zmcFHtY4L8vk+xQ4kBHf5gi

Score
10/10
redlinediscoveryevasioninfostealerspywarestealertrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe
    "C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe"
    1⤵
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SYSTEM32\systeminfo.exe
      "systeminfo.exe"
      2⤵
      • Gathers system information
      PID:3912
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" wlan show profiles
      2⤵
        PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4272

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgv4doja.yfe.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2164-4-0x000001D93D9A0000-0x000001D93D9B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-1-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2164-3-0x000001D93D920000-0x000001D93D96A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/2164-0-0x000001D9232F0000-0x000001D92353C000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2164-10-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2164-11-0x000001D93D9A0000-0x000001D93D9B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-2-0x000001D93D9A0000-0x000001D93D9B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-155-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2164-12-0x000001D93D9A0000-0x000001D93D9B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-29-0x000001D93E940000-0x000001D93EB02000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4272-21-0x0000014009380000-0x00000140093A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4272-13-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4272-28-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4272-15-0x0000014021A90000-0x0000014021AA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4272-14-0x0000014021A90000-0x0000014021AA0000-memory.dmp

      Filesize

      64KB

      Download