Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1155s -
max time network
1160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2024, 21:43
General
-
Target
winPEASx64.exe
-
Size
2.3MB
-
MD5
7defdd1c67017a91e79405eac2d1ccfa
-
SHA1
fc9af9a4994203c4edb8a63a2a4583cb1bf925d8
-
SHA256
c8cbded62a574f562801ab063cae6550caad82bd1e36556dfb2b1f9b594ec642
-
SHA512
bdb85c3b23fe46d3664b0286da52f6afdea200014f9883d898e60b503476e6eebda1d39ec185d320813ac41d7555cde1c1c946fa04e235fcbad51823b0c8d987
-
SSDEEP
24576:0cjmcTjtzOkZ/YAhL8vx/KPqti36hBKNKkThXHf5gULzs:zmcFHtY4L8vk+xQ4kBHf5gi
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winPEASx64.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: winPEASx64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winPEASx64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winPEASx64.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 3912 systeminfo.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe 2164 winPEASx64.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2164 winPEASx64.exe Token: SeDebugPrivilege 4272 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2164 wrote to memory of 3912 2164 winPEASx64.exe 95 PID 2164 wrote to memory of 3912 2164 winPEASx64.exe 95 PID 2164 wrote to memory of 1912 2164 winPEASx64.exe 102 PID 2164 wrote to memory of 1912 2164 winPEASx64.exe 102 PID 2164 wrote to memory of 4272 2164 winPEASx64.exe 104 PID 2164 wrote to memory of 4272 2164 winPEASx64.exe 104 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe"C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe"1⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SYSTEM32\systeminfo.exe"systeminfo.exe"2⤵
- Gathers system information
PID:3912
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" wlan show profiles2⤵PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82