Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

winPEASx64.exe

windows7-x64

10

winPEASx64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winPEASx64.exe

  • Size

    2.3MB

  • MD5

    1f7f204d5ca9437dbb364b7d28eb71a5

  • SHA1

    5d79c1d2e799596f32a28bb68d966b4efcd608c8

  • SHA256

    39210402176e6bf813dbff36370978a66505dc7a25008841e5225603ccbcb8e6

  • SHA512

    b0782e6c4302fdc5349266adbfcd0865735dbff4874c69e0773deec2afea6062bb37df04d6db9ce46626b9e6fb4474c2e7858556ef6af09a45ca9d1a2d9890be

  • SSDEEP

    24576:ocQmqUZRcomnDIi/W7m/EsH1LsPlNKkThXHL5gZm3T:kmDXmn8i/WaE+El4kBHL5gk

Score
10/10
redlinediscoveryevasioninfostealerspywarestealertrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe
    "C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe"
    1⤵
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\SYSTEM32\systeminfo.exe
      "systeminfo.exe"
      2⤵
      • Gathers system information
      PID:1848
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" wlan show profiles
      2⤵
        PID:3632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldn42qdq.ae5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/332-10-0x000001A9E2280000-0x000001A9E22A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3984-0-0x0000026714590000-0x00000267147DC000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/3984-1-0x00007FFCC1640000-0x00007FFCC2101000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3984-2-0x000002672EDE0000-0x000002672EDF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3984-3-0x0000026716410000-0x000002671645A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/3984-4-0x000002672EDE0000-0x000002672EDF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3984-17-0x000002672FA40000-0x000002672FC02000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3984-23-0x00007FFCC1640000-0x00007FFCC2101000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3984-24-0x000002672EDE0000-0x000002672EDF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3984-25-0x000002672EDE0000-0x000002672EDF0000-memory.dmp

      Filesize

      64KB

      Download