Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 16/06/2024, 14:13
Static task: static1
Behavioral task: behavioral1
Sample: e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe
Resource: win7-20240508-en
General
- Target: e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe
- Size: 898KB
- MD5: 2185ecde5380054ad075b7a25ae0ea51
- SHA1: caa1b832574fc3050af5f97b6deabc21398b5c47
- SHA256: e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199
- SHA512: f31d6c4fc0b4533c0538975518a1ff703c9a62ffdb072570942245725d375b9ef27f0d65a37e3ed07cd52a11def9893c8c3e7d0edc884c5c9b602af61ad8e211
- SSDEEP: 24576:bCdL4E+j8SmRREbtuLD4DIvu18fplg+zQWxu5y0:bcL4/ruqbtuLMDQh58
Malware Config
Extracted
redline
cheat
45.137.22.67:55615
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 5 IoCs
resource / yara_rule:
- behavioral1/memory/1960-51-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline
- behavioral1/memory/1960-48-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline
- behavioral1/memory/1960-46-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline
- behavioral1/memory/1960-53-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline
- behavioral1/memory/1960-54-0x0000000000400000-0x000000000041E000-memory.dmp: family_redline

SectopRAT payload 5 IoCs
resource / yara_rule:
- behavioral1/memory/1960-51-0x0000000000400000-0x000000000041E000-memory.dmp: family_sectoprat
- behavioral1/memory/1960-48-0x0000000000400000-0x000000000041E000-memory.dmp: family_sectoprat
- behavioral1/memory/1960-46-0x0000000000400000-0x000000000041E000-memory.dmp: family_sectoprat
- behavioral1/memory/1960-53-0x0000000000400000-0x000000000041E000-memory.dmp: family_sectoprat
- behavioral1/memory/1960-54-0x0000000000400000-0x000000000041E000-memory.dmp: family_sectoprat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process:
- 2680 powershell.exe
- 2516 powershell.exe

Executes dropped EXE 2 IoCs
pid / Process:
- 1040 PO.exe
- 1960 PO.exe

Loads dropped DLL 6 IoCs
pid / Process:
- 2420 e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe (5 events)
- 1040 PO.exe (1 event)

Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target:
- PID 1040 set thread context of 1960 (pid 1040, PO.exe, procid_target 36)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 2136 schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / Process:
- 1040 PO.exe (4 events)
- 2680 powershell.exe
- 2516 powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
description / pid / Process:
- Token: SeDebugPrivilege (1040 PO.exe)
- Token: SeDebugPrivilege (2680 powershell.exe)
- Token: SeDebugPrivilege (2516 powershell.exe)
- Token: SeDebugPrivilege (1960 PO.exe)

Suspicious use of FindShellTrayWindow 1 IoCs
pid / Process:
- 2140 DllHost.exe

Suspicious use of WriteProcessMemory 25 IoCs
description / pid / Process / procid_target:
- PID 2420 wrote to memory of 1040 (pid 2420, e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe, procid_target 29), 4 events
- PID 1040 wrote to memory of 2680 (pid 1040, PO.exe, procid_target 30), 4 events
- PID 1040 wrote to memory of 2516 (pid 1040, PO.exe, procid_target 32), 4 events
- PID 1040 wrote to memory of 2136 (pid 1040, PO.exe, procid_target 34), 4 events
- PID 1040 wrote to memory of 1960 (pid 1040, PO.exe, procid_target 36), 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe (PID 1040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2680)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2516)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AJzHYZtQIb.exe"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2136)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6058.tmp"
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe (PID 1960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (PID 2140)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
  MD5: e83ccb51ee74efd2a221be293d23c69a
  SHA1: 4365ca564f7cdd7337cf0f83ac5fd64317fb4c32
  SHA256: da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc
  SHA512: 0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46
- Filesize: 1KB
  MD5: 7c5e3933f0b7f4c4ce1fe70253447920
  SHA1: adcaab89c42467e067e20edfd6df8157874330c9
  SHA256: 9b2eb0a6f742d67bad8685fe8bed9c077f29997e0adc3aaa2fcd7011de61f3d2
  SHA512: c5de2a5d768c1e00ca05c3d47756eaf0c53baf4aed6e143e55df2f7586180bc6f4f85746e8f828603312929d23e6bb3746ec21eff03dd24be8c3cb07654f7bb1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ea1d7872f7eabcbc1f818548b6d5b6f8
  SHA1: 868dac529e05a2e62ce0e22587e5e94682f98b8f
  SHA256: fd81e811fbbdf87af1abded849cfd14aad002368fd3963fc5f20d5c42375ae0b
  SHA512: 4f519d85be54a6fa3f2407887885b0f4deab372bed82ac65385273f71eae69fc18bd496fd81cbb64c67784f52833870de574d4b3ffdcae9b7da440467bab4788
- Filesize: 726KB
  MD5: 86f98523ceb67df5cc3431a839f63134
  SHA1: 160a60824e1adc4c0ffd5959341c6dae4da2e76b
  SHA256: 0e43d560502493dfade28c5822081232ee47fd42c233f9ff473c467e51297e27
  SHA512: cd6d79dbf6e8ec3663570f584760db9ac50e190b4cc6e12630cb31796a88912b26556b08e01e803d3ec06874263fbdeb9ac73c8c5cd67e2749d32eba7a23c7b7