Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e1a01751d2...99.exe

windows7-x64

10

e1a01751d2...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2024, 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe

  • Size

    898KB

  • MD5

    2185ecde5380054ad075b7a25ae0ea51

  • SHA1

    caa1b832574fc3050af5f97b6deabc21398b5c47

  • SHA256

    e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199

  • SHA512

    f31d6c4fc0b4533c0538975518a1ff703c9a62ffdb072570942245725d375b9ef27f0d65a37e3ed07cd52a11def9893c8c3e7d0edc884c5c9b602af61ad8e211

  • SSDEEP

    24576:bCdL4E+j8SmRREbtuLD4DIvu18fplg+zQWxu5y0:bcL4/ruqbtuLMDQh58

Score
10/10
redlinesectopratcheatexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.67:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe
    "C:\Users\Admin\AppData\Local\Temp\e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AJzHYZtQIb.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6058.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2136
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
    Filesize

    48KB

    MD5

    e83ccb51ee74efd2a221be293d23c69a

    SHA1

    4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

    SHA256

    da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

    SHA512

    0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp6058.tmp
    Filesize

    1KB

    MD5

    7c5e3933f0b7f4c4ce1fe70253447920

    SHA1

    adcaab89c42467e067e20edfd6df8157874330c9

    SHA256

    9b2eb0a6f742d67bad8685fe8bed9c077f29997e0adc3aaa2fcd7011de61f3d2

    SHA512

    c5de2a5d768c1e00ca05c3d47756eaf0c53baf4aed6e143e55df2f7586180bc6f4f85746e8f828603312929d23e6bb3746ec21eff03dd24be8c3cb07654f7bb1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    ea1d7872f7eabcbc1f818548b6d5b6f8

    SHA1

    868dac529e05a2e62ce0e22587e5e94682f98b8f

    SHA256

    fd81e811fbbdf87af1abded849cfd14aad002368fd3963fc5f20d5c42375ae0b

    SHA512

    4f519d85be54a6fa3f2407887885b0f4deab372bed82ac65385273f71eae69fc18bd496fd81cbb64c67784f52833870de574d4b3ffdcae9b7da440467bab4788

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    Filesize

    726KB

    MD5

    86f98523ceb67df5cc3431a839f63134

    SHA1

    160a60824e1adc4c0ffd5959341c6dae4da2e76b

    SHA256

    0e43d560502493dfade28c5822081232ee47fd42c233f9ff473c467e51297e27

    SHA512

    cd6d79dbf6e8ec3663570f584760db9ac50e190b4cc6e12630cb31796a88912b26556b08e01e803d3ec06874263fbdeb9ac73c8c5cd67e2749d32eba7a23c7b7

    Download Submit

  • memory/1040-28-0x0000000004D10000-0x0000000004D70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1040-24-0x0000000000880000-0x0000000000938000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1040-26-0x0000000001FB0000-0x0000000001FCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1040-27-0x0000000000820000-0x0000000000830000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1960-51-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1960-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1960-48-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1960-46-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1960-44-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1960-42-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1960-53-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1960-54-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2140-6-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-5-0x0000000000090000-0x0000000000092000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2140-55-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-4-0x00000000008C0000-0x00000000008C2000-memory.dmp

    Filesize

    8KB

    Download