Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07/07/2024, 16:15
Static task
static1
Behavioral task
behavioral1
Sample
6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe
Resource
win10v2004-20240704-en
General
-
Target
6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe
-
Size
482KB
-
MD5
a8f7b3983a78d7d80e23f611b6abdcee
-
SHA1
a7ad42f1777735581e1adeadefcdfd45c4d92162
-
SHA256
6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff
-
SHA512
5af20833a07fd610d0f70ca92b8687415b9ed7bd9b8c1c1b2c9d959da73bb085122295e3ba1d7a0a36d14aa8264b95262f66fcc22f4ea18384645768834e5830
-
SSDEEP
12288:m5V2qPu7Ja0ApqVhnKrJAJIwjZfnhBr1klpbIoWSiwPm5sb9OGu46HDsKQefaur+:tqPuU1x
Malware Config
Extracted
redline
@nmrzv88
94.228.166.68:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1900-8-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation conhost.exe -
Executes dropped EXE 9 IoCs
pid Process 1420 conhost.exe 2296 7z.exe 2632 7z.exe 2508 7z.exe 3596 7z.exe 1996 7z.exe 2036 7z.exe 2400 7z.exe 2420 Installer.exe -
Loads dropped DLL 8 IoCs
pid Process 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 2296 7z.exe 2632 7z.exe 2508 7z.exe 3596 7z.exe 1996 7z.exe 2036 7z.exe 2400 7z.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 33 pastebin.com 34 pastebin.com -
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 3760 cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2852 set thread context of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 -
pid Process 2356 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1900 MSBuild.exe 1900 MSBuild.exe 1900 MSBuild.exe 1900 MSBuild.exe 1900 MSBuild.exe 2420 Installer.exe 2356 powershell.exe 2356 powershell.exe 2420 Installer.exe 2420 Installer.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeDebugPrivilege 1900 MSBuild.exe Token: SeRestorePrivilege 2296 7z.exe Token: 35 2296 7z.exe Token: SeSecurityPrivilege 2296 7z.exe Token: SeSecurityPrivilege 2296 7z.exe Token: SeRestorePrivilege 2632 7z.exe Token: 35 2632 7z.exe Token: SeSecurityPrivilege 2632 7z.exe Token: SeSecurityPrivilege 2632 7z.exe Token: SeRestorePrivilege 2508 7z.exe Token: 35 2508 7z.exe Token: SeSecurityPrivilege 2508 7z.exe Token: SeSecurityPrivilege 2508 7z.exe Token: SeRestorePrivilege 3596 7z.exe Token: 35 3596 7z.exe Token: SeSecurityPrivilege 3596 7z.exe Token: SeSecurityPrivilege 3596 7z.exe Token: SeRestorePrivilege 1996 7z.exe Token: 35 1996 7z.exe Token: SeSecurityPrivilege 1996 7z.exe Token: SeSecurityPrivilege 1996 7z.exe Token: SeRestorePrivilege 2036 7z.exe Token: 35 2036 7z.exe Token: SeSecurityPrivilege 2036 7z.exe Token: SeSecurityPrivilege 2036 7z.exe Token: SeRestorePrivilege 2400 7z.exe Token: 35 2400 7z.exe Token: SeSecurityPrivilege 2400 7z.exe Token: SeSecurityPrivilege 2400 7z.exe Token: SeDebugPrivilege 2420 Installer.exe Token: SeDebugPrivilege 2356 powershell.exe -
Suspicious use of WriteProcessMemory 46 IoCs
description pid Process procid_target PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 2852 wrote to memory of 1900 2852 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe 86 PID 1900 wrote to memory of 1420 1900 MSBuild.exe 88 PID 1900 wrote to memory of 1420 1900 MSBuild.exe 88 PID 1900 wrote to memory of 1420 1900 MSBuild.exe 88 PID 1420 wrote to memory of 4232 1420 conhost.exe 90 PID 1420 wrote to memory of 4232 1420 conhost.exe 90 PID 4232 wrote to memory of 5088 4232 cmd.exe 92 PID 4232 wrote to memory of 5088 4232 cmd.exe 92 PID 4232 wrote to memory of 2296 4232 cmd.exe 93 PID 4232 wrote to memory of 2296 4232 cmd.exe 93 PID 4232 wrote to memory of 2632 4232 cmd.exe 94 PID 4232 wrote to memory of 2632 4232 cmd.exe 94 PID 4232 wrote to memory of 2508 4232 cmd.exe 95 PID 4232 wrote to memory of 2508 4232 cmd.exe 95 PID 4232 wrote to memory of 3596 4232 cmd.exe 96 PID 4232 wrote to memory of 3596 4232 cmd.exe 96 PID 4232 wrote to memory of 1996 4232 cmd.exe 97 PID 4232 wrote to memory of 1996 4232 cmd.exe 97 PID 4232 wrote to memory of 2036 4232 cmd.exe 98 PID 4232 wrote to memory of 2036 4232 cmd.exe 98 PID 4232 wrote to memory of 2400 4232 cmd.exe 99 PID 4232 wrote to memory of 2400 4232 cmd.exe 99 PID 4232 wrote to memory of 4536 4232 cmd.exe 100 PID 4232 wrote to memory of 4536 4232 cmd.exe 100 PID 4232 wrote to memory of 2420 4232 cmd.exe 101 PID 4232 wrote to memory of 2420 4232 cmd.exe 101 PID 4232 wrote to memory of 2420 4232 cmd.exe 101 PID 2420 wrote to memory of 3760 2420 Installer.exe 103 PID 2420 wrote to memory of 3760 2420 Installer.exe 103 PID 2420 wrote to memory of 3760 2420 Installer.exe 103 PID 3760 wrote to memory of 2356 3760 cmd.exe 105 PID 3760 wrote to memory of 2356 3760 cmd.exe 105 PID 3760 wrote to memory of 2356 3760 cmd.exe 105 PID 2420 wrote to memory of 2860 2420 Installer.exe 106 PID 2420 wrote to memory of 2860 2420 Installer.exe 106 PID 2420 wrote to memory of 2860 2420 Installer.exe 106 PID 2420 wrote to memory of 4088 2420 Installer.exe 107 PID 2420 wrote to memory of 4088 2420 Installer.exe 107 PID 2420 wrote to memory of 4088 2420 Installer.exe 107 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4536 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe"C:\Users\Admin\AppData\Local\Temp\6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\conhost.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\system32\mode.commode 65,105⤵PID:5088
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p1404753551733818025492326517 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Windows\system32\attrib.exeattrib +H "Installer.exe"5⤵
- Views/modifies file attributes
PID:4536
-
-
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe"Installer.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAEUANgBIAEcAQgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEgAQgBPAEMAWgBwAEgAZgBSAFcAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBSAEcAZAAzAE8ANQBpADcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVQB2AEQAMwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off6⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAEUANgBIAEcAQgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEgAQgBPAEMAWgBwAEgAZgBSAFcAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBSAEcAZAAzAE8ANQBpADcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVQB2AEQAMwAjAD4A"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵PID:2860
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5597" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵PID:4088
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.5MB
MD5b2e6a3d0bf3320b759c464ae6fa5b735
SHA1cc9f5de7742b9c11f7c0c0e3f9d39b0c16b38cc1
SHA256771b76ba28496c56d1d9c0fe67fdf7688a2f1b12a9eb428050551338945337a3
SHA512bf2f09aebf6d4b07ec06ce37617361e149b26d7fc2f5c0715a5e479747eb5b1f8fc615c90d1e4d8d751e05dd566819facfef8a00cfb7acb61ec588b0c23b022a
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD56dd7f70cddc4310e047032d70550f72c
SHA1e93c0d3a03dbe51eba117ea8e10bd0e8b6b27562
SHA256e92508881b6d69c45897a58b4c7dc58ee68e438979604d7f7b6f6ff71f15444d
SHA5121e6398a9739f57a3cf754a6e73f92cf67fe117440a6afe698767c578f396a4b8dab93b5568d02fa23fbcd3565b9017254625d58b1ea7a375c8537f2bab90f42c
-
Filesize
21KB
MD54265bf9f9535ebb4e1830e2a50589285
SHA1ddc45fe277a3b39179dd9e39e17d71b50a184607
SHA256c07698b4c960b60d8a3c661887d6cc1f7fe74e31a24d4c2ae95d52d1c92ce403
SHA5123a7a0a8a6b82d5e1b6c06c12250eb9b347ed024811467d6da5123f6d07a79836a4e414758cb5c708d0c96cc4a020f8743b2c1e4fa5f5ed448fc087772ab592be
-
Filesize
9KB
MD518f4fe969c4ba0517b403e28f7ad2b72
SHA19df09751ee1246db2ed6b6ed6fec87fb0891e077
SHA25606d1004f28a87b42b1d7ac23ff2e4b43d736295abc2e84740504386f40a041f4
SHA5129847b8e2b849b09a76e22ab0d76a1a7d29079676dbdf4277b712709af0ac6a6f0e3a473f144f0a8e247861111357027a758b95e4d096d24cec160192c5da32a4
-
Filesize
9KB
MD5a915fd2a4e2750ee9003e628294bf284
SHA1f9adc1e65fc3d2cf39b2c5a89030f3225e21616d
SHA2565e2e339dbee22d6c05d652646071bc81ad96a6422eb311453ca3905e7dfea285
SHA512044d5370ec915fb488cf77c1b181f5a4f89833028266f922766b782ff445f61ab85b92980d6939d0e252a368eb846def27bcdea7f029999d6854a90c793b3a5f
-
Filesize
9KB
MD54a5f569872c858ede1c0c67500cfdd6d
SHA1cdcac69d89b45a7903198467c2d2d32126c31661
SHA25688b2d9a82c911ad61f3570aa31b360ae1649b117f6495459698d724f0c9638dc
SHA512d9c6776829def517a253e9c60d0316dbc03092f850383305089dc1110b1abd19668ae47dca8188e96c6f12b66a8e5b5a783901f2115cadd5c1accf019c3bdb40
-
Filesize
9KB
MD56f7f4f7ed739e3ac5eee8d0876ff76d4
SHA19a65d52885624dc47f342b5a9875d7720540c755
SHA256b61a321a8a1f4ca1d8c52a1ad0464ac5882073ac8da7c5585f04ce2330b78acc
SHA51235cad901c3f77c58803372a2f230701469d99fb9d8b16d82b59416a62d215614ab044dcae123473cc5d9a4a09e23f2edaac53ef82bbd5b3556b9b187cff50021
-
Filesize
9KB
MD5870a5535c79edcf782551514f48d89ab
SHA1333d814d65753cdc4c4e8fb587c09af6960110d1
SHA256814a92267e0d8867932afd625f2f8e55b04b88b2cfc31e91b6e45e473f1b057d
SHA512f8743ca2f1ef2433b41adc41adf6a5836c1901bda70d5d76301cb06b471796b360544efa591c49b3a7d09eee12cef7ba20e79571f50d891d4729598210772b06
-
Filesize
1.6MB
MD5a62944686498212b290eae637729a151
SHA12053660850d3f578f7b31e5ced16069d6f9c4ee0
SHA2560bb07f0caab7e5539e7efeca5bee359d9f6b49237e0c908981d9168680fe2b3e
SHA512ae6abd482552445cbf8c308948519227b0d1a82c1b3adb4800f8c9ac32c519c8d0aee8f3b4caada26d1976b63b032aad72d95e574adf205b947dada23a5b8ad3
-
Filesize
1.6MB
MD5716459a6ceac7d310d4227ea3e9ddb59
SHA1fa27addf18c197bf5fc054bfb5ae57de1caf3382
SHA256ba5270891d3eef832fe34f9d67fbbb30ceb3873552ea859139914a6a783b0aa1
SHA5123857cc099edd99f1c20d4c4456ec4577478afcbdb6073852c6df10775a4e6de0316ab68c6dacb7212d27f49057312ba1aeb0c35e695d84832f3e9f8d61f7d8c1
-
Filesize
474B
MD5893874465a8d9f68f0684fd61e9f1d3c
SHA1866a58255ebab05d4ee2f2ed8383a6555ac1df03
SHA256e0855b82ec99b14bdfa38dacf90dadb2071e0d413c6559c752e0b2c6e8cd08c0
SHA5121cc878a3236a5ce4f3a89fae580b4d16a7842fd03dfe0a2c7d1d5da5be822528ea3826f659a70de727c9307fb15997f56b7204582043dc7efcc6c818f7aa2bd7
-
Filesize
437KB
MD5ac5eeb006d2b590f66ae7e69174d5f3a
SHA12331f0fc6f14c8bbd6a176927af84f95a946a638
SHA2569af40752470f3a82a4bb166558f0f5492269a30402458cf11af084f841cb4c49
SHA5124aff61122e0a1ebd25bd73fc9aea3272b82cb544310e243d4396c6cf9246d4b9d808e523b1a34e38ad5c41a04a6e4a6333eb62cef6d85ba5562bb36593fff443