Analysis
- max time kernel: 135s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2024, 08:40
Static task: static1
Behavioral task: behavioral1
  Sample: feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
  Resource: win10v2004-20241007-en
General
- Target: feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
- Size: 951KB
- MD5: e530d19a769bcd90ec3e92ebf08d68e9
- SHA1: ba44d592474de8fdb853f25fb364fe14a4779f74
- SHA256: feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36
- SHA512: 36e0b6fac19955bc2cc7c629f34577d1b0897ba4b551b5b0db3c8aec62c9ee92c15b7e1d953d79a3d6b428a31b816b7a410a2b62542d7260d97b22306e9b8f67
- SSDEEP: 24576:VouY8YFDfePwag4UuD8fb12btPSMAs+10lDgJHuA:tYZBW4uD8fxstPSMAP10lD
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
147.45.44.139:31598
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2964-31-0x0000000000090000-0x00000000000E2000-memory.dmp | family_redline
  behavioral1/memory/2964-34-0x0000000000090000-0x00000000000E2000-memory.dmp | family_redline
  behavioral1/memory/2964-33-0x0000000000090000-0x00000000000E2000-memory.dmp | family_redline
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 2680 created 1240 | 2680 | Instrumental.pif | 21
- Executes dropped EXE (2 IoCs)
  pid | Process
  2680 | Instrumental.pif
  2964 | RegAsm.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2456 | cmd.exe
  2680 | Instrumental.pif
  2964 | RegAsm.exe
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  2888 | tasklist.exe
  2684 | tasklist.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\VisitorPage | feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Instrumental.pif
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2680 | Instrumental.pif (×5)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2888 | tasklist.exe
  Token: SeDebugPrivilege | 2684 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2680 | Instrumental.pif (×3)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2680 | Instrumental.pif (×3)
- Suspicious use of WriteProcessMemory (49 IoCs)
  description | pid | Process | procid_target
  PID 1852 wrote to memory of 2456 | 1852 | feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe | 30 (×4)
  PID 2456 wrote to memory of 2888 | 2456 | cmd.exe | 32 (×4)
  PID 2456 wrote to memory of 2892 | 2456 | cmd.exe | 33 (×4)
  PID 2456 wrote to memory of 2684 | 2456 | cmd.exe | 35 (×4)
  PID 2456 wrote to memory of 2860 | 2456 | cmd.exe | 36 (×4)
  PID 2456 wrote to memory of 3016 | 2456 | cmd.exe | 37 (×4)
  PID 2456 wrote to memory of 2864 | 2456 | cmd.exe | 38 (×4)
  PID 2456 wrote to memory of 2488 | 2456 | cmd.exe | 39 (×4)
  PID 2456 wrote to memory of 2680 | 2456 | cmd.exe | 40 (×4)
  PID 2456 wrote to memory of 1064 | 2456 | cmd.exe | 41 (×4)
  PID 2680 wrote to memory of 2964 | 2680 | Instrumental.pif | 42 (×9)
Processes
- C:\Windows\Explorer.EXE
  Command: C:\Windows\Explorer.EXE
  PID: 1240
  - C:\Users\Admin\AppData\Local\Temp\feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 1852
    - C:\Windows\SysWOW64\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" /k move Kathy Kathy.cmd & Kathy.cmd & exit
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2456
      - C:\Windows\SysWOW64\tasklist.exe
        Command: tasklist
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        PID: 2888
      - C:\Windows\SysWOW64\findstr.exe
        Command: findstr /I "wrsa.exe opssvc.exe"
        Signatures: System Location Discovery: System Language Discovery
        PID: 2892
      - C:\Windows\SysWOW64\tasklist.exe
        Command: tasklist
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        PID: 2684
      - C:\Windows\SysWOW64\findstr.exe
        Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        Signatures: System Location Discovery: System Language Discovery
        PID: 2860
      - C:\Windows\SysWOW64\cmd.exe
        Command: cmd /c md 473722
        Signatures: System Location Discovery: System Language Discovery
        PID: 3016
      - C:\Windows\SysWOW64\findstr.exe
        Command: findstr /V "LucasAlliedFooGraph" Armor
        Signatures: System Location Discovery: System Language Discovery
        PID: 2864
      - C:\Windows\SysWOW64\cmd.exe
        Command: cmd /c copy /b Edinburgh + Elliott + Luxembourg + Calm + Circumstances + Holders 473722\f
        Signatures: System Location Discovery: System Language Discovery
        PID: 2488
      - C:\Users\Admin\AppData\Local\Temp\473722\Instrumental.pif
        Command: Instrumental.pif f
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        PID: 2680
      - C:\Windows\SysWOW64\choice.exe
        Command: choice /d y /t 5
        Signatures: System Location Discovery: System Language Discovery
        PID: 1064
  - C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe
    Command: C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
    PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 400KB
  MD5: 9c49b4a1f3a17bf4e3e1bc660f245e6c
  SHA1: 12aa8f0438d64b13c9e7d6886c9d431c89e7f95a
  SHA256: 06922a1830ea25238ef27d3e47d18f96a003fda2f5ac166b7134a68b180c2363
  SHA512: 4f931896327101250c10e3bf0d4c599714adfa73dfba4cf4e5f052d815fb6b11336044ab27e854bbf6d0452e1edb7ddb127c06013538760bc8f52f51d2c84740
- Filesize: 393B
  MD5: 539436411a91ffff5f656b26255c8626
  SHA1: 671cee8628e8cf7658c2705018203b6c2c77b149
  SHA256: 90ea0b7abbd52a052ff34a28e840821a87f36676952eb89fa50ea813d2ade6ef
  SHA512: 52b7926540393f9e82724d7291f438b9a58ea09128821f2847d29fdd9fc6e1334cbae26e093d321abd88052780feee358145379ffa02a6cb3858ab11f94ecab6
- Filesize: 55KB
  MD5: caf941605fb0c9b10e1ac279eee961ac
  SHA1: 7d88fee90d42f11540810d458c73dfe41b9ab85c
  SHA256: 3c29f332850330bcebab673d0bd18b3313eacd7576d5cf8effd158169cca4a34
  SHA512: bed8761b7644b505ca45af83391398dd3d303759779e6ba24743cf7681b5053734989a0c0a9fe586da4bfda12e2dda401cd886963d42da2896e65af1561e3227
- Filesize: 90KB
  MD5: acbcde3c125a72ebd6a2ae8315f50b63
  SHA1: 9a1548555b64caf4b0f7e2e14a1b30e700c81552
  SHA256: 3cc341685fded40e7973a6918312e174f7e9ee3c9f3fd32420f2b1cb21109361
  SHA512: 98c8b3972715f6f3cd889ac3e7471f667ab98082a1cb5a5eb815665005e7d9e872bb8f2a2acaa97879c85cc797b48d17c86e39feaa3ea72a109928c4994d44bd
- Filesize: 67KB
  MD5: a2773a9de9c8deb990a654e343f1258d
  SHA1: cc83f93154c2cd956ee2bbd10f974c1db7cd91c8
  SHA256: b64170d3071397e910f47f9f298abc22c33841f759b8ee9d999c6a27a2a4a2c0
  SHA512: e5787a49fc0ecac8a325774d15c82d2dd27be981b12550a323304a703c7a20e171d08a1a384162a7a37d8e262f8ae7776e01886b845c4d7bf1342ae59da3c164
- Filesize: 67KB
  MD5: a9f377ceb60f84537bbaf960970cca82
  SHA1: 07bc24abaab9953be6018f92566b37f107e908a3
  SHA256: 3cf292881045f3d50364f423aca2fbd87e6f7339fe8db36568a1dd4b78a0b842
  SHA512: 3a30429a589776f430442b7cbbba3fb73a9891fb01e469ae59e3ee0479c90052d38223f102d1959b3b32589df8d14c13c55f765572845fbe67f2ea65b251c9fd
- Filesize: 32KB
  MD5: 30d6715fcb0d2ecea58ef12c55f47667
  SHA1: c9db2ae4074ddb7379bbb4f6839b8321be526fa0
  SHA256: 0e1b8db2db7933870edaa0bccdc6a606f6e55597dde8f99638928f91728ea272
  SHA512: 9b7e3c1855a300b41ba965a08dfbd396337870121151822b67d1bfe8a2d8aa03d7360952dee799445c2c6ccd93ce58808534f5c891d51761e21f9ce5da0bb44b
- Filesize: 13KB
  MD5: c4981f3a5228cb7df18526017be817c6
  SHA1: 1c3691bfea44a197df09841784cdcaf7cbae3ec5
  SHA256: d40d6e421976295250834db769af750c92012dcc88dc65507681faf6e4330c19
  SHA512: 21d3bc72be1b6cab6e0f85a805ab7fde23cc18d856f32b692ad6845f04fad93255b21ebffb2572543c43e8124e9b78fa79ae900bfb7145013fb305bc94d22c01
- Filesize: 872KB
  MD5: fc1fceed4119e874078b3a5fd502477d
  SHA1: cddaf83c2aa7bab873ff8b9e3781c338645c81ac
  SHA256: 28d4a2a735bf820c7c4e48017ed1c0cbcc9351820fa561861b10f86a0022bf76
  SHA512: 5ec2f9c90500f8d118bc170da95caf09d88bc75f5f1f6d83866c7baa108bfaa74a4fc3d853cdf073430daae68810908514cf02dc4f6c5b5a1675efbcef34760a
- Filesize: 89KB
  MD5: 1c809e014a5fbf2c2782f00fc96140cd
  SHA1: 4d35a46db91a9cd4118ed05063f5db8adc885e34
  SHA256: 11c9db0ee88e1de82a3a745db8d9d6acf23ad120e18cfb308ad5a538c8868f0d
  SHA512: 060e05889fead6912c67f1fcfb7649996a43d86768cd8f0823572884f93fb6bf50bd3fafa5dad7e3509d5e43431c38cee9675e34f89a24d837b7ec440ded7cdb
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 63KB
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab