Analysis

max time kernel: 137s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2024, 11:43
Static task: static1

Behavioral task: behavioral1
  Sample: 6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe
  Resource: win10v2004-20241007-en
General

Target: 6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe
Size: 2.2MB
MD5: cc3b838c63e0b872e8d82e907e327870
SHA1: 329cd955e1d242cefbf122e3c68c3b35fb74d96f
SHA256: 6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc
SHA512: e27785e788de4d44ca1717e2ace0a61d0e3c66da3ffac657885e4a85e4354697f6d9ed51ac1a7bf4f10482c6b7a1ffe5f5a6f434d065686b9c275e8c6eacc9fd
SSDEEP: 49152:V5O4DcuKF5i8avmG9OAhZVyMIdLTPf4Ut3qUqO6m:V5NRyG95ZgRdLTPf43rq
Malware Config

Extracted
Family: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 51.210.137.6:47909
Attributes
auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2952-36-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
behavioral1/memory/2952-57-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
behavioral1/memory/2952-56-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid   Process
1976  123.exe
2796  321.exe

Loads dropped DLL (14 IoCs; identical rows collapsed, count in the last column)
pid   Process                                                                rows
1832  6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe  8
2668  WerFault.exe                                                           3
2684  WerFault.exe                                                           3

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
pid   Process   target pid  procid_target
1976  123.exe   2952        34
2796  321.exe   2740        35

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
2668  1976        WerFault.exe  30
2684  2796        WerFault.exe  32

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  123.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  321.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe

Suspicious use of WriteProcessMemory (32 IoCs; identical rows collapsed in order of first appearance, count in the last column)
pid   Process                                                                target pid  procid_target  rows
1832  6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe  1976        30             4
1832  6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe  2796        32             4
2796  321.exe                                                                2740        35             6
1976  123.exe                                                                2952        34             6
1976  123.exe                                                                2668        36             4
2796  321.exe                                                                2684        37             4
2740  vbc.exe                                                                556         38             4
Processes

C:\Users\Admin\AppData\Local\Temp\6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe (PID 1832)
  command line: "C:\Users\Admin\AppData\Local\Temp\6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\Temp\123.exe (PID 1976)
      command line: "C:\Windows\Temp\123.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2952)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe (PID 2668)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 36
          - Loads dropped DLL
          - Program crash

    C:\Windows\Temp\321.exe (PID 2796)
      command line: "C:\Windows\Temp\321.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2740)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe (PID 556)
              command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
              - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe (PID 2684)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 36
          - Loads dropped DLL
          - Program crash
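The WriteProcessMemory, SetThreadContext and memory YARA rows above, joined with the process tree, are enough to reconstruct how the payload reaches vbc.exe. The script below is an added example, not part of the tria.ge report and not tria.ge's own code: it parses a subset of those rows (copied from the report; the row layout the regexes expect is an assumption read off the rendered text) and flags every parent/child pair in which the parent both wrote the child's memory and reset its thread context, which is the call pair that characterises process hollowing. It then attaches any family rule hit recorded in the child's memory dump.

```python
import re
from collections import defaultdict

SAMPLE = "6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe"

# Rows copied from the report's signature tables. The WriteProcessMemory rows are
# a subset (the report lists one row per call, 32 in total); a few repeats are kept
# so the per-pair count still shows that the hollowed children get several writes.
WRITE_ROWS = f"""
PID 1832 wrote to memory of 1976 1832 {SAMPLE} 30
PID 1832 wrote to memory of 2796 1832 {SAMPLE} 32
PID 2796 wrote to memory of 2740 2796 321.exe 35
PID 2796 wrote to memory of 2740 2796 321.exe 35
PID 1976 wrote to memory of 2952 1976 123.exe 34
PID 1976 wrote to memory of 2952 1976 123.exe 34
PID 1976 wrote to memory of 2952 1976 123.exe 34
PID 1976 wrote to memory of 2668 1976 123.exe 36
PID 2796 wrote to memory of 2684 2796 321.exe 37
PID 2740 wrote to memory of 556 2740 vbc.exe 38
"""
CTX_ROWS = """
PID 1976 set thread context of 2952 1976 123.exe 34
PID 2796 set thread context of 2740 2796 321.exe 35
"""
YARA_ROWS = """
behavioral1/memory/2952-36-0x0000000000400000-0x0000000000432000-memory.dmp family_redline
behavioral1/memory/2952-57-0x0000000000400000-0x0000000000432000-memory.dmp family_redline
"""
# pid -> image name, taken from the report's process tree.
PROCS = {
    1832: SAMPLE, 1976: "123.exe", 2952: "vbc.exe", 2668: "WerFault.exe",
    2796: "321.exe", 2740: "vbc.exe", 556: "cmd.exe", 2684: "WerFault.exe",
}

# Assumed row layouts (read off the rendered report, not a documented format):
#   "PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>"
#   "PID <pid> set thread context of <target> <pid> <Process> <procid_target>"
# The \1 backreference checks that the pid column repeats the pid in the text.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 \S+ \d+$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 \S+ \d+$")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\S+)$")


def parse_edges(rows, pattern):
    """Return {(actor_pid, target_pid): row_count} for every row in `rows`."""
    edges = defaultdict(int)
    for line in rows.strip().splitlines():
        m = pattern.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(edges)


def parse_yara(rows):
    """Return {pid: {(start, end, rule)}} from the memory-dump YARA hits."""
    hits = defaultdict(set)
    for line in rows.strip().splitlines():
        m = YARA_RE.search(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        hits[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return dict(hits)


def find_hollowing(write_edges, ctx_edges, yara_hits, procs):
    """Flag parent->child pairs with both WriteProcessMemory and SetThreadContext:
    the parent writes a new image into the child and then points the child's
    primary thread at it. Writes with no thread-context change (the droppers
    feeding WerFault.exe, vbc.exe starting cmd.exe) are ordinary process creation
    or crash handling and are not flagged."""
    findings = []
    for parent, child in sorted(ctx_edges):
        if (parent, child) not in write_edges:
            continue
        hits = yara_hits.get(child, set())
        findings.append({
            "parent": parent, "parent_image": procs.get(parent, "?"),
            "child": child, "child_image": procs.get(child, "?"),
            "writes": write_edges[(parent, child)],
            "families": sorted({rule for _, _, rule in hits}),
            "regions": sorted({(s, e) for s, e, _ in hits}),
        })
    return findings


def render(findings):
    """One human-readable line per flagged pair."""
    lines = []
    for f in findings:
        fam = ", ".join(f["families"]) or "no family rule hit in the dump"
        reg = ", ".join(f"0x{s:x}-0x{e:x}" for s, e in f["regions"]) or "-"
        lines.append(f"{f['parent_image']} (PID {f['parent']}) -> {f['child_image']} "
                     f"(PID {f['child']}): {f['writes']} write rows, thread context reset; "
                     f"payload: {fam} at {reg}")
    return lines


if __name__ == "__main__":
    result = find_hollowing(parse_edges(WRITE_ROWS, WRITE_RE),
                            parse_edges(CTX_ROWS, CTX_RE),
                            parse_yara(YARA_ROWS), PROCS)
    print("\n".join(render(result)))
```

Run against the rows copied here, the script flags exactly the two pairs the report shows: 123.exe (1976) into vbc.exe (2952) and 321.exe (2796) into vbc.exe (2740). vbc.exe is the Microsoft-signed Visual Basic .NET command-line compiler, which is why it makes a convenient hollowing host. Only the first child carries the RedLine image, at 0x400000-0x432000, the default image base of a hollowed 32-bit executable; the second child has no family hit and instead runs cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe, so it is a different stage than the stealer. Both droppers crash after injecting (WerFault.exe -p 1976 and -p 2796), and their writes into WerFault.exe are crash reporting rather than injection, which is why the heuristic insists on the thread-context change as well as the write. SetThreadContext is also used by debuggers, so neither signal alone is conclusive.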
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 504KB
MD5: 30331fd0ead4694da45325fc19fabc3a
SHA1: d73c2c4fad06dbcbae7615aa4c88909326fd89cb
SHA256: ffa25629021b6056a0477a1ea816182b357b11e78dcf4b5964bd0e56acc3d90f
SHA512: a0bd2c3e3199ad47ef3ee10ea5d5b6ba70e97863f4ba75d43f07d2896df2ad4766a6d71a5169641624f459d9c19c26443336f8acf20c062db107ccdca0d0f213

File 2
Filesize: 2.9MB
MD5: af3c3bab7b9b07a797f515cbeaaba227
SHA1: e25c60acc5c55e7660820f66b96d7d0a9052b2cd
SHA256: 65b145d3c64d33b0c57bb023cdeb1995e57dd2ca99c6ad45ece43704bd14e12d
SHA512: 07a71d774c22cef1bd86d1cc56a4dd718b8b8293ec4a5babcdbf4338cbd22a455cc3c918312a7323638be2cd5f21eab3b16401a0eb3f4b30e38543dd4d6f2d24