Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    05/11/2024, 11:43

General

  • Target

    6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe

  • Size

    2.2MB

  • MD5

    cc3b838c63e0b872e8d82e907e327870

  • SHA1

    329cd955e1d242cefbf122e3c68c3b35fb74d96f

  • SHA256

    6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc

  • SHA512

    e27785e788de4d44ca1717e2ace0a61d0e3c66da3ffac657885e4a85e4354697f6d9ed51ac1a7bf4f10482c6b7a1ffe5f5a6f434d065686b9c275e8c6eacc9fd

  • SSDEEP

    49152:V5O4DcuKF5i8avmG9OAhZVyMIdLTPf4Ut3qUqO6m:V5NRyG95ZgRdLTPf43rq

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.210.137.6:47909

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe
    "C:\Users\Admin\AppData\Local\Temp\6d17c9629d39d317e000a48b9d9fb59ec31e3bc97b84b114170d6b62c3ba1cfc.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\Temp\123.exe
      "C:\Windows\Temp\123.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 36
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2668
    • C:\Windows\Temp\321.exe
      "C:\Windows\Temp\321.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 36
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\Temp\123.exe

    Filesize

    504KB

    MD5

    30331fd0ead4694da45325fc19fabc3a

    SHA1

    d73c2c4fad06dbcbae7615aa4c88909326fd89cb

    SHA256

    ffa25629021b6056a0477a1ea816182b357b11e78dcf4b5964bd0e56acc3d90f

    SHA512

    a0bd2c3e3199ad47ef3ee10ea5d5b6ba70e97863f4ba75d43f07d2896df2ad4766a6d71a5169641624f459d9c19c26443336f8acf20c062db107ccdca0d0f213

  • \Windows\Temp\321.exe

    Filesize

    2.9MB

    MD5

    af3c3bab7b9b07a797f515cbeaaba227

    SHA1

    e25c60acc5c55e7660820f66b96d7d0a9052b2cd

    SHA256

    65b145d3c64d33b0c57bb023cdeb1995e57dd2ca99c6ad45ece43704bd14e12d

    SHA512

    07a71d774c22cef1bd86d1cc56a4dd718b8b8293ec4a5babcdbf4338cbd22a455cc3c918312a7323638be2cd5f21eab3b16401a0eb3f4b30e38543dd4d6f2d24

  • memory/1976-32-0x0000000000A4B000-0x0000000000A4C000-memory.dmp

    Filesize

    4KB

  • memory/2740-42-0x0000000000720000-0x00000000009B0000-memory.dmp

    Filesize

    2.6MB

  • memory/2740-59-0x0000000000720000-0x00000000009B0000-memory.dmp

    Filesize

    2.6MB

  • memory/2740-34-0x0000000000720000-0x00000000009B0000-memory.dmp

    Filesize

    2.6MB

  • memory/2796-33-0x0000000000DFA000-0x0000000000DFB000-memory.dmp

    Filesize

    4KB

  • memory/2952-35-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2952-36-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2952-40-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2952-57-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2952-56-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB