Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 22:37
Static task: static1
Behavioral task: behavioral1
- Sample: 5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
- Resource: win10v2004-20241007-en
General
- Target: 5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
- Size: 1.8MB
- MD5: d59be142eb273dd2c2475932ea507be9
- SHA1: 778922a0c3449b856f1b655866fb80542277e4fa
- SHA256: 5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373
- SHA512: a65cd3061b2533d1cab10df6e7157cce8983fb1b94e30137e9ccb4cb6bad08fab4b587030e5225e17914ae8bab02add30629fd9c872274d34ed69cbdc4c92fce
- SSDEEP: 49152:V5OSyRh7E/kByJ4g3AVm5c3+12bk7vRDB3VwMylYZRD:V5yRh75W4wAycuQbk1FFwvYv
Malware Config
Extracted
- Family: redline
- Botnet: LogsDiller Cloud (TG: @logsdillabot)
- C2: 51.210.137.6:47909
- auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/1188-17-0x0000000000400000-0x0000000000432000-memory.dmp
  yara_rule: family_redline
- Redline family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2376  123.exe
  4048  321.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process  procid_target
  PID 2376 set thread context of 1188  2376  123.exe  96
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  4236  2376        WerFault.exe  84
  1812  2376        WerFault.exe  84
  3176  2376        WerFault.exe  84
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  321.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  123.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  5108  cmd.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                                                Procid_target
  PID 2312 wrote to memory of 2376  2312  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe  84
  PID 2312 wrote to memory of 2376  2312  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe  84
  PID 2312 wrote to memory of 2376  2312  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe  84
  PID 2312 wrote to memory of 4048  2312  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe  87
  PID 2312 wrote to memory of 4048  2312  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe  87
  PID 2312 wrote to memory of 4048  2312  5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe  87
  PID 4048 wrote to memory of 5108  4048  321.exe                                                                92
  PID 4048 wrote to memory of 5108  4048  321.exe                                                                92
  PID 4048 wrote to memory of 5108  4048  321.exe                                                                92
  PID 2376 wrote to memory of 1188  2376  123.exe                                                                96
  PID 2376 wrote to memory of 1188  2376  123.exe                                                                96
  PID 2376 wrote to memory of 1188  2376  123.exe                                                                96
  PID 2376 wrote to memory of 1188  2376  123.exe                                                                96
  PID 2376 wrote to memory of 1188  2376  123.exe                                                                96
Processes
- C:\Users\Admin\AppData\Local\Temp\5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe (PID 2312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\123.exe (PID 2376)
    Command line: "C:\Windows\Temp\123.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1188)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (PID 4236)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 236
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 1812)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 240
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 3176)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 280
      Signatures: Program crash
  - C:\Windows\Temp\321.exe (PID 4048)
    Command line: "C:\Windows\Temp\321.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 5108)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
      Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe (PID 4292)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376
- C:\Windows\SysWOW64\WerFault.exe (PID 2664)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2376 -ip 2376
- C:\Windows\SysWOW64\WerFault.exe (PID 404)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2376 -ip 2376
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 277KB
  MD5: 139bd936a6adeb2b74a181c601247ae8
  SHA1: 56c9287350a3ee85d3ac53e2035c888960553cb9
  SHA256: bab411dae143f5b27889ead75f9b6136320815ee8a0051bec80a0e24b38248f7
  SHA512: c24e986fb0461f8e9b51f76f4b9caaf3e9038f8620dda2b082bda524df758678b6cf210775c5e35e288d4104e0ebd110583df6986e2be77bb3902e5798b29d5a
- Filesize: 2.5MB
  MD5: dcfaf070a6a9f794614f015be1a4288d
  SHA1: 8516855f7202ec5ebf010d30e591149bd249f60e
  SHA256: 32a8cd30c365f2e24302b0fce7fdcc6300cbbabb8ffe99247612411774be49b5
  SHA512: 52979a0716f1956f889fa62212ba4923cd869011c190b80679343f01b9d6160cbb1067bbbd281688c7f0936fe5d4304c61854aaa167e0d7f79a9e511f51a80fc