Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08/11/2024, 01:50
Tasks
  Static task: static1
  Behavioral task behavioral1
    Sample: f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe
    Resource: win7-20240903-en
  Behavioral task behavioral2
    Sample: f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe
    Resource: win10v2004-20241007-en
General
  Target: f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe
  Size: 2.2MB
  MD5: a7fadc5ffccd272e1f3e5dc1717926de
  SHA1: d7ec968dbd537158f91b3493fd5f6657e7572836
  SHA256: f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff
  SHA512: a297600ba51c2ffa19ddcf0183a949393ea138240cb404ad38b4f90aaaf2dbec2cc8e4cc3f32678ae01e65653f18d91782fde4e3f54789c161986f2561d981d7
  SSDEEP: 49152:V5OXoeI6Fye8Aivbktejn/dGiGf/vkADafh2KdOTD5Q1f:V5Youevbk2ngiwFafhLOT9Q1
Malware Config
  Extracted: redline
    LogsDiller Cloud (TG: @logsdillabot)
    51.210.137.6:47909
    auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/3640-19-0x0000000000380000-0x00000000003B2000-memory.dmp | family_redline

- Redline family

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | cmd.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1972 | 123.exe
  3532 | 321.exe

- Uses the VBS compiler for execution (1 TTP)

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1972 set thread context of 3640 | 1972 | 123.exe | 90
  PID 3532 set thread context of 1960 | 3532 | 321.exe | 94

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  2772 | 1972 | WerFault.exe | 85
  2800 | 3532 | WerFault.exe | 88
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 321.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  952 | cmd.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 1504 wrote to memory of 1972 | 1504 | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe | 85
  PID 1504 wrote to memory of 1972 | 1504 | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe | 85
  PID 1504 wrote to memory of 1972 | 1504 | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe | 85
  PID 1504 wrote to memory of 3532 | 1504 | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe | 88
  PID 1504 wrote to memory of 3532 | 1504 | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe | 88
  PID 1504 wrote to memory of 3532 | 1504 | f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe | 88
  PID 1972 wrote to memory of 3640 | 1972 | 123.exe | 90
  PID 1972 wrote to memory of 3640 | 1972 | 123.exe | 90
  PID 1972 wrote to memory of 3640 | 1972 | 123.exe | 90
  PID 1972 wrote to memory of 3640 | 1972 | 123.exe | 90
  PID 1972 wrote to memory of 3640 | 1972 | 123.exe | 90
  PID 3532 wrote to memory of 1960 | 3532 | 321.exe | 94
  PID 3532 wrote to memory of 1960 | 3532 | 321.exe | 94
  PID 3532 wrote to memory of 1960 | 3532 | 321.exe | 94
  PID 3532 wrote to memory of 1960 | 3532 | 321.exe | 94
  PID 3532 wrote to memory of 1960 | 3532 | 321.exe | 94
  PID 1960 wrote to memory of 952 | 1960 | vbc.exe | 100
  PID 1960 wrote to memory of 952 | 1960 | vbc.exe | 100
  PID 1960 wrote to memory of 952 | 1960 | vbc.exe | 100
Processes (process tree; depth in brackets)

- [1] C:\Users\Admin\AppData\Local\Temp\f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe (PID 1504)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe"
      Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  - [2] C:\Windows\Temp\123.exe (PID 1972)
        Command line: "C:\Windows\Temp\123.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3640)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          Signatures: System Location Discovery: System Language Discovery

    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 2772)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 256
          Signatures: Program crash

  - [2] C:\Windows\Temp\321.exe (PID 3532)
        Command line: "C:\Windows\Temp\321.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1960)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\cmd.exe (PID 952)
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
            Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 2800)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 236
          Signatures: Program crash

- [1] C:\Windows\SysWOW64\WerFault.exe (PID 4060)
      Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1972 -ip 1972

- [1] C:\Windows\SysWOW64\WerFault.exe (PID 2476)
      Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3532 -ip 3532
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 515KB
  MD5: 1244eae9b1995837eb39eecdd646fbc6
  SHA1: 1b6edf0cdf255b7d3267d58816ecc36b19c9d32a
  SHA256: 777d9fc3cf159b1554720893800d7ea5289995778744257c4fa34a678d2c43b5
  SHA512: e302df8763863ceca10fd7df2ae07cc532193c12e72a2920b3620310525c0d1a6c0aee2c9f6a702d5419c61999df52d12f2109e0081eab23dfa27a6add068dd0

- Filesize: 2.9MB
  MD5: f291aa00046d70c3f20bef3bcdb74053
  SHA1: 0741b75321f0f140954db48b401f061ac932d246
  SHA256: c3897c2a1c41dded26b54515782fb189862938b56fb48f75f3e7fbc7360ab8e5
  SHA512: b66b2cdcdd989ec28407957865269d818f619834b3cf3149b8fe66c2969acddb43b742242d1a230eb9a3ed6f710078206b4025e60e1611a7e5c0e85083871568