Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/11/2024, 01:50

General

  • Target

    f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe

  • Size

    2.2MB

  • MD5

    a7fadc5ffccd272e1f3e5dc1717926de

  • SHA1

    d7ec968dbd537158f91b3493fd5f6657e7572836

  • SHA256

    f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff

  • SHA512

    a297600ba51c2ffa19ddcf0183a949393ea138240cb404ad38b4f90aaaf2dbec2cc8e4cc3f32678ae01e65653f18d91782fde4e3f54789c161986f2561d981d7

  • SSDEEP

    49152:V5OXoeI6Fye8Aivbktejn/dGiGf/vkADafh2KdOTD5Q1f:V5Youevbk2ngiwFafhLOT9Q1

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.210.137.6:47909

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe
    "C:\Users\Admin\AppData\Local\Temp\f7a1329e5d2d787c17e5357dfe8242f14dc9e1faf5981a1a4d9d8d1d6511f9ff.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\Temp\123.exe
      "C:\Windows\Temp\123.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 256
        3⤵
        • Program crash
        PID:2772
    • C:\Windows\Temp\321.exe
      "C:\Windows\Temp\321.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 236
        3⤵
        • Program crash
        PID:2800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1972 -ip 1972
    1⤵
      PID:4060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3532 -ip 3532
      1⤵
        PID:2476

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Temp\123.exe

        Filesize

        515KB

        MD5

        1244eae9b1995837eb39eecdd646fbc6

        SHA1

        1b6edf0cdf255b7d3267d58816ecc36b19c9d32a

        SHA256

        777d9fc3cf159b1554720893800d7ea5289995778744257c4fa34a678d2c43b5

        SHA512

        e302df8763863ceca10fd7df2ae07cc532193c12e72a2920b3620310525c0d1a6c0aee2c9f6a702d5419c61999df52d12f2109e0081eab23dfa27a6add068dd0

      • C:\Windows\Temp\321.exe

        Filesize

        2.9MB

        MD5

        f291aa00046d70c3f20bef3bcdb74053

        SHA1

        0741b75321f0f140954db48b401f061ac932d246

        SHA256

        c3897c2a1c41dded26b54515782fb189862938b56fb48f75f3e7fbc7360ab8e5

        SHA512

        b66b2cdcdd989ec28407957865269d818f619834b3cf3149b8fe66c2969acddb43b742242d1a230eb9a3ed6f710078206b4025e60e1611a7e5c0e85083871568

      • memory/1960-44-0x0000000000400000-0x0000000000690000-memory.dmp

        Filesize

        2.6MB

      • memory/1960-32-0x0000000000400000-0x0000000000690000-memory.dmp

        Filesize

        2.6MB

      • memory/1972-17-0x00000000007BD000-0x00000000007BE000-memory.dmp

        Filesize

        4KB

      • memory/3532-31-0x0000000000B9C000-0x0000000000B9D000-memory.dmp

        Filesize

        4KB

      • memory/3640-24-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

        Filesize

        4KB

      • memory/3640-27-0x0000000004B90000-0x0000000004BA2000-memory.dmp

        Filesize

        72KB

      • memory/3640-28-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

        Filesize

        240KB

      • memory/3640-29-0x0000000074C80000-0x0000000075430000-memory.dmp

        Filesize

        7.7MB

      • memory/3640-30-0x0000000004D60000-0x0000000004DAC000-memory.dmp

        Filesize

        304KB

      • memory/3640-25-0x00000000050D0000-0x00000000056E8000-memory.dmp

        Filesize

        6.1MB

      • memory/3640-26-0x0000000004C50000-0x0000000004D5A000-memory.dmp

        Filesize

        1.0MB

      • memory/3640-19-0x0000000000380000-0x00000000003B2000-memory.dmp

        Filesize

        200KB

      • memory/3640-45-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

        Filesize

        4KB

      • memory/3640-46-0x0000000074C80000-0x0000000075430000-memory.dmp

        Filesize

        7.7MB