Analysis
  max time kernel:  132s
  max time network: 141s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        10/11/2024, 10:06
Static task: static1

Behavioral task: behavioral1
  Sample:   25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  Resource: win10v2004-20241007-en
General
  Target: 25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  Size:   2.1MB
  MD5:    dac6eda1fe997400f98cebc36aa13301
  SHA1:   4c589bbaa0ac59da4060db5452cc85f69aaa81f4
  SHA256: 25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c
  SHA512: 2f088a83f4ea6836b4bfbb56e19942ecaa513915044e630dd2b08b023080a94eefb53c3fcea4c4a662fd8825a1eb90b47ab27e441f2b5b460b8f4f170b121371
  SSDEEP: 49152:V5Oaj/gtjDQypipWLn2zFScR+DOeQEitnYb1m8whw:V5nj/gaypismN+DhVitnYm8z
Malware Config
  Extracted: redline
    LogsDiller Cloud (TG: @logsdillabot)
    51.89.207.166:47909
    auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2724-28-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
  behavioral1/memory/2724-35-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
  behavioral1/memory/2724-34-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline

Redline family

Executes dropped EXE (2 IoCs)
  pid   Process
  2764  123.exe
  2772  321.exe

Loads dropped DLL (12 IoCs)
  pid   Process
  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  2424  WerFault.exe
  2424  WerFault.exe
  2424  WerFault.exe
  2128  WerFault.exe
  2128  WerFault.exe
  2128  WerFault.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process  procid_target
  PID 2764 set thread context of 2724  2764  123.exe  34
  PID 2772 set thread context of 1860  2772  321.exe  36

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2424  2764        WerFault.exe  30
  2128  2772        WerFault.exe  32

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  123.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  321.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description                       pid   Process                                                                procid_target
  PID 1992 wrote to memory of 2764  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  30
  PID 1992 wrote to memory of 2764  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  30
  PID 1992 wrote to memory of 2764  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  30
  PID 1992 wrote to memory of 2764  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  30
  PID 1992 wrote to memory of 2772  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  32
  PID 1992 wrote to memory of 2772  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  32
  PID 1992 wrote to memory of 2772  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  32
  PID 1992 wrote to memory of 2772  1992  25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  32
  PID 2764 wrote to memory of 2724  2764  123.exe                                                                34
  PID 2764 wrote to memory of 2724  2764  123.exe                                                                34
  PID 2764 wrote to memory of 2724  2764  123.exe                                                                34
  PID 2764 wrote to memory of 2724  2764  123.exe                                                                34
  PID 2764 wrote to memory of 2724  2764  123.exe                                                                34
  PID 2764 wrote to memory of 2724  2764  123.exe                                                                34
  PID 2764 wrote to memory of 2424  2764  123.exe                                                                35
  PID 2764 wrote to memory of 2424  2764  123.exe                                                                35
  PID 2764 wrote to memory of 2424  2764  123.exe                                                                35
  PID 2764 wrote to memory of 2424  2764  123.exe                                                                35
  PID 2772 wrote to memory of 1860  2772  321.exe                                                                36
  PID 2772 wrote to memory of 1860  2772  321.exe                                                                36
  PID 2772 wrote to memory of 1860  2772  321.exe                                                                36
  PID 2772 wrote to memory of 1860  2772  321.exe                                                                36
  PID 2772 wrote to memory of 1860  2772  321.exe                                                                36
  PID 2772 wrote to memory of 1860  2772  321.exe                                                                36
  PID 2772 wrote to memory of 2128  2772  321.exe                                                                37
  PID 2772 wrote to memory of 2128  2772  321.exe                                                                37
  PID 2772 wrote to memory of 2128  2772  321.exe                                                                37
  PID 2772 wrote to memory of 2128  2772  321.exe                                                                37
  PID 1860 wrote to memory of 1068  1860  vbc.exe                                                                38
  PID 1860 wrote to memory of 1068  1860  vbc.exe                                                                38
  PID 1860 wrote to memory of 1068  1860  vbc.exe                                                                38
  PID 1860 wrote to memory of 1068  1860  vbc.exe                                                                38
Processes

C:\Users\Admin\AppData\Local\Temp\25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe  (PID: 1992)
  command line: "C:\Users\Admin\AppData\Local\Temp\25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Temp\123.exe  (PID: 2764)
    command line: "C:\Windows\Temp\123.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID: 2724)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe  (PID: 2424)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 48
      - Loads dropped DLL
      - Program crash

  C:\Windows\Temp\321.exe  (PID: 2772)
    command line: "C:\Windows\Temp\321.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID: 1860)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID: 1068)
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe  (PID: 2128)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 48
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
  MD5:    528886eb080a687c38e4aea8bc760ced
  SHA1:   777aef713f53cc4a3f580d301b64f3a26dfe3b04
  SHA256: 30367c11ad9a8da6a3537fcd595979a45861abebdd3bbbc2fe5420fc39998edb
  SHA512: c9957d3bb235f1b25d447e86db0def97a1e84b4a7c96d702a8c8e961f68b0e384e7c0d2b9240a866a228441bb99c974075d844f68521b741ccc4a862c03c8362

Filesize: 3.7MB
  MD5:    c6412b4b3f614547677ec67caf32a28a
  SHA1:   f2f05e899dc2c48e75851b6e296e8ef755db806a
  SHA256: c432d95fd646cf432aa2705683c76862eddfc65ece30790ed90d86391d124b03
  SHA512: ad586a95d18b043d91dbbec2833143e1c8aa1e49097d9b0509de87f853ef4479642d68b342bc8390d934b376fe885d1cb13a265a490739ae52252c8565f0b24f