Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    132s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/11/2024, 10:06

General

  • Target

    25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe

  • Size

    2.1MB

  • MD5

    dac6eda1fe997400f98cebc36aa13301

  • SHA1

    4c589bbaa0ac59da4060db5452cc85f69aaa81f4

  • SHA256

    25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c

  • SHA512

    2f088a83f4ea6836b4bfbb56e19942ecaa513915044e630dd2b08b023080a94eefb53c3fcea4c4a662fd8825a1eb90b47ab27e441f2b5b460b8f4f170b121371

  • SSDEEP

    49152:V5Oaj/gtjDQypipWLn2zFScR+DOeQEitnYb1m8whw:V5nj/gaypismN+DhVitnYm8z

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.89.207.166:47909

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe
    "C:\Users\Admin\AppData\Local\Temp\25480dc89d202c2d696d27081d6e965e4278a7191f7cb732520535cecbb8d44c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\Temp\123.exe
      "C:\Windows\Temp\123.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 48
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2424
    • C:\Windows\Temp\321.exe
      "C:\Windows\Temp\321.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 48
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\Temp\123.exe

    Filesize

    1.3MB

    MD5

    528886eb080a687c38e4aea8bc760ced

    SHA1

    777aef713f53cc4a3f580d301b64f3a26dfe3b04

    SHA256

    30367c11ad9a8da6a3537fcd595979a45861abebdd3bbbc2fe5420fc39998edb

    SHA512

    c9957d3bb235f1b25d447e86db0def97a1e84b4a7c96d702a8c8e961f68b0e384e7c0d2b9240a866a228441bb99c974075d844f68521b741ccc4a862c03c8362

  • \Windows\Temp\321.exe

    Filesize

    3.7MB

    MD5

    c6412b4b3f614547677ec67caf32a28a

    SHA1

    f2f05e899dc2c48e75851b6e296e8ef755db806a

    SHA256

    c432d95fd646cf432aa2705683c76862eddfc65ece30790ed90d86391d124b03

    SHA512

    ad586a95d18b043d91dbbec2833143e1c8aa1e49097d9b0509de87f853ef4479642d68b342bc8390d934b376fe885d1cb13a265a490739ae52252c8565f0b24f

  • memory/1860-48-0x0000000000400000-0x0000000000690000-memory.dmp

    Filesize

    2.6MB

  • memory/1860-45-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1860-47-0x0000000000400000-0x0000000000690000-memory.dmp

    Filesize

    2.6MB

  • memory/1860-39-0x0000000000400000-0x0000000000690000-memory.dmp

    Filesize

    2.6MB

  • memory/2724-32-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2724-28-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2724-35-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2724-34-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2724-27-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/2764-26-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB