Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

14c0a6c07b...d1.exe

windows7-x64

10

14c0a6c07b...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2024, 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14c0a6c07b5cfce1a669a3771320bad1.exe

  • Size

    1.4MB

  • MD5

    14c0a6c07b5cfce1a669a3771320bad1

  • SHA1

    40c4ff3e96551b6283afd04a2d2b96985d111c11

  • SHA256

    e713b0a5748a7b8332121f638462b2f5cef38a61f2b5ce0a7cd2c90922265397

  • SHA512

    cae7e53b1f4093b1204313f2159f0b76dc1d0a3f4e1d8191489d8b60d36d3cdf847be1bfa18033f0faaaef85164e2b258752b75efd0328d5b7abdd7b3af5193c

  • SSDEEP

    24576:pM5q1YQYFXAxclMpJeh9dMRqp/urZj8jNIYQLtuqQLL/ygh:y574yN7QLtuqQLN

Score
10/10
redline3discoveryinfostealer

Malware Config

Extracted

Family

redline

Botnet

3

C2

45.15.156.86:37262

Attributes
  • auth_value

    d85366020a96552bd07acdfc49dc187c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14c0a6c07b5cfce1a669a3771320bad1.exe
    "C:\Users\Admin\AppData\Local\Temp\14c0a6c07b5cfce1a669a3771320bad1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1664-0-0x00000000004AC000-0x00000000004AD000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-9-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2804-10-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2804-11-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2804-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-3-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2804-1-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2804-12-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-13-0x0000000074A70000-0x000000007515E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2804-14-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-15-0x0000000074A70000-0x000000007515E000-memory.dmp

    Filesize

    6.9MB

    Download