Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 02:04
Static task
static1
Behavioral task
behavioral1
Sample
5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe
Resource
win10v2004-20241007-en
General
-
Target
5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe
-
Size
586KB
-
MD5
96345dc7842307368fd315162ae51873
-
SHA1
b84e076b1492c48a21e3ebf98d7fac8fb1a258d6
-
SHA256
5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5
-
SHA512
07eecf80c62e78cb9abf2693252d61c2a43f607a8602f4db7a37ed8a04c5443b5a68cadeb44f3beb08651f61aa4016baa1f11e81890958ffe86a852212c4687f
-
SSDEEP
12288:WMV1C968rngo5WRem+A47x9IyZEZxOrOlW4y34:Wg1iag97x9BZEZQilW49
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/2624-2148-0x00000000027A0000-0x00000000027D2000-memory.dmp family_redline behavioral1/files/0x0007000000012118-2151.dat family_redline behavioral1/memory/9528-2157-0x0000000000B30000-0x0000000000B5E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
pid Process 9528 1.exe -
Loads dropped DLL 1 IoCs
pid Process 2624 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2624 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2624 wrote to memory of 9528 2624 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe 30 PID 2624 wrote to memory of 9528 2624 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe 30 PID 2624 wrote to memory of 9528 2624 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe 30 PID 2624 wrote to memory of 9528 2624 5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe"C:\Users\Admin\AppData\Local\Temp\5257844de1ca4bdb3974a856842bdfd215402589fa9c42f39bbc402328d158e5.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9528
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1