Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 132s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 09:52
Static task
static1
Behavioral task
behavioral1
Sample
90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
Resource
win10v2004-20241007-en
General
Target: 90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
Size: 1.8MB
MD5: d511992136c2cda00b468ce9e30b0cf5
SHA1: e947bcc2b9e603392841fafe4fcf4c2e23fa42da
SHA256: 90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb
SHA512: dbd145f438f1b07c2051437c9c2dfff3cad2d5402abbd52df4ffc5d06b4aa6c2628bf62f3f6dc300079170adf3fc7543316eff66f4a62d13a2fd8760945d4a2d
SSDEEP: 49152:V5OzHCcQhi/kByJ4g3AVm5c3+12bk7vRDB3VwMylYZRL:V5ph3W4wAycuQbk1FFwvYf
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.210.137.6:47909
auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource                                                                    yara_rule
behavioral1/memory/2372-35-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
behavioral1/memory/2372-34-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
behavioral1/memory/2372-28-0x0000000000400000-0x0000000000432000-memory.dmp  family_redline
Redline family
-
Executes dropped EXE 2 IoCs
pid   Process
2580  123.exe
2552  321.exe
Loads dropped DLL 9 IoCs
pid   Process
2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
2296  WerFault.exe
2296  WerFault.exe
2296  WerFault.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description                            pid   Process  procid_target
PID 2580 set thread context of 2372    2580  123.exe  33
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2296  2580        WerFault.exe  30
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  123.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  321.exe
Suspicious use of WriteProcessMemory 22 IoCs
description                         pid   Process                                                                procid_target
PID 2008 wrote to memory of 2580    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  30
PID 2008 wrote to memory of 2580    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  30
PID 2008 wrote to memory of 2580    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  30
PID 2008 wrote to memory of 2580    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  30
PID 2008 wrote to memory of 2552    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  31
PID 2008 wrote to memory of 2552    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  31
PID 2008 wrote to memory of 2552    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  31
PID 2008 wrote to memory of 2552    2008  90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe  31
PID 2580 wrote to memory of 2372    2580  123.exe                                                                33
PID 2580 wrote to memory of 2372    2580  123.exe                                                                33
PID 2580 wrote to memory of 2372    2580  123.exe                                                                33
PID 2580 wrote to memory of 2372    2580  123.exe                                                                33
PID 2580 wrote to memory of 2372    2580  123.exe                                                                33
PID 2580 wrote to memory of 2372    2580  123.exe                                                                33
PID 2580 wrote to memory of 2296    2580  123.exe                                                                34
PID 2580 wrote to memory of 2296    2580  123.exe                                                                34
PID 2580 wrote to memory of 2296    2580  123.exe                                                                34
PID 2580 wrote to memory of 2296    2580  123.exe                                                                34
PID 2552 wrote to memory of 2068    2552  321.exe                                                                35
PID 2552 wrote to memory of 2068    2552  321.exe                                                                35
PID 2552 wrote to memory of 2068    2552  321.exe                                                                35
PID 2552 wrote to memory of 2068    2552  321.exe                                                                35
Processes
C:\Users\Admin\AppData\Local\Temp\90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\90d635817607ef7037d5f3c3d516cbce989155590946c088cabb9f80bf7fbfeb.exe"
  PID: 2008
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Temp\123.exe (depth 2)
    command line: "C:\Windows\Temp\123.exe"
    PID: 2580
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 2372
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 48
      PID: 2296
      - Loads dropped DLL
      - Program crash

  C:\Windows\Temp\321.exe (depth 2)
    command line: "C:\Windows\Temp\321.exe"
    PID: 2552
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
      PID: 2068
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 399KB
MD5: 2472fd3c7bca782e5373e5b3bfd03175
SHA1: 7df5c62d0cd15021aeaea289a346d037a6f93cff
SHA256: 269bc4ad1e175ca6a44caba5bf4503dc7cd7f1d0eeac4ab5cdc2d92761918a8d
SHA512: 2d066dc991e4267db747e58fc31c28c98a905928b3840dbbfcaa83809b2fe00c42c3197c2a94d8acc0e13d691314023c5cf0618fecb6f357b61a502ffdf5d149

Filesize: 2.5MB
MD5: dcfaf070a6a9f794614f015be1a4288d
SHA1: 8516855f7202ec5ebf010d30e591149bd249f60e
SHA256: 32a8cd30c365f2e24302b0fce7fdcc6300cbbabb8ffe99247612411774be49b5
SHA512: 52979a0716f1956f889fa62212ba4923cd869011c190b80679343f01b9d6160cbb1067bbbd281688c7f0936fe5d4304c61854aaa167e0d7f79a9e511f51a80fc