Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
13/02/2023, 22:03
General
-
Target
f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af.exe
-
Size
478KB
-
MD5
ad73f56789ba7bb139feba1217f9d3b7
-
SHA1
06672cfd3f4d13fc5e9639e7e4f7e2d3cdef8e10
-
SHA256
f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af
-
SHA512
80f1ab2b92c887adedaf060037d54d57d5b5053446c5a1589e573043295a2c1a1bad1c86ad72f8e30421fe47bab84245cf35c713c31def1ac3a4a605b524e3b9
-
SSDEEP
12288:eMrvy90F/0cOMa/B0YY9fHW/e8yU2w80Mbz:NymeMo4KSwAbz
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af.exe"C:\Users\Admin\AppData\Local\Temp\f6ef39ad4c596ccac29d13a03de27e3f264603c901c5ca34834fe2043d5259af.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKl63jt.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKl63jt.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biB59lo.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biB59lo.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 10724⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTY09ee.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTY09ee.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\laz96Cd.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\laz96Cd.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4852 -ip 48521⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
375KB
MD5aa9dd08139f3b4c32a236109630491c9
SHA188268d297f357087a67b3560e73fac5ecc96fae6
SHA2566aaeb29f413e39fabc19f2997f8f3de3535a4784671bb95a6907332c698f4047
SHA51245ebe06ef420c1444358f737196168a6a551c7fb98dd178cf2e8bed6fced9eca2c5771d31ac10dd2294da43ef4421ea146117cd02d9897141b68b89f764f5842
-
Filesize
375KB
MD5aa9dd08139f3b4c32a236109630491c9
SHA188268d297f357087a67b3560e73fac5ecc96fae6
SHA2566aaeb29f413e39fabc19f2997f8f3de3535a4784671bb95a6907332c698f4047
SHA51245ebe06ef420c1444358f737196168a6a551c7fb98dd178cf2e8bed6fced9eca2c5771d31ac10dd2294da43ef4421ea146117cd02d9897141b68b89f764f5842
-
Filesize
235KB
MD5ea2af715b2c17a763c05bffc5669ded5
SHA1876295abbc668533e3629c38e5b4db50776f969a
SHA256b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29
SHA5121f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d
-
Filesize
235KB
MD5ea2af715b2c17a763c05bffc5669ded5
SHA1876295abbc668533e3629c38e5b4db50776f969a
SHA256b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29
SHA5121f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
200KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
128KB
-
Filesize
1.4MB
-
Filesize
128KB
-
Filesize
5.6MB
-
Filesize
1.4MB
-
Filesize
180KB
-
Filesize
128KB