Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15/02/2023, 15:18
General
-
Target
534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe
-
Size
817KB
-
MD5
6d4a53922da1179aa6285a91a2ea9200
-
SHA1
3a26be7cc84b649b92a0a7b99035fd2c0c3c1d86
-
SHA256
534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f
-
SHA512
0d7d176b828d92af09f44adbd165e8016d730513bbae929ee261733748933b5aaed2cc6ca7aa736f25523c1ab10091e342a0a691b83094f6ab14aef6adf8ed39
-
SSDEEP
12288:3Mrdy90r0ERCuQmMHVJCWZ57nNl9t/CYP/GoxQW8CF/zGvlDYLQZdJifqTue:6yXaCuQmMvCe5brNmNW8CF/zy4QZxTd
Malware Config
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe"C:\Users\Admin\AppData\Local\Temp\534104dc528bab9c04ce1151f056127be6cd9446b4aa517c960206b8d65b995f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vWz2696.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vWz2696.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vZg7447.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vZg7447.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\red4980.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\red4980.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stT7185.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stT7185.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 10725⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txe05qn.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\txe05qn.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urv39xk.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urv39xk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 13403⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4896 -ip 48961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 204 -ip 2041⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
303KB
MD546206315b239aaa7ed7fc548e1580baf
SHA1ae2407c20aaddafc43a5f34c434a18c5a7456698
SHA2566e74bf28e590cdf7f48544ae52bed6b79d490d454776ac45fe30d6b3a3594dde
SHA512ab40025a161e83b8c8d7ddddef3cba1cd0384b365117e10dd0999e78cf36411ed7705cfdb22dd17bb68a1deef249f8c88e241f469cc1d7127cd3e458d249b4da
-
Filesize
303KB
MD546206315b239aaa7ed7fc548e1580baf
SHA1ae2407c20aaddafc43a5f34c434a18c5a7456698
SHA2566e74bf28e590cdf7f48544ae52bed6b79d490d454776ac45fe30d6b3a3594dde
SHA512ab40025a161e83b8c8d7ddddef3cba1cd0384b365117e10dd0999e78cf36411ed7705cfdb22dd17bb68a1deef249f8c88e241f469cc1d7127cd3e458d249b4da
-
Filesize
481KB
MD588b34cc4eeb0eecdb1663781d76e2aa3
SHA1a343ba65719961e95b25b35cf9ebe6582da34b94
SHA256461c9f189e7e69a3425cf4c78dfb09bc6d626010b69e15f754fced62b68c19d8
SHA5128fc27e707cdff3dae80fc74721bc9f94442e83b918bc27502ef17e25d309c487114f589ec7a78aa38c869d51e5edad5d21d33ec27b47979e2a7a45bbe80a5711
-
Filesize
481KB
MD588b34cc4eeb0eecdb1663781d76e2aa3
SHA1a343ba65719961e95b25b35cf9ebe6582da34b94
SHA256461c9f189e7e69a3425cf4c78dfb09bc6d626010b69e15f754fced62b68c19d8
SHA5128fc27e707cdff3dae80fc74721bc9f94442e83b918bc27502ef17e25d309c487114f589ec7a78aa38c869d51e5edad5d21d33ec27b47979e2a7a45bbe80a5711
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
336KB
MD5dbf60c49e646797a595ae3863c7ef8ff
SHA194633845475009574d570e3135da2815631349af
SHA2565df3d32133bd520eb748a0d00626001279bd5c11fc1fe65352c54297b2ebce9c
SHA512d5cb0cd3b0eac3593b2082a51507b7d1befbe56bed20f747761108a7751f9a7e3ad28cccf040880d26dea5ab2ef3ef0418d69087c1784fdea9ec4a736164ce08
-
Filesize
336KB
MD5dbf60c49e646797a595ae3863c7ef8ff
SHA194633845475009574d570e3135da2815631349af
SHA2565df3d32133bd520eb748a0d00626001279bd5c11fc1fe65352c54297b2ebce9c
SHA512d5cb0cd3b0eac3593b2082a51507b7d1befbe56bed20f747761108a7751f9a7e3ad28cccf040880d26dea5ab2ef3ef0418d69087c1784fdea9ec4a736164ce08
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
245KB
MD5bbcaab6d431de6d63e20ec7a085b0526
SHA1e5bb15ef7458b516b37602649498b3d13c4df67d
SHA256e0bd77d953de9c400b8338ca69f2aeb4eadfae945c75081b3c61fcc23ede76ee
SHA5124f9ba138d9b458bb24907b2873a5eb0648858a60c0afac97c7b41adc2a3033d12037770b8d266ec8e2fb821dc8dcefc65c7150af534110e407a9cc672e317ac8
-
Filesize
245KB
MD5bbcaab6d431de6d63e20ec7a085b0526
SHA1e5bb15ef7458b516b37602649498b3d13c4df67d
SHA256e0bd77d953de9c400b8338ca69f2aeb4eadfae945c75081b3c61fcc23ede76ee
SHA5124f9ba138d9b458bb24907b2873a5eb0648858a60c0afac97c7b41adc2a3033d12037770b8d266ec8e2fb821dc8dcefc65c7150af534110e407a9cc672e317ac8
-
Filesize
184KB
-
Filesize
300KB
-
Filesize
1.5MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
1.5MB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
200KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
128KB
-
Filesize
1.4MB
-
Filesize
180KB
-
Filesize
1.4MB
-
Filesize
5.6MB
-
Filesize
128KB
-
Filesize
128KB