Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01/03/2023, 02:12
General
-
Target
8234f55745a5f5bafd006fbf96156138890d87492d29f8a76a49931aa667ec73.exe
-
Size
1.2MB
-
MD5
167e5b9143136a8d01782c5de939d3b9
-
SHA1
1f19e64c89bcb698647fb4480cbe6543f249a106
-
SHA256
8234f55745a5f5bafd006fbf96156138890d87492d29f8a76a49931aa667ec73
-
SHA512
ecef7cfa5e56a609e57b926dd342c2d49e4bc70919658f8378301d31f43b086aa6420e1103bd0f2fc796e9f39c9dc279d769b90cd26e29598712af493a97d8e7
-
SSDEEP
24576:yyQ0cnLedfvxclTAhdTCRf7FkeD3JVZFoqt9yg9:ZQxLWfvmlkiVFkeD3NLyg
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
-
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Extracted
redline
dunkan
193.233.20.24:4123
-
auth_value
505c396c57c6287fc3fdc5f3aeab0819
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 17 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
-
Executes dropped EXE 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8234f55745a5f5bafd006fbf96156138890d87492d29f8a76a49931aa667ec73.exe"C:\Users\Admin\AppData\Local\Temp\8234f55745a5f5bafd006fbf96156138890d87492d29f8a76a49931aa667ec73.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plXR98tC60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plXR98tC60.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEy25rt12.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEy25rt12.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvc99hG98.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvc99hG98.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plIv10CZ71.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plIv10CZ71.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buBe61SM06.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buBe61SM06.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSw71OO75.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSw71OO75.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 20247⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\diAs89zI11.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\diAs89zI11.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 11006⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\esNM00Ue06.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\esNM00Ue06.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 13005⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fuZk5238WE84.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fuZk5238WE84.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\grKi88iD69.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\grKi88iD69.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4668 -ip 46681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1164 -ip 11641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4768 -ip 47681⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD527abe90dfa3542ff84eed6b44a684e92
SHA1e0dbc6905d66cb83f00a5d2233c976d3d8673695
SHA256e4216225676fb52f7d550ea2a848ac6763f2627f4eafd8ba220cfe12e58d8ce7
SHA512b717944aca0126bcd0172b4f520d0c3ac5251fbb790be80bebbe114824732081e36fa29a035dfebf5d9b75974e0908d2ea3afdc46c0e6c1d9b7b47a80f508fc5
-
Filesize
175KB
MD527abe90dfa3542ff84eed6b44a684e92
SHA1e0dbc6905d66cb83f00a5d2233c976d3d8673695
SHA256e4216225676fb52f7d550ea2a848ac6763f2627f4eafd8ba220cfe12e58d8ce7
SHA512b717944aca0126bcd0172b4f520d0c3ac5251fbb790be80bebbe114824732081e36fa29a035dfebf5d9b75974e0908d2ea3afdc46c0e6c1d9b7b47a80f508fc5
-
Filesize
1.0MB
MD5cb769ffcc769e0ea49fbe0f0badf7c5a
SHA1993024019036ceca72d3cb17ff4d6d2a2488a083
SHA256123e84aeafc008d6ba126147dc32a0b0aa562e0de91ad63f403ede67fc8c468e
SHA512d712e1484fa1cbbb7747030132d0894905767e66f5e110297441406ae78c06ea2c15c67131ac113bbfe83cff5f7d1eca60864ea1397ba842dd623b889a1c1639
-
Filesize
1.0MB
MD5cb769ffcc769e0ea49fbe0f0badf7c5a
SHA1993024019036ceca72d3cb17ff4d6d2a2488a083
SHA256123e84aeafc008d6ba126147dc32a0b0aa562e0de91ad63f403ede67fc8c468e
SHA512d712e1484fa1cbbb7747030132d0894905767e66f5e110297441406ae78c06ea2c15c67131ac113bbfe83cff5f7d1eca60864ea1397ba842dd623b889a1c1639
-
Filesize
15KB
MD58d2e0a5bec14439475596047871a7110
SHA1dca2eeb5a385409db4faa8e8bca5545123bbdead
SHA256bcf44192a233a45603db0d8dbfd7c08234f6dde50cf9923a24c8e86b6fe01dfa
SHA5125bcde2b2cb37dc157987dcfc8bfc144d483fdf0d995587fb774222fff6bbd8cd5b6cfe37494f09d450cded5ab670c3f5bf698cc5d685656a402d6b3ccaef63f3
-
Filesize
15KB
MD58d2e0a5bec14439475596047871a7110
SHA1dca2eeb5a385409db4faa8e8bca5545123bbdead
SHA256bcf44192a233a45603db0d8dbfd7c08234f6dde50cf9923a24c8e86b6fe01dfa
SHA5125bcde2b2cb37dc157987dcfc8bfc144d483fdf0d995587fb774222fff6bbd8cd5b6cfe37494f09d450cded5ab670c3f5bf698cc5d685656a402d6b3ccaef63f3
-
Filesize
972KB
MD53516b5d1751c40d80e2b5b04c36be694
SHA145c29093a86362e8bc45da6b04eee467fb73d8d4
SHA2569c5ab46308b2f2347d6cee1fad260cdeaa76027fba614f038dad2884c6ece713
SHA51233257f3faecd1e55b55290afc0fa1c78d86acc51c1595d8caf8df98a1dae2a5bd69eacea912b9d05b6a67cf6a7719001e3282b3017a81e2abe6d583d0428bcb9
-
Filesize
972KB
MD53516b5d1751c40d80e2b5b04c36be694
SHA145c29093a86362e8bc45da6b04eee467fb73d8d4
SHA2569c5ab46308b2f2347d6cee1fad260cdeaa76027fba614f038dad2884c6ece713
SHA51233257f3faecd1e55b55290afc0fa1c78d86acc51c1595d8caf8df98a1dae2a5bd69eacea912b9d05b6a67cf6a7719001e3282b3017a81e2abe6d583d0428bcb9
-
Filesize
378KB
MD50699a3dd8a0bfbef309a3c474b22b56d
SHA18f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA2560fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA5126dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd
-
Filesize
378KB
MD50699a3dd8a0bfbef309a3c474b22b56d
SHA18f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA2560fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA5126dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd
-
Filesize
691KB
MD568a0d7889af6665f5f4270f4d38b1567
SHA1366d394f16075c9799b9cfdc828bc33d8f03b086
SHA2561aa5887111d4dcd865d654dcb4aac388b0b6d8bfec3a203a4b26e3a110891297
SHA512cd1c0e738105412f37fafd0cba43ed3473101002c11ce6eb8538cabcbd33450d17d4fd25636211c0e632dfe0be9cc96d87ae2af245f1cb2582866a75d733eb06
-
Filesize
691KB
MD568a0d7889af6665f5f4270f4d38b1567
SHA1366d394f16075c9799b9cfdc828bc33d8f03b086
SHA2561aa5887111d4dcd865d654dcb4aac388b0b6d8bfec3a203a4b26e3a110891297
SHA512cd1c0e738105412f37fafd0cba43ed3473101002c11ce6eb8538cabcbd33450d17d4fd25636211c0e632dfe0be9cc96d87ae2af245f1cb2582866a75d733eb06
-
Filesize
320KB
MD5887d5f3f25f82ef4ec073a39f3050594
SHA10f0d0e2f3b7d8b61dffab0d347d81740dfe956d8
SHA256f253180eaa3ade6c077fe6af72f5146029ff4d27a93debfe7f66507aa8739c65
SHA512bf6ab835d6f35063d6d499b18a60581b97c894e9a524da4b60008765a9853b29f0594c6fdca718b64cd5799a7b0fea1c115d21662bf90ff4dd67083d289cc81d
-
Filesize
320KB
MD5887d5f3f25f82ef4ec073a39f3050594
SHA10f0d0e2f3b7d8b61dffab0d347d81740dfe956d8
SHA256f253180eaa3ade6c077fe6af72f5146029ff4d27a93debfe7f66507aa8739c65
SHA512bf6ab835d6f35063d6d499b18a60581b97c894e9a524da4b60008765a9853b29f0594c6fdca718b64cd5799a7b0fea1c115d21662bf90ff4dd67083d289cc81d
-
Filesize
403KB
MD5109e75ca760e77aa9f1bc5c0d8d61bc3
SHA1ac6459bbe08526b5623dc9ee74d6e42ecd609614
SHA256be52e064262718bb42042ea9c76813130bed6b68a4111e600b26fd3de68a4c36
SHA512673b65539d4910a92dad41d970a438a355c10898dbf554f6beb39001ddbfac14c8ee7a139fb2c5418c362e52538bbed05107dbf9066d5c46634d51fe5153135a
-
Filesize
403KB
MD5109e75ca760e77aa9f1bc5c0d8d61bc3
SHA1ac6459bbe08526b5623dc9ee74d6e42ecd609614
SHA256be52e064262718bb42042ea9c76813130bed6b68a4111e600b26fd3de68a4c36
SHA512673b65539d4910a92dad41d970a438a355c10898dbf554f6beb39001ddbfac14c8ee7a139fb2c5418c362e52538bbed05107dbf9066d5c46634d51fe5153135a
-
Filesize
15KB
MD566e3a52144bbd3a9c85a14de47decfbe
SHA1213bb80474e9a7be5a28a17f8955c95819a02c0d
SHA25630e7d233e965799daf9da96c8069acbfd98cb2845329a2247bb90d32e0010c1a
SHA5122ea1b1bd4124dc7eb884ef4868c223c189dca886d5fbe9b14ae89802718743c97cab8f98258f4aaf3b8f5acf40b09c45c4963a736167bbfda8aaa5c69411cfe3
-
Filesize
15KB
MD566e3a52144bbd3a9c85a14de47decfbe
SHA1213bb80474e9a7be5a28a17f8955c95819a02c0d
SHA25630e7d233e965799daf9da96c8069acbfd98cb2845329a2247bb90d32e0010c1a
SHA5122ea1b1bd4124dc7eb884ef4868c223c189dca886d5fbe9b14ae89802718743c97cab8f98258f4aaf3b8f5acf40b09c45c4963a736167bbfda8aaa5c69411cfe3
-
Filesize
15KB
MD566e3a52144bbd3a9c85a14de47decfbe
SHA1213bb80474e9a7be5a28a17f8955c95819a02c0d
SHA25630e7d233e965799daf9da96c8069acbfd98cb2845329a2247bb90d32e0010c1a
SHA5122ea1b1bd4124dc7eb884ef4868c223c189dca886d5fbe9b14ae89802718743c97cab8f98258f4aaf3b8f5acf40b09c45c4963a736167bbfda8aaa5c69411cfe3
-
Filesize
378KB
MD50699a3dd8a0bfbef309a3c474b22b56d
SHA18f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA2560fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA5126dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd
-
Filesize
378KB
MD50699a3dd8a0bfbef309a3c474b22b56d
SHA18f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA2560fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA5126dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd
-
Filesize
378KB
MD50699a3dd8a0bfbef309a3c474b22b56d
SHA18f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA2560fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA5126dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
5.6MB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
64KB