Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

a9a79e838a...25.exe

windows7-x64

10

a9a79e838a...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2023, 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425.exe

  • Size

    530KB

  • MD5

    9d98887da237676528795fc16cc28242

  • SHA1

    5fac23c5983cb857dec0ac79f4d9491f9a3cb99d

  • SHA256

    a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425

  • SHA512

    2262ed94830c4bc627f6f924d966442dc4d08084515e46cbaabd7adf07b2b4e64df65b7b6dd6583e6d43f5a474ee9d8f92a05ef190b993d8502c59c29e8471ca

  • SSDEEP

    12288:4MrNy902v5yPNzLa5YdCKvVFZuMBJhRX3wDb1YJks:VyxvsPNvaKbvFR/hRIbqJr

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425.exe
    "C:\Users\Admin\AppData\Local\Temp\a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
    Filesize

    175KB

    MD5

    1390e22edc77aa421eb0357375b442ef

    SHA1

    015409efc11c4f5f6f091a1517e47021aa32b9ec

    SHA256

    47b53226bcd1f0d32e065794a916066df71f6c150f7a0f93f159f0135c9839ec

    SHA512

    2c0c8b152c91c1759a8a8afb6e04bea08d548e21ba73b98bc73d0c34d77c04004f051ccb6b65231dce2ab54f3d84baa6677a35edf203813629cea2af7be3429a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
    Filesize

    175KB

    MD5

    1390e22edc77aa421eb0357375b442ef

    SHA1

    015409efc11c4f5f6f091a1517e47021aa32b9ec

    SHA256

    47b53226bcd1f0d32e065794a916066df71f6c150f7a0f93f159f0135c9839ec

    SHA512

    2c0c8b152c91c1759a8a8afb6e04bea08d548e21ba73b98bc73d0c34d77c04004f051ccb6b65231dce2ab54f3d84baa6677a35edf203813629cea2af7be3429a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
    Filesize

    385KB

    MD5

    d8e3f421348ce110fa5822c0bba850cc

    SHA1

    5bdc351bfd86409cbe5e09c628f5ea2a0ceb4618

    SHA256

    06c3ce6329fca61382dec0158bf047f796d7dd13930a1393d2f77820c8a15e67

    SHA512

    40aa9e349a6d4535490e5c7265d74eeefc1d72f7564129951632ebce74a9c1e1e5b8ce7aa7f6b1db9cdff5b2b54c121c579b18ff84c020a0e010d505e140c9a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
    Filesize

    385KB

    MD5

    d8e3f421348ce110fa5822c0bba850cc

    SHA1

    5bdc351bfd86409cbe5e09c628f5ea2a0ceb4618

    SHA256

    06c3ce6329fca61382dec0158bf047f796d7dd13930a1393d2f77820c8a15e67

    SHA512

    40aa9e349a6d4535490e5c7265d74eeefc1d72f7564129951632ebce74a9c1e1e5b8ce7aa7f6b1db9cdff5b2b54c121c579b18ff84c020a0e010d505e140c9a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
    Filesize

    11KB

    MD5

    882a67e5fd493f6bd53c1017fc83560b

    SHA1

    1ded2aad86cbbd08642c958dde824ae21064f045

    SHA256

    54b69b90a598a0481908d727d34b90c87c93eca5ef74ad44afe09971e77fae00

    SHA512

    5cbf8aeb1e6ce65397a24018a49a0c9c3b6863d11bfaf7d0ea432bc756995700cbc80ef13da3a8ceab818416dbca95da7721a69b55a1158ca5e04832cd2e7820

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
    Filesize

    11KB

    MD5

    882a67e5fd493f6bd53c1017fc83560b

    SHA1

    1ded2aad86cbbd08642c958dde824ae21064f045

    SHA256

    54b69b90a598a0481908d727d34b90c87c93eca5ef74ad44afe09971e77fae00

    SHA512

    5cbf8aeb1e6ce65397a24018a49a0c9c3b6863d11bfaf7d0ea432bc756995700cbc80ef13da3a8ceab818416dbca95da7721a69b55a1158ca5e04832cd2e7820

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
    Filesize

    294KB

    MD5

    10466b602e1c396979e43b57cd69bdc2

    SHA1

    dd1e099b5b8b216f8894f100427eec39023ddb4e

    SHA256

    78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

    SHA512

    0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
    Filesize

    294KB

    MD5

    10466b602e1c396979e43b57cd69bdc2

    SHA1

    dd1e099b5b8b216f8894f100427eec39023ddb4e

    SHA256

    78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

    SHA512

    0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
    Filesize

    294KB

    MD5

    10466b602e1c396979e43b57cd69bdc2

    SHA1

    dd1e099b5b8b216f8894f100427eec39023ddb4e

    SHA256

    78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

    SHA512

    0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
    Filesize

    175KB

    MD5

    1390e22edc77aa421eb0357375b442ef

    SHA1

    015409efc11c4f5f6f091a1517e47021aa32b9ec

    SHA256

    47b53226bcd1f0d32e065794a916066df71f6c150f7a0f93f159f0135c9839ec

    SHA512

    2c0c8b152c91c1759a8a8afb6e04bea08d548e21ba73b98bc73d0c34d77c04004f051ccb6b65231dce2ab54f3d84baa6677a35edf203813629cea2af7be3429a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
    Filesize

    175KB

    MD5

    1390e22edc77aa421eb0357375b442ef

    SHA1

    015409efc11c4f5f6f091a1517e47021aa32b9ec

    SHA256

    47b53226bcd1f0d32e065794a916066df71f6c150f7a0f93f159f0135c9839ec

    SHA512

    2c0c8b152c91c1759a8a8afb6e04bea08d548e21ba73b98bc73d0c34d77c04004f051ccb6b65231dce2ab54f3d84baa6677a35edf203813629cea2af7be3429a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
    Filesize

    385KB

    MD5

    d8e3f421348ce110fa5822c0bba850cc

    SHA1

    5bdc351bfd86409cbe5e09c628f5ea2a0ceb4618

    SHA256

    06c3ce6329fca61382dec0158bf047f796d7dd13930a1393d2f77820c8a15e67

    SHA512

    40aa9e349a6d4535490e5c7265d74eeefc1d72f7564129951632ebce74a9c1e1e5b8ce7aa7f6b1db9cdff5b2b54c121c579b18ff84c020a0e010d505e140c9a6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
    Filesize

    385KB

    MD5

    d8e3f421348ce110fa5822c0bba850cc

    SHA1

    5bdc351bfd86409cbe5e09c628f5ea2a0ceb4618

    SHA256

    06c3ce6329fca61382dec0158bf047f796d7dd13930a1393d2f77820c8a15e67

    SHA512

    40aa9e349a6d4535490e5c7265d74eeefc1d72f7564129951632ebce74a9c1e1e5b8ce7aa7f6b1db9cdff5b2b54c121c579b18ff84c020a0e010d505e140c9a6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
    Filesize

    11KB

    MD5

    882a67e5fd493f6bd53c1017fc83560b

    SHA1

    1ded2aad86cbbd08642c958dde824ae21064f045

    SHA256

    54b69b90a598a0481908d727d34b90c87c93eca5ef74ad44afe09971e77fae00

    SHA512

    5cbf8aeb1e6ce65397a24018a49a0c9c3b6863d11bfaf7d0ea432bc756995700cbc80ef13da3a8ceab818416dbca95da7721a69b55a1158ca5e04832cd2e7820

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
    Filesize

    294KB

    MD5

    10466b602e1c396979e43b57cd69bdc2

    SHA1

    dd1e099b5b8b216f8894f100427eec39023ddb4e

    SHA256

    78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

    SHA512

    0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
    Filesize

    294KB

    MD5

    10466b602e1c396979e43b57cd69bdc2

    SHA1

    dd1e099b5b8b216f8894f100427eec39023ddb4e

    SHA256

    78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

    SHA512

    0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
    Filesize

    294KB

    MD5

    10466b602e1c396979e43b57cd69bdc2

    SHA1

    dd1e099b5b8b216f8894f100427eec39023ddb4e

    SHA256

    78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

    SHA512

    0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

    Download Submit

  • memory/780-72-0x0000000000150000-0x000000000015A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1852-1003-0x0000000001100000-0x0000000001132000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1852-1004-0x0000000005030000-0x0000000005070000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1864-105-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-127-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-93-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-95-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-97-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-99-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-101-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-103-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-89-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-109-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-107-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-111-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-113-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-115-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-117-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-119-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-121-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-123-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-125-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-91-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-129-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-131-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-133-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-135-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-137-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-139-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-141-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-143-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-145-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-147-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-149-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-151-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-994-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1864-88-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1864-87-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1864-86-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1864-85-0x00000000009F0000-0x0000000000A3B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1864-84-0x0000000004AD0000-0x0000000004B14000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1864-83-0x0000000004950000-0x0000000004996000-memory.dmp

    Filesize

    280KB

    Download