Analysis
max time kernel
78s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags
arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted
09/03/2023, 18:02
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
Target
tmp.exe
Size
97KB
MD5
95e03ae51a6671e98b8461dc1ad766eb
SHA1
3968a825dbda1b2998f89018c163a5e16fbdc3f3
SHA256
23f70436d5d45e4abfd9763a73a43637a51192bb1ad95df790b6ebb3dd4060d1
SHA512
bd12655eb446251a76ddf49a68efadaa30f13cf905323dac0992a652679e745cad881e72df95b63c26b833cf2c5a7c51f8aa10da90291843a24a9b4180e4da26
SSDEEP
1536:fEzhNlLbVUKs23ZS0M5Gw/B4dIR/2rS4eCurntMJI8MY4:8z5LbVUz2RM5GfrS4eC6teIHB
Malware Config
Extracted
redline
MIX-3
167.235.133.96:43849
auth_value
5809bfc38a41ac4369f75ca7762ad9c9
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
Process: tmp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
description: PID 2180 set thread context of 3388
pid: 2180
Process: tmp.exe
procid_target: 99
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
1580  powershell.exe
1580  powershell.exe
3388  tmp.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2180  tmp.exe
Token: SeDebugPrivilege   1580  powershell.exe
Token: SeDebugPrivilege   3388  tmp.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                        pid   Process   procid_target
PID 2180 wrote to memory of 1580   2180  tmp.exe   91
PID 2180 wrote to memory of 1580   2180  tmp.exe   91
PID 2180 wrote to memory of 1580   2180  tmp.exe   91
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
PID 2180 wrote to memory of 3388   2180  tmp.exe   99
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
PID: 2180
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
  PID: 1580
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
  PID: 3388
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
1KB
MD5
3a9188331a78f1dbce606db64b841fcb
SHA1
8e2c99b7c477d06591a856a4ea3e1e214719eee8
SHA256
db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451
SHA512
d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a

Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82