Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    178s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10/03/2023, 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe

  • Size

    546KB

  • MD5

    0652658f0d87fba539d4e65083c815e2

  • SHA1

    fb302cbc7cf27f498aacc246db04f38098eea199

  • SHA256

    072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e

  • SHA512

    b6b919be69d2af4414459ee48a66960b32215dfc2fe979d39963aae25a6737c7940f0dbeb57c28bf8ee0cb6171d40d9685b54c17d871a93f522eda477026465f

  • SSDEEP

    12288:IMrmy90dJG/rHg62J30NsYeyJidazIUaqAE2BADPWtWtYGSe:+yCJGjHsJEuhezIUaqAj1tWAe

Score
10/10
redlinegonnamangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

gonna

C2

193.56.146.220:4174

Attributes
  • auth_value

    10ce5127fa09a5422f1a407fb6a7c077

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe
    "C:\Users\Admin\AppData\Local\Temp\072af4027c94ee255fbd32b25ad60798d3f5668dc994f4ebc4f72971a02c300e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:68
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWQ6077hP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWQ6077hP.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2866yQ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2866yQ.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t38xk55.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t38xk55.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzast82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzast82.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzast82.exe
    Filesize

    175KB

    MD5

    ddaf6a7e4c6bd55f4001a68b41020710

    SHA1

    cc50a5dd9e0b1be80c43b0850c002e0484b5d2ad

    SHA256

    5669aa2a6e00d71f9ca012fecdea7ec1134e22f4ac349106af7f7e5372a5b6a8

    SHA512

    02ececce795610f012f81feb1ec338dabedfbbfe0461df7352b1600cc04b6f5b8e14ebd715ba3ff32a3d5a75345eddd26cae6059bad48e3fda93e61cffac4d51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uzast82.exe
    Filesize

    175KB

    MD5

    ddaf6a7e4c6bd55f4001a68b41020710

    SHA1

    cc50a5dd9e0b1be80c43b0850c002e0484b5d2ad

    SHA256

    5669aa2a6e00d71f9ca012fecdea7ec1134e22f4ac349106af7f7e5372a5b6a8

    SHA512

    02ececce795610f012f81feb1ec338dabedfbbfe0461df7352b1600cc04b6f5b8e14ebd715ba3ff32a3d5a75345eddd26cae6059bad48e3fda93e61cffac4d51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWQ6077hP.exe
    Filesize

    402KB

    MD5

    ae92995063c599f57c80a5d35a98b340

    SHA1

    72bbb27d0ea04722ba1cb373667db2bb2a2f2810

    SHA256

    ec81fa71088214f6f50b0f4e35f2ee96f405a97b165b24ddf3851fc81e816f13

    SHA512

    76b0d5b5420d4de748bd0115a72dc506471893bfbc07bc9bfa9dbc4623a13a0b610de653bb666675ec6998b59f5d85a044bb6b5cf0b0266afc6e76fc1636ea08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkWQ6077hP.exe
    Filesize

    402KB

    MD5

    ae92995063c599f57c80a5d35a98b340

    SHA1

    72bbb27d0ea04722ba1cb373667db2bb2a2f2810

    SHA256

    ec81fa71088214f6f50b0f4e35f2ee96f405a97b165b24ddf3851fc81e816f13

    SHA512

    76b0d5b5420d4de748bd0115a72dc506471893bfbc07bc9bfa9dbc4623a13a0b610de653bb666675ec6998b59f5d85a044bb6b5cf0b0266afc6e76fc1636ea08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2866yQ.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s2866yQ.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t38xk55.exe
    Filesize

    367KB

    MD5

    b027ebb3e70d7bc51c75bbdfd85ea392

    SHA1

    89bea40a9f34e998af07884e9a3da1df21037b2a

    SHA256

    0c7a52e23934ed22905ccf78982f546ab0a36f92cdc64bf1cfddc7b4cb02d0e3

    SHA512

    4d51137bd5c210f57198dd9f08858415ec2b5f4cd4324651bbc4b0127fbcfb1486b4f5f2add49602afeb340675ba3f37344ccf3d728039dabf3411bd547f0a4c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t38xk55.exe
    Filesize

    367KB

    MD5

    b027ebb3e70d7bc51c75bbdfd85ea392

    SHA1

    89bea40a9f34e998af07884e9a3da1df21037b2a

    SHA256

    0c7a52e23934ed22905ccf78982f546ab0a36f92cdc64bf1cfddc7b4cb02d0e3

    SHA512

    4d51137bd5c210f57198dd9f08858415ec2b5f4cd4324651bbc4b0127fbcfb1486b4f5f2add49602afeb340675ba3f37344ccf3d728039dabf3411bd547f0a4c

    Download Submit

  • memory/1108-1071-0x0000000000310000-0x0000000000342000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1108-1072-0x0000000004C40000-0x0000000004C8B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1108-1074-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1108-1073-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3232-130-0x0000000000B50000-0x0000000000B5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4068-174-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-188-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-140-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-142-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-141-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-144-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-143-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-148-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-146-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-150-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-152-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-154-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-156-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-158-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-160-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-162-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-164-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-166-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-168-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-170-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-172-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-138-0x0000000004A40000-0x0000000004A84000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4068-176-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-178-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-180-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-182-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-186-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-139-0x00000000005B0000-0x00000000005FB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4068-184-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-190-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-192-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-194-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-196-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-198-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-200-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-202-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-204-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-206-0x0000000004A40000-0x0000000004A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-1049-0x0000000005600000-0x0000000005C06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4068-1050-0x0000000005070000-0x000000000517A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4068-1051-0x00000000051D0000-0x00000000051E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4068-1052-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4068-1053-0x0000000005330000-0x000000000537B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4068-1054-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-1056-0x00000000054B0000-0x0000000005516000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4068-1057-0x00000000061B0000-0x0000000006242000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4068-1059-0x00000000064B0000-0x0000000006672000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4068-1058-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-1061-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-1060-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-137-0x0000000004A90000-0x0000000004F8E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4068-136-0x0000000002280000-0x00000000022C6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4068-1062-0x0000000006680000-0x0000000006BAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4068-1063-0x0000000004A80000-0x0000000004A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-1064-0x0000000002500000-0x0000000002576000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4068-1065-0x0000000007FB0000-0x0000000008000000-memory.dmp

    Filesize

    320KB

    Download