Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
18/03/2023, 17:40
General
-
Target
cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe
-
Size
837KB
-
MD5
1b660e47773d0641eae4039f163130c2
-
SHA1
dddd18e6258a4d25462638663517f483993fb9a1
-
SHA256
cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f
-
SHA512
75342833c7e7147e7c5928a26e908610dc9ec6b6e22fa08b34fec4561e17f36ba8c99ae53be8081e1cb7310ebd966350cabaca7274c2cfb24c493a0604b28804
-
SSDEEP
12288:GMrdy90j6w0g0VzpfUQ/igyGn4WfCy0y+WVawMuFhqTk608V97xjscoCxDuNfOGo:TyVTbUQqSn4mt0JWEIqTkPKRxoCoNlI
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
ruka
193.233.20.28:4125
-
auth_value
5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe"C:\Users\Admin\AppData\Local\Temp\cb6a74ec5561f435fd844b0772037ea9b2d88f795516c9a083dbec598b04ac8f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5653.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5653.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba8101.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba8101.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4852pe.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4852pe.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h37En44.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h37En44.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 10805⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 10885⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iTnCO77.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iTnCO77.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 18604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 13244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 15764⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l86Wk20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l86Wk20.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3960 -ip 39601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3960 -ip 39601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5064 -ip 50641⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
695KB
MD5d2aafb536cf19d9f2ed09953c99874a1
SHA172d23687729d08b4f977575f8086838f711eb992
SHA256f11a728f77270e9d6ff37d8274832212cda3dfe02e18aca3fa3b4afd2e13b072
SHA512c5dd8e1ef7764d91741c6d2279e2e396f97341602adff1b5c62afcbeb4bc20f507f38daf85490c71d2b45ccb17327ee804e58cee443932855d2ef66d6e649063
-
Filesize
695KB
MD5d2aafb536cf19d9f2ed09953c99874a1
SHA172d23687729d08b4f977575f8086838f711eb992
SHA256f11a728f77270e9d6ff37d8274832212cda3dfe02e18aca3fa3b4afd2e13b072
SHA512c5dd8e1ef7764d91741c6d2279e2e396f97341602adff1b5c62afcbeb4bc20f507f38daf85490c71d2b45ccb17327ee804e58cee443932855d2ef66d6e649063
-
Filesize
391KB
MD5006db4e8295906ae0fd6c762784737ac
SHA165cf601c32b4768dcd14647e93c959ba916319de
SHA2561448f003ceff3bb6c5c20e2065ab14dcba08ab5c1d58335f0ab5aee1572040cb
SHA512c45ff066112b5f275e6e92f83a1239d44b3e93e7cbaa54589d47b77da7d5aa327d42c115513b35091c516a6cdba562cb7ab5775a22219a008f240e3be53ba637
-
Filesize
391KB
MD5006db4e8295906ae0fd6c762784737ac
SHA165cf601c32b4768dcd14647e93c959ba916319de
SHA2561448f003ceff3bb6c5c20e2065ab14dcba08ab5c1d58335f0ab5aee1572040cb
SHA512c45ff066112b5f275e6e92f83a1239d44b3e93e7cbaa54589d47b77da7d5aa327d42c115513b35091c516a6cdba562cb7ab5775a22219a008f240e3be53ba637
-
Filesize
344KB
MD5835fe0fb5a896ac7c12bb18de4b43269
SHA113e7d6c5d04f324c2cb1279cf52bd937ddf087c2
SHA256c9c92e22902d9760be2e67795d671655ebe492c95aa7b6b708e79cc05375516b
SHA512d50d321fdb3e65c91ccbe754d5fcb1a4e45d08808322cb08f0750a3336f308c53f0e6622b4284643c00ce51c984369e8fcf01122d40b98410027dbfe454de654
-
Filesize
344KB
MD5835fe0fb5a896ac7c12bb18de4b43269
SHA113e7d6c5d04f324c2cb1279cf52bd937ddf087c2
SHA256c9c92e22902d9760be2e67795d671655ebe492c95aa7b6b708e79cc05375516b
SHA512d50d321fdb3e65c91ccbe754d5fcb1a4e45d08808322cb08f0750a3336f308c53f0e6622b4284643c00ce51c984369e8fcf01122d40b98410027dbfe454de654
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
333KB
MD5c050f21e7aa339df55930b9d76a3cdb4
SHA122dd083bdfb4b33a864be0047515127e5464d374
SHA256bffe99f0f072c9c5fff55b62ce88c0fa5d8302c5a4ac2ef6d836f86e56e3bdeb
SHA51204fd072d7adf3f891e0c8a988c0d195ff6fc37766f7345228dc76c040465622a08baa26792baa10c9872fb92ff143d612aafb462a8badc12dcd31fa2029f81ed
-
Filesize
333KB
MD5c050f21e7aa339df55930b9d76a3cdb4
SHA122dd083bdfb4b33a864be0047515127e5464d374
SHA256bffe99f0f072c9c5fff55b62ce88c0fa5d8302c5a4ac2ef6d836f86e56e3bdeb
SHA51204fd072d7adf3f891e0c8a988c0d195ff6fc37766f7345228dc76c040465622a08baa26792baa10c9872fb92ff143d612aafb462a8badc12dcd31fa2029f81ed
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
39.0MB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
320KB
-
Filesize
64KB