Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
77s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
19/03/2023, 23:33
General
-
Target
bfb745112d8bae20c677477764a6991c08b7adf16104fbfce076a55c4676b52c.exe
-
Size
818KB
-
MD5
1a3e10e79ae77547d029a4cd89cd1aab
-
SHA1
6bcb8081dd454f7facd5c276857c7b2d3af0f763
-
SHA256
bfb745112d8bae20c677477764a6991c08b7adf16104fbfce076a55c4676b52c
-
SHA512
0e7ffd777427c236a314a63ea97e2e5f46eb5a53052cce9e633a7a04b59e1150054a6152c9ec38d0c3b51db6b225afa30c4d282aeea743cc98ec64af48057d2e
-
SSDEEP
24576:qyIL5cn2POgqHWpyYDSTin0Dc4f8URjkz6vyHZ:xIL5c2POggYDOJc+yvH
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
ruka
193.233.20.28:4125
-
auth_value
5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfb745112d8bae20c677477764a6991c08b7adf16104fbfce076a55c4676b52c.exe"C:\Users\Admin\AppData\Local\Temp\bfb745112d8bae20c677477764a6991c08b7adf16104fbfce076a55c4676b52c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4821.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4821.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba6965.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba6965.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8844jw.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8844jw.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h14sm05.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h14sm05.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 10845⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iXjle49.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iXjle49.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 13484⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l58CY62.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l58CY62.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4052 -ip 40521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3856 -ip 38561⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
676KB
MD59e736e93c050a5e7fe2c2f17ce90d8ff
SHA17e9f70e2110d964471e46e44a0b8908c25e5b31f
SHA2561cf14062b2ac57d64a6e459850d42650e53db7bc16cc24c73019fd032527b4ee
SHA51240ae3c16f2ddd941ef21303d8719cdce5e9370adc3011f956e2b64b32eaeb8ca4de2ba16cb2df3bcba964504d06417bcbbfdb9b8618b66a08fc6e114b8939ddc
-
Filesize
676KB
MD59e736e93c050a5e7fe2c2f17ce90d8ff
SHA17e9f70e2110d964471e46e44a0b8908c25e5b31f
SHA2561cf14062b2ac57d64a6e459850d42650e53db7bc16cc24c73019fd032527b4ee
SHA51240ae3c16f2ddd941ef21303d8719cdce5e9370adc3011f956e2b64b32eaeb8ca4de2ba16cb2df3bcba964504d06417bcbbfdb9b8618b66a08fc6e114b8939ddc
-
Filesize
349KB
MD593accccb4b04886aa620a67aadbee875
SHA1a2aa9ca5200fa96b0181d5f0c21d5a5b20c70dc0
SHA25623e685fce8c605d961ddb3e3f3521bdc68908d1780f1c2b2ea39bf8201f455b4
SHA512cc21160d1677570a73986610eabcd7d3632363691d350aa6bbff5ba13d4628841c9400706f3be7615f0f4d46f720b61cddbee22f24142a0ee549191e971b8833
-
Filesize
349KB
MD593accccb4b04886aa620a67aadbee875
SHA1a2aa9ca5200fa96b0181d5f0c21d5a5b20c70dc0
SHA25623e685fce8c605d961ddb3e3f3521bdc68908d1780f1c2b2ea39bf8201f455b4
SHA512cc21160d1677570a73986610eabcd7d3632363691d350aa6bbff5ba13d4628841c9400706f3be7615f0f4d46f720b61cddbee22f24142a0ee549191e971b8833
-
Filesize
334KB
MD5deed452538c4ba7681125b84838c2b61
SHA11a91251094cd87f2a0f70bf2674471a9b6e1f883
SHA25610b82cabe8ea703b039e255d2f98fe32f68dfc00865933a2410f11542966c363
SHA5129bd7653ef92bd71ae026367b773006e01f7691a44f2d6a7c2f28b41d3981e9bb6d9291c10c5b36e4811d5a90aceaeebb356b235baae9554cea12f7ac1531e0ba
-
Filesize
334KB
MD5deed452538c4ba7681125b84838c2b61
SHA11a91251094cd87f2a0f70bf2674471a9b6e1f883
SHA25610b82cabe8ea703b039e255d2f98fe32f68dfc00865933a2410f11542966c363
SHA5129bd7653ef92bd71ae026367b773006e01f7691a44f2d6a7c2f28b41d3981e9bb6d9291c10c5b36e4811d5a90aceaeebb356b235baae9554cea12f7ac1531e0ba
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
290KB
MD5428a4a1240824d074eb888997ff7ed14
SHA1adc5a808d6e5b2c716705fb48c61676ac023a444
SHA256a7bae460114d51c17211eb0ce7d1aec920cb0f1149e00edc0908a308f8a5e604
SHA512329792337e6c2cee69abe8ac752a460a4ccd9a5c39d496c31a83285a958f7049cea660a71729a30a774ab4bb3e77e8ed371284332d77db66df829a64d63df895
-
Filesize
290KB
MD5428a4a1240824d074eb888997ff7ed14
SHA1adc5a808d6e5b2c716705fb48c61676ac023a444
SHA256a7bae460114d51c17211eb0ce7d1aec920cb0f1149e00edc0908a308f8a5e604
SHA512329792337e6c2cee69abe8ac752a460a4ccd9a5c39d496c31a83285a958f7049cea660a71729a30a774ab4bb3e77e8ed371284332d77db66df829a64d63df895
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
4.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.2MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
200KB
-
Filesize
64KB