Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

9f599ef2a8...c9.exe

windows7-x64

10

9f599ef2a8...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2023, 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f599ef2a8eacf024c118cd20e7282c9.exe

  • Size

    866KB

  • MD5

    9f599ef2a8eacf024c118cd20e7282c9

  • SHA1

    512513ff7c8be1d7cc81269bdfeb880fc8dcac7f

  • SHA256

    59ab8b3a54d198e0e9b3dfd72a23159e9c2ced61b712edbd1b64b66c31992287

  • SHA512

    a9f20dc958b54b3ace53da410c88282ff97ae21a5adbbca03aaccd147734f0bdedae5a34445fca47ed6041ef878d35bc7f980b65cf4352ea805a1244d97aa695

  • SSDEEP

    12288:/MrHy90GJB790LqQxMD91XA5fwu/q1SD2aQkYKc5INdKMot62bhs+X1D3ixhCvYv:EydPhxzAfmSD2r8rNdY8Us63CM15ep

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f599ef2a8eacf024c118cd20e7282c9.exe
    "C:\Users\Admin\AppData\Local\Temp\9f599ef2a8eacf024c118cd20e7282c9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0268.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0268.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4797.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4797.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1375Gc.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1375Gc.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:228
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85zA48.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85zA48.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dPsAe09.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dPsAe09.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1292
          4⤵
          • Program crash
          PID:612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e01Zw15.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e01Zw15.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892
    1⤵
      PID:4048

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e01Zw15.exe
      Filesize

      175KB

      MD5

      6fbff2d7c9ba7f0a71f02a5c70df9dfc

      SHA1

      003da0075734cd2d7f201c5b0e4779b8e1f33621

      SHA256

      cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

      SHA512

      25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e01Zw15.exe
      Filesize

      175KB

      MD5

      6fbff2d7c9ba7f0a71f02a5c70df9dfc

      SHA1

      003da0075734cd2d7f201c5b0e4779b8e1f33621

      SHA256

      cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

      SHA512

      25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0268.exe
      Filesize

      721KB

      MD5

      04d10e62e727597efa4d8eff2350f60b

      SHA1

      753ee960ef5c0e5f99c3eac553ed0dda45243f1c

      SHA256

      503f8cc4974e2de289d4e83aee75295797910a60936115a1e80bdd8ad1502f00

      SHA512

      23a59f98018b18f16fa69acf88cc1a31aab65f46cacc2c38a8d4fafa4c3980264b781499b31a917e5ac20bd253c546e8e92b41910d02be1d7ccbfecc171b654b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0268.exe
      Filesize

      721KB

      MD5

      04d10e62e727597efa4d8eff2350f60b

      SHA1

      753ee960ef5c0e5f99c3eac553ed0dda45243f1c

      SHA256

      503f8cc4974e2de289d4e83aee75295797910a60936115a1e80bdd8ad1502f00

      SHA512

      23a59f98018b18f16fa69acf88cc1a31aab65f46cacc2c38a8d4fafa4c3980264b781499b31a917e5ac20bd253c546e8e92b41910d02be1d7ccbfecc171b654b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dPsAe09.exe
      Filesize

      391KB

      MD5

      93100be7386a22ca9e0b9d894affbf81

      SHA1

      c026c693480f414f5b4ced30da5c2782160562c6

      SHA256

      669ff2ea211bf8e78f7cb6f856c78498c45a0d8c9823d74dc12a90bcaed9fc45

      SHA512

      60fbefa407dd5387c48f7c9d1ca772962a627fa4c46cba5cf04108406df089aaf28fbaee9ab385006f64647f312c3dc591127e2385f99b94dd6052184ae865ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dPsAe09.exe
      Filesize

      391KB

      MD5

      93100be7386a22ca9e0b9d894affbf81

      SHA1

      c026c693480f414f5b4ced30da5c2782160562c6

      SHA256

      669ff2ea211bf8e78f7cb6f856c78498c45a0d8c9823d74dc12a90bcaed9fc45

      SHA512

      60fbefa407dd5387c48f7c9d1ca772962a627fa4c46cba5cf04108406df089aaf28fbaee9ab385006f64647f312c3dc591127e2385f99b94dd6052184ae865ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4797.exe
      Filesize

      368KB

      MD5

      28c23bdf5297fcac859480073f0ff075

      SHA1

      b2e08b396e37d8b90d2adee91817e93bf14dfb4e

      SHA256

      a9fec5a8fd2c43f00cec6ce460721eeab0cf9652283724b4fe1d68bfeee4b264

      SHA512

      2905354191f8f69a0cd0fcedc6a7dcbe214667eeef5662138427a887e6893b159dfb342e9e73ea07cb41040248df37ef1b063ba6ec9473917af554cda9f7d1c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4797.exe
      Filesize

      368KB

      MD5

      28c23bdf5297fcac859480073f0ff075

      SHA1

      b2e08b396e37d8b90d2adee91817e93bf14dfb4e

      SHA256

      a9fec5a8fd2c43f00cec6ce460721eeab0cf9652283724b4fe1d68bfeee4b264

      SHA512

      2905354191f8f69a0cd0fcedc6a7dcbe214667eeef5662138427a887e6893b159dfb342e9e73ea07cb41040248df37ef1b063ba6ec9473917af554cda9f7d1c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1375Gc.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1375Gc.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85zA48.exe
      Filesize

      371KB

      MD5

      976924e22c46ae1cf95efb9d54bc3673

      SHA1

      77c06165d40773eb40bdffaf3475b95638900501

      SHA256

      f931071af98c84f1ad272065db2641e22b05e43e5c44b73173b0736b8839ee5e

      SHA512

      5cfeef761417392cdadcc85a8a7e194f1d13ce357fa7cc7eeb84f2f221d23113af8ce9f824770e6eaff8c283038d9baa04643fe22a0b8c9c4eb15842a0a0ec71

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85zA48.exe
      Filesize

      371KB

      MD5

      976924e22c46ae1cf95efb9d54bc3673

      SHA1

      77c06165d40773eb40bdffaf3475b95638900501

      SHA256

      f931071af98c84f1ad272065db2641e22b05e43e5c44b73173b0736b8839ee5e

      SHA512

      5cfeef761417392cdadcc85a8a7e194f1d13ce357fa7cc7eeb84f2f221d23113af8ce9f824770e6eaff8c283038d9baa04643fe22a0b8c9c4eb15842a0a0ec71

      Download Submit

    • memory/228-154-0x0000000000460000-0x000000000046A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1840-179-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-175-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-165-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-173-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-177-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-162-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-187-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-189-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-185-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-183-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-181-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-163-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-171-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-169-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-167-0x0000000004A60000-0x0000000004A72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1840-190-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1840-191-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1840-192-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1840-193-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/1840-195-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/1840-160-0x0000000002C60000-0x0000000002C8D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1840-161-0x0000000007120000-0x00000000076C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4348-1131-0x0000000000680000-0x00000000006B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4348-1132-0x0000000005200000-0x0000000005210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-205-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-211-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-207-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-213-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-217-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-215-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-219-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-223-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-227-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-229-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-225-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-221-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-233-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-231-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-257-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-260-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-256-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4892-261-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-1110-0x0000000007760000-0x0000000007D78000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4892-1111-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4892-1112-0x0000000007F00000-0x0000000007F12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-1113-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-1114-0x0000000007F20000-0x0000000007F5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4892-1116-0x0000000008210000-0x0000000008276000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4892-1117-0x00000000088C0000-0x0000000008952000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4892-1118-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-1119-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-1120-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-1121-0x0000000008AD0000-0x0000000008C92000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4892-1122-0x0000000008CB0000-0x00000000091DC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4892-1124-0x00000000094F0000-0x0000000009540000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4892-1123-0x0000000009460000-0x00000000094D6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4892-1126-0x0000000007160000-0x0000000007170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-209-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-203-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-201-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4892-200-0x0000000007720000-0x000000000775E000-memory.dmp

      Filesize

      248KB

      Download