Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
77s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
20/03/2023, 07:50
General
-
Target
a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe
-
Size
777KB
-
MD5
2812e6ab289fc98370f1bebd5a047b1f
-
SHA1
86c19a31ac8a0c4570fba955b58eb57f6d29e0f3
-
SHA256
a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678
-
SHA512
6fa02b02ceb1237a0e03852ab8b58f73faf39f27f47644771ac6e7c6e1a048dda6b49bcb54ec9a07c27e9fec560d5c284d90f384f64de2963c9c31b830cb3202
-
SSDEEP
12288:sMrfy90vms583lPg4FJZ/4t4lMoGtaUAxAa6j9yjuEDNFQPwL7W:LyK181PgiPgUMF5EF6j4ju6N+PwLy
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
ruka
193.233.20.28:4125
-
auth_value
5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe"C:\Users\Admin\AppData\Local\Temp\a87adefff86e4669d4f471bf1fe65b42f201fb96460353f3314bb43b4af3a678.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2953.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2953.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba2422.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba2422.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1988rF.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1988rF.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h06Lp86.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h06Lp86.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 10805⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixDXV54.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixDXV54.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 13324⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l65Na79.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l65Na79.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 404 -ip 4041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1168 -ip 11681⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
Filesize
635KB
MD59c6fd96ba8b9c691959b9d26b1350e89
SHA16b96274c982e79b064b6186114205d1b8982325e
SHA256835f275d4dafe9098042b8e04b1e33304b570e7e40ff7c6ef81caf358e89726d
SHA512afc06e6167c6fe581645b5c7235da66e2dea5a27fc558a47ae0e56a127335785397babe2f00635fa55057d682000a032f6092190f86d1fded2c4859d982b23f4
-
Filesize
635KB
MD59c6fd96ba8b9c691959b9d26b1350e89
SHA16b96274c982e79b064b6186114205d1b8982325e
SHA256835f275d4dafe9098042b8e04b1e33304b570e7e40ff7c6ef81caf358e89726d
SHA512afc06e6167c6fe581645b5c7235da66e2dea5a27fc558a47ae0e56a127335785397babe2f00635fa55057d682000a032f6092190f86d1fded2c4859d982b23f4
-
Filesize
287KB
MD5a5ff3d90880b26602631fcd20ca34f8f
SHA146f99ae04547f1e8972aebf0c38be4f04d61df56
SHA256056ac0553ad39fe48aeb2f6398c0586a4a938593dce003ebfbdf6ee77f1d47b0
SHA5124dfd0ba16ee0b3647b320a28efe0780f24293ed0fda46f540e971555b64576f5e964c78fb077e6d8c18ef2a06db2580c6d07842dd04884939895e8b3a6c92f76
-
Filesize
287KB
MD5a5ff3d90880b26602631fcd20ca34f8f
SHA146f99ae04547f1e8972aebf0c38be4f04d61df56
SHA256056ac0553ad39fe48aeb2f6398c0586a4a938593dce003ebfbdf6ee77f1d47b0
SHA5124dfd0ba16ee0b3647b320a28efe0780f24293ed0fda46f540e971555b64576f5e964c78fb077e6d8c18ef2a06db2580c6d07842dd04884939895e8b3a6c92f76
-
Filesize
314KB
MD539894d2681f47c4c61793a72bb4337f3
SHA1725d8a41b4dbda841a8c8e2df86714b1ed4fe954
SHA25637ca2b8185a8e44251cfade4fbc763e53cba8a71248e2436ebda28c27d7b3545
SHA51297205efc377b71e9de75ff864cc8d15a5e550d919be5772148a7e554f401a9e52100f0217f6f9b4f27f05733734f82002164985d7450bc104b0a8f7faa92015b
-
Filesize
314KB
MD539894d2681f47c4c61793a72bb4337f3
SHA1725d8a41b4dbda841a8c8e2df86714b1ed4fe954
SHA25637ca2b8185a8e44251cfade4fbc763e53cba8a71248e2436ebda28c27d7b3545
SHA51297205efc377b71e9de75ff864cc8d15a5e550d919be5772148a7e554f401a9e52100f0217f6f9b4f27f05733734f82002164985d7450bc104b0a8f7faa92015b
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
229KB
MD56d2ff1f0dce33590fe3b35fab58c6011
SHA1921341827661af5bfcfdc83d8dbbdb6d0c0b248d
SHA256c68e0b6db0c8a85197bb58715f3db3e226c0b712ee9adbe9f3285be22c2e8439
SHA512035c61a8928373d9591d0b24585161450cb4f4ac917f72204f21421bdbe70622b0f5c5c7e84c371a61d52dd7a1c500c32bc7054cd62e39de19c693890ec16feb
-
Filesize
229KB
MD56d2ff1f0dce33590fe3b35fab58c6011
SHA1921341827661af5bfcfdc83d8dbbdb6d0c0b248d
SHA256c68e0b6db0c8a85197bb58715f3db3e226c0b712ee9adbe9f3285be22c2e8439
SHA512035c61a8928373d9591d0b24585161450cb4f4ac917f72204f21421bdbe70622b0f5c5c7e84c371a61d52dd7a1c500c32bc7054cd62e39de19c693890ec16feb
-
Filesize
5.6MB
-
Filesize
180KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
744KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
744KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
200KB
-
Filesize
64KB