Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
21/03/2023, 13:36
General
-
Target
135b219a0448601c15b9ef7988ecd95ae10c145c81c35b0371464852ce8bd664.exe
-
Size
876KB
-
MD5
d62988730da168a6b7a3994efed12984
-
SHA1
998c354e8118548e29c6a3c2edaf90b04b8e42a5
-
SHA256
135b219a0448601c15b9ef7988ecd95ae10c145c81c35b0371464852ce8bd664
-
SHA512
6ca4f7c090d1f7f1cfb4258a00af5e8a3a47777ce64113220657864fe36cf91e32fb59d5de41e0c7f9f57d2a2c6b95ba0203bbaac56e0963e1d13655f34016d8
-
SSDEEP
12288:HMrSy90iTOObkb9JJ76EAKR9xwamc0zia0P9yLqSOfrtdEEkaZfvvzZtlEw1vNoY:VynUJJeEAYjwamB+4pursS1fZ
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
relon
193.233.20.30:4125
-
auth_value
17da69809725577b595e217ba006b869
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\135b219a0448601c15b9ef7988ecd95ae10c145c81c35b0371464852ce8bd664.exe"C:\Users\Admin\AppData\Local\Temp\135b219a0448601c15b9ef7988ecd95ae10c145c81c35b0371464852ce8bd664.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7620.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7620.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7335.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7335.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9384.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9384.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu9844.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu9844.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 10805⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ryA79s20.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ryA79s20.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 11044⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si705113.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si705113.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3136 -ip 31361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2116 -ip 21161⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56fbff2d7c9ba7f0a71f02a5c70df9dfc
SHA1003da0075734cd2d7f201c5b0e4779b8e1f33621
SHA256cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3
SHA51225842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f
-
Filesize
175KB
MD56fbff2d7c9ba7f0a71f02a5c70df9dfc
SHA1003da0075734cd2d7f201c5b0e4779b8e1f33621
SHA256cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3
SHA51225842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f
-
Filesize
734KB
MD5f3d4af7fc6a8351e3da8da16959be08a
SHA1e62b5f13e43c3bb2333a6fe270be6e3fd1427648
SHA256ca24a6378a125cdb134fd1dabef378bb2ed955d461625466d11af857ce03cf68
SHA512e70e89b4cabe4e8f0c9f7902f3c116f8a7a431ad180aab6a1bc8e09035dccbcc164f7f340398c00d8395115f2c91d9fc47a489eb304de31b685d97eafaeee475
-
Filesize
734KB
MD5f3d4af7fc6a8351e3da8da16959be08a
SHA1e62b5f13e43c3bb2333a6fe270be6e3fd1427648
SHA256ca24a6378a125cdb134fd1dabef378bb2ed955d461625466d11af857ce03cf68
SHA512e70e89b4cabe4e8f0c9f7902f3c116f8a7a431ad180aab6a1bc8e09035dccbcc164f7f340398c00d8395115f2c91d9fc47a489eb304de31b685d97eafaeee475
-
Filesize
420KB
MD5c8d85eb632fee1207d188cd6c15dee4b
SHA1846b3608f3505631c914ce2d0f5ee5a1863cc0f5
SHA25679f0b96f08603686fd9fb633929e2411a9547ac12eb95940245542e4d3c05d4f
SHA512a1708236e7a9359fe5e046a2e3c901e09733d2d128c392164cc94e7b924074cdd6d4e90a266dfab63bb4b4f95c524ce6bb87b5c835c27c9ccd09c47eea45fdeb
-
Filesize
420KB
MD5c8d85eb632fee1207d188cd6c15dee4b
SHA1846b3608f3505631c914ce2d0f5ee5a1863cc0f5
SHA25679f0b96f08603686fd9fb633929e2411a9547ac12eb95940245542e4d3c05d4f
SHA512a1708236e7a9359fe5e046a2e3c901e09733d2d128c392164cc94e7b924074cdd6d4e90a266dfab63bb4b4f95c524ce6bb87b5c835c27c9ccd09c47eea45fdeb
-
Filesize
363KB
MD5242c8194a3461c142fa3de3962a6d00f
SHA14e70a0c139e6a7b88079449ac4596ebb66bdebfd
SHA256445343c54372153a52a80cbba63a6dc2c366e1607c8bdebf770b64770541fe83
SHA5129dc86e9d0f6dda415869474b49457a2e438229672c2c50bbcd48a6adf916cfd8232e4133c8362784b52a1b99b0c67a4f6e7fb7c4b389bb7915a72dffbf98c2b1
-
Filesize
363KB
MD5242c8194a3461c142fa3de3962a6d00f
SHA14e70a0c139e6a7b88079449ac4596ebb66bdebfd
SHA256445343c54372153a52a80cbba63a6dc2c366e1607c8bdebf770b64770541fe83
SHA5129dc86e9d0f6dda415869474b49457a2e438229672c2c50bbcd48a6adf916cfd8232e4133c8362784b52a1b99b0c67a4f6e7fb7c4b389bb7915a72dffbf98c2b1
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
363KB
MD52acb26bda053309f8a4faca904cb8fa8
SHA1afc2e0718cea60321de032e2467b1642b180abf5
SHA2568bb8469fd4abce935fdfc169e62d5355cd014bf801c9c22d6e666941a5435afb
SHA5129bf2c2af191579da44e60d667ceb345c2bb9d565e039df62901482828ba8fc7aa52e784c852c16758d39aa421df313f3f6c93a272b460170179ef5f49ececab0
-
Filesize
363KB
MD52acb26bda053309f8a4faca904cb8fa8
SHA1afc2e0718cea60321de032e2467b1642b180abf5
SHA2568bb8469fd4abce935fdfc169e62d5355cd014bf801c9c22d6e666941a5435afb
SHA5129bf2c2af191579da44e60d667ceb345c2bb9d565e039df62901482828ba8fc7aa52e784c852c16758d39aa421df313f3f6c93a272b460170179ef5f49ececab0
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
200KB
-
Filesize
64KB