Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21/03/2023, 16:37
General
-
Target
aa0fa91bb3f31d5165eebe4ef6bb0f47efcf27a7954707d48d3bcbb2e15a50d3.exe
-
Size
876KB
-
MD5
4ba1325c05ef31e40fe483b4f3935ac8
-
SHA1
dd59e9384e5871af564fc087c6828b78ab22b4b8
-
SHA256
aa0fa91bb3f31d5165eebe4ef6bb0f47efcf27a7954707d48d3bcbb2e15a50d3
-
SHA512
7cf550e600692144d81a5f5e0486f32d67f88c9d882536f73b52fef8fa031bed013757e222d4de2f46d7bc7173ef1cd6df6dab71655dca5730899630c7af279e
-
SSDEEP
12288:HMr8y90PNUAKb8Ai/0Ewf2TIgIzeEuzQOOATit4NowjDG+i14o/Q7PAlqZCOP7fT:nyKKw2EwAZIzeEk9j/+H/mIlqCOsUV
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
relon
193.233.20.30:4125
-
auth_value
17da69809725577b595e217ba006b869
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa0fa91bb3f31d5165eebe4ef6bb0f47efcf27a7954707d48d3bcbb2e15a50d3.exe"C:\Users\Admin\AppData\Local\Temp\aa0fa91bb3f31d5165eebe4ef6bb0f47efcf27a7954707d48d3bcbb2e15a50d3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5678.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5678.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4712.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4712.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3809.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3809.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5464.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5464.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 10805⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rZO17s61.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rZO17s61.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 19204⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si550993.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si550993.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1076 -ip 10761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2640 -ip 26401⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56fbff2d7c9ba7f0a71f02a5c70df9dfc
SHA1003da0075734cd2d7f201c5b0e4779b8e1f33621
SHA256cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3
SHA51225842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f
-
Filesize
175KB
MD56fbff2d7c9ba7f0a71f02a5c70df9dfc
SHA1003da0075734cd2d7f201c5b0e4779b8e1f33621
SHA256cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3
SHA51225842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f
-
Filesize
734KB
MD5be42d717c64405633830e7ccca794390
SHA13f0715bc5276b75c55a6fe45b214338859b08f6b
SHA256ad5e6b29a82f20dddb4ca8c8b55c853adc2f7cd7b461736c60065bd3b5637236
SHA512fb3ca85f739b571b5f35ca26fe25074bbb588e9c7a75ecbe11f6c4d2438a79c05ca27dbeaf0d3319a8357c7e6138c30d334939ce8ed161f83cbf3be8b0e9207e
-
Filesize
734KB
MD5be42d717c64405633830e7ccca794390
SHA13f0715bc5276b75c55a6fe45b214338859b08f6b
SHA256ad5e6b29a82f20dddb4ca8c8b55c853adc2f7cd7b461736c60065bd3b5637236
SHA512fb3ca85f739b571b5f35ca26fe25074bbb588e9c7a75ecbe11f6c4d2438a79c05ca27dbeaf0d3319a8357c7e6138c30d334939ce8ed161f83cbf3be8b0e9207e
-
Filesize
420KB
MD579c31832aa8a0013092cf4dd1011ceae
SHA143af3656e0521bd4153c1ce927c8ba18f2be1ab2
SHA2564a01f09d37ba9d765152bc1b63255d2f034c0a44a1bee0a3078f249a4c72f39b
SHA5125879f4c97265b170c770bec5040ee9cb024f25ffd9f555c8f8b121a6b9b9631ea8c66b7f1101a90cdbdbbf2408f2b429c2cd485ded0426ac997d8930966e7b96
-
Filesize
420KB
MD579c31832aa8a0013092cf4dd1011ceae
SHA143af3656e0521bd4153c1ce927c8ba18f2be1ab2
SHA2564a01f09d37ba9d765152bc1b63255d2f034c0a44a1bee0a3078f249a4c72f39b
SHA5125879f4c97265b170c770bec5040ee9cb024f25ffd9f555c8f8b121a6b9b9631ea8c66b7f1101a90cdbdbbf2408f2b429c2cd485ded0426ac997d8930966e7b96
-
Filesize
364KB
MD58e22c32b64d9620b3741031976924dbf
SHA1ed442532a5bd9a08ef1c0609588cb71e5ecf64e0
SHA256ff6d4c087f3c25136742bbdec899c6a6d6bdb9cd8dc90c8e669b09987ecfdb39
SHA512e52cf0c648c070fd276eca2ff1424dc98a3125c6e519a0d957d76a66cb839e5914c846505524e3c3ddec221fd7a4a950ff6b98f1d84f068e71d660f061f733eb
-
Filesize
364KB
MD58e22c32b64d9620b3741031976924dbf
SHA1ed442532a5bd9a08ef1c0609588cb71e5ecf64e0
SHA256ff6d4c087f3c25136742bbdec899c6a6d6bdb9cd8dc90c8e669b09987ecfdb39
SHA512e52cf0c648c070fd276eca2ff1424dc98a3125c6e519a0d957d76a66cb839e5914c846505524e3c3ddec221fd7a4a950ff6b98f1d84f068e71d660f061f733eb
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
362KB
MD5a02c6e5b4ab9f8401c2d38aed40a98e2
SHA13db0ac149b41e153e48d7121f7593729c2ae84c6
SHA25660d7f77638d13e4a1448565ba3a2a11b3ce1496eeb9e95ed941006db0a8a0288
SHA512cef8706fcff7687fb5463f26064501f36fde0fe0119f07a31d4e2799ef273bd699cf3da58950a0cf307ec21926c41021194ef41fdb6ac109e0d4f531027127e6
-
Filesize
362KB
MD5a02c6e5b4ab9f8401c2d38aed40a98e2
SHA13db0ac149b41e153e48d7121f7593729c2ae84c6
SHA25660d7f77638d13e4a1448565ba3a2a11b3ce1496eeb9e95ed941006db0a8a0288
SHA512cef8706fcff7687fb5463f26064501f36fde0fe0119f07a31d4e2799ef273bd699cf3da58950a0cf307ec21926c41021194ef41fdb6ac109e0d4f531027127e6
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
40KB