Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
11/04/2023, 00:21
General
-
Target
1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe
-
Size
924KB
-
MD5
b05d76bd5741761e8f77eb6dea4e30f5
-
SHA1
7786e298b16004c1c8d08bab405a64bc88bea0bb
-
SHA256
1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a
-
SHA512
50eb19baad322e7e25167a15417a2ac4d00496c70f13c538cb5ec83fabe39be884391b7add0ef7c7fd82c7cc76e092dbdd0dfdf6d786c2a6a753661b08f479b4
-
SSDEEP
24576:5yoHQ854Ms7vD/EzNeSJg9re196/QZ650q8:soHQ8y7DqeSJg9r22t0
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
nahui
176.113.115.145:4125
-
auth_value
b9ed10946d21e28d58d0c72c535cde6f
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe"C:\Users\Admin\AppData\Local\Temp\1b4fa3c9d1a0fc2523e252994157501cb36c6418b5023ec73cea5462deaa6e4a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124478.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un124478.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un707191.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un707191.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr239432.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr239432.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160502.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160502.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk081201.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk081201.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si095037.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si095037.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 6243⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 7083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 7763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 8443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 8763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 8523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 10803⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230KB
MD54be9d89cb3308ce100c56b5bdbccafac
SHA1274f57114096a555ece5bcd983fd670f4f971ece
SHA2569f5400b19dabef76d3c52058cb5709d323dfd42387cc2202cde0e92016e3bdc9
SHA5121095ae9191de62663ce440bc9adfab1ea609c1458d547e43ec309561fde518f45f0820bb699f0c9a771cc9c3a2703b86086a3767c5e2d10bf829f2a668f8175f
-
Filesize
230KB
MD54be9d89cb3308ce100c56b5bdbccafac
SHA1274f57114096a555ece5bcd983fd670f4f971ece
SHA2569f5400b19dabef76d3c52058cb5709d323dfd42387cc2202cde0e92016e3bdc9
SHA5121095ae9191de62663ce440bc9adfab1ea609c1458d547e43ec309561fde518f45f0820bb699f0c9a771cc9c3a2703b86086a3767c5e2d10bf829f2a668f8175f
-
Filesize
660KB
MD5e4e6d3640e0f4a3bb0dba13e2a6e50b1
SHA14f3f83398b34084cb327d3685681f21252346e49
SHA2562b007d4cc02396a720a93b9c7cebe7de37c6fe3317251e41a3258d3b1ea3f5d6
SHA51226b4948580639e92c6733a5a79e15a45e3a2512e065654f57642240ab7b982192177a563dd84ef3b0a89168ebff9760ced24b847562d0194ad7bc43cac12a51c
-
Filesize
660KB
MD5e4e6d3640e0f4a3bb0dba13e2a6e50b1
SHA14f3f83398b34084cb327d3685681f21252346e49
SHA2562b007d4cc02396a720a93b9c7cebe7de37c6fe3317251e41a3258d3b1ea3f5d6
SHA51226b4948580639e92c6733a5a79e15a45e3a2512e065654f57642240ab7b982192177a563dd84ef3b0a89168ebff9760ced24b847562d0194ad7bc43cac12a51c
-
Filesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
Filesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
Filesize
518KB
MD597d529a903c811fd5142c1436958e4bc
SHA14a77c88eb83f8b0cd132f9d4dbe8ed554c6c7d0d
SHA25671fd6226001c707287ad6d7aae7d1174ad6aa21352c2ccbeff8c4402b2601bfa
SHA5122ab8fb7b3198e64fcfb8215a7dc64b79e26f7b1dd4c1b2b0f0a965204cff37217e65cc5cf655d8c0c8bbd5d07ebcbdd6ac1ec456dc6269937ba76564512b2f0e
-
Filesize
518KB
MD597d529a903c811fd5142c1436958e4bc
SHA14a77c88eb83f8b0cd132f9d4dbe8ed554c6c7d0d
SHA25671fd6226001c707287ad6d7aae7d1174ad6aa21352c2ccbeff8c4402b2601bfa
SHA5122ab8fb7b3198e64fcfb8215a7dc64b79e26f7b1dd4c1b2b0f0a965204cff37217e65cc5cf655d8c0c8bbd5d07ebcbdd6ac1ec456dc6269937ba76564512b2f0e
-
Filesize
238KB
MD5d265c39e6a330a862d7471deb8b1d862
SHA1ae4029f1b8db6b055b4239e86e8e96b456917fbb
SHA2564ec2fb806808d376d72f83d0c9a4ba35afaa58ef9f066b8d21b70d24dae8516e
SHA5125689d72e9def89f1746b44668b5ccedbe7366fdc5d1fe7b05b128ff71327fd76f56c6a5430ab0c2262ab1dc869d3ffe22ad808cb771505e9c32b81cbff26599c
-
Filesize
238KB
MD5d265c39e6a330a862d7471deb8b1d862
SHA1ae4029f1b8db6b055b4239e86e8e96b456917fbb
SHA2564ec2fb806808d376d72f83d0c9a4ba35afaa58ef9f066b8d21b70d24dae8516e
SHA5125689d72e9def89f1746b44668b5ccedbe7366fdc5d1fe7b05b128ff71327fd76f56c6a5430ab0c2262ab1dc869d3ffe22ad808cb771505e9c32b81cbff26599c
-
Filesize
297KB
MD5719ab766f5df705c5acad58ec3844c1b
SHA1d845969ba7885e5f9a484d1cb36cdfba5fc2d885
SHA2560ee5a7e86c29e6dd99bd5f4485dcb53ad6788663901901071d612ac8ed4fbc0c
SHA512fd1d5ac9220df4419505528e37d65bf7a709ca6b9b1547f8520bd59e3975ab2aaead6c9c42a12a71b431308bf4e16d61561ea849019fb5044242f1d5bee50366
-
Filesize
297KB
MD5719ab766f5df705c5acad58ec3844c1b
SHA1d845969ba7885e5f9a484d1cb36cdfba5fc2d885
SHA2560ee5a7e86c29e6dd99bd5f4485dcb53ad6788663901901071d612ac8ed4fbc0c
SHA512fd1d5ac9220df4419505528e37d65bf7a709ca6b9b1547f8520bd59e3975ab2aaead6c9c42a12a71b431308bf4e16d61561ea849019fb5044242f1d5bee50366
-
Filesize
236KB
-
Filesize
248KB
-
Filesize
252KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
680KB
-
Filesize
72KB
-
Filesize
680KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.0MB
-
Filesize
180KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
200KB