Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
11/04/2023, 05:46
General
-
Target
5af602804ab9854a2e029ab2551c28014c5518222c6b89b4714201b6d16f6f7e.exe
-
Size
789KB
-
MD5
07cfdc249df5a4ced508137ad086971a
-
SHA1
16d9e6b2ba5f80d62a9366c48af539bde536a0ab
-
SHA256
5af602804ab9854a2e029ab2551c28014c5518222c6b89b4714201b6d16f6f7e
-
SHA512
d45213447c145132e5b2c19c17e391c271807fb76784cb570a344b867fd5e89fff36d5f3d6cd780e1c9510d619827e29ece8678057fbab1492454850f8ea4e99
-
SSDEEP
12288:AMruy900s0WHd9jKKS+Sl9gylFkl57olPBT+dw5ZNfpZwZ76EZwX91NGfUmC/g:ey2jdSxFklKrTpffZw96EZwX7SUm8g
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
nahui
176.113.115.145:4125
-
auth_value
b9ed10946d21e28d58d0c72c535cde6f
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 37 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5af602804ab9854a2e029ab2551c28014c5518222c6b89b4714201b6d16f6f7e.exe"C:\Users\Admin\AppData\Local\Temp\5af602804ab9854a2e029ab2551c28014c5518222c6b89b4714201b6d16f6f7e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigB5264.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigB5264.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDa5715.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDa5715.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it041608.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it041608.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr851823.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr851823.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp193730.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp193730.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr179467.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr179467.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 6163⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 6963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 8363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 8443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 8723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 8843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 10683⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD58f72e39dc917ec2036dc9f331f9a536f
SHA1e1c13d690c796c8824777adacaf2be4204ce0f97
SHA256173a4511cff68489f4aa2e141441f87ac3692ebb24f9771b46d6034b5970a3e3
SHA512b38fa982bf6427ab6b844896e87e652209ab7d9adf1311bfd740b5b4f428185837cc6d520ec5ac687e5b07bf4fd88ed1105a51a8dcdf450c10a34c09dc3ecc29
-
Filesize
231KB
MD58f72e39dc917ec2036dc9f331f9a536f
SHA1e1c13d690c796c8824777adacaf2be4204ce0f97
SHA256173a4511cff68489f4aa2e141441f87ac3692ebb24f9771b46d6034b5970a3e3
SHA512b38fa982bf6427ab6b844896e87e652209ab7d9adf1311bfd740b5b4f428185837cc6d520ec5ac687e5b07bf4fd88ed1105a51a8dcdf450c10a34c09dc3ecc29
-
Filesize
524KB
MD5f1a9eb9f7e0ab5d89c89b14421c0a442
SHA1d72af21e6aebc10ce57f10a76aca0e842e85e739
SHA256a73decde331a4db0a3e8b856e8a8bb4b9f706f43950aceec7ae722e5dd045adf
SHA5124974e93cbed099ca350697294d3ce423b81f2e7675b371ee7cc5fdc8e802de8dace6241d29d33d6ce16a2e86518ecd1e66225ddc595b2c0633a199598c6b358c
-
Filesize
524KB
MD5f1a9eb9f7e0ab5d89c89b14421c0a442
SHA1d72af21e6aebc10ce57f10a76aca0e842e85e739
SHA256a73decde331a4db0a3e8b856e8a8bb4b9f706f43950aceec7ae722e5dd045adf
SHA5124974e93cbed099ca350697294d3ce423b81f2e7675b371ee7cc5fdc8e802de8dace6241d29d33d6ce16a2e86518ecd1e66225ddc595b2c0633a199598c6b358c
-
Filesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
Filesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
Filesize
382KB
MD57edafe0162753938ad747d778d6684b6
SHA17ba4a82f7f02d6923b1038be3080da3ec6a5c9e6
SHA256bc679c6a5e534da70f477610c0bac36258fb4754e40e7adb97313b785fa454ef
SHA5128ff37de562e8e7b6cef4affbd7644daf43278fbc62640d36c90871ab45e518c85b2f8932364ed7c9572bafea1f54bba84e690fc473747def106531c79af0ac60
-
Filesize
382KB
MD57edafe0162753938ad747d778d6684b6
SHA17ba4a82f7f02d6923b1038be3080da3ec6a5c9e6
SHA256bc679c6a5e534da70f477610c0bac36258fb4754e40e7adb97313b785fa454ef
SHA5128ff37de562e8e7b6cef4affbd7644daf43278fbc62640d36c90871ab45e518c85b2f8932364ed7c9572bafea1f54bba84e690fc473747def106531c79af0ac60
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
299KB
MD5f9dded213b9e04efd1e73a415d99663c
SHA1cb10a88473d3b8c696bb6d8a536622bb251d1a92
SHA2568b7de51f435a647b41debf4b88987a5b9172212294b8ad687d0faa76f3c3f0fe
SHA5128b7e3126c6283483a7cfbb3d875c7081aea0d894fe5e884157822b1415d384b04d4f4a55cc41618d697cfa7a59adc45df50a98d34181268070be44e418789a67
-
Filesize
299KB
MD5f9dded213b9e04efd1e73a415d99663c
SHA1cb10a88473d3b8c696bb6d8a536622bb251d1a92
SHA2568b7de51f435a647b41debf4b88987a5b9172212294b8ad687d0faa76f3c3f0fe
SHA5128b7e3126c6283483a7cfbb3d875c7081aea0d894fe5e884157822b1415d384b04d4f4a55cc41618d697cfa7a59adc45df50a98d34181268070be44e418789a67
-
Filesize
236KB
-
Filesize
300KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
280KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB