Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
100s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
03/05/2023, 22:12 UTC
General
-
Target
d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe
-
Size
1.4MB
-
MD5
cd720db9e9f6bd1d661936b2b5187143
-
SHA1
7f698015698b61e2a31c4b27569903fd501c040c
-
SHA256
d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d
-
SHA512
2f4534271acc77a6639dc858b0f3d3e41df102e98175298d27a42ff6275329f3261e0af58d5806ef6a65073bc638e22b6f90783b59447c70345dd38de211e79e
-
SSDEEP
24576:TyhXR5iqzOHeAi+miNjsT5SUuIKrPQ5hsic3Gc/dpm8BT:m1riqzui+psT5SUuIKrKhtc38
Malware Config
Extracted
redline
mask
217.196.96.56:4138
-
auth_value
31aef25be0febb8e491794ef7f502c50
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe"C:\Users\Admin\AppData\Local\Temp\d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0836460.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0836460.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5912512.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5912512.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9015438.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9015438.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0104675.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0104675.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6963326.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6963326.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5477546.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5477546.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3949629.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3949629.exe5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 6206⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 7006⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 8406⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 8486⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 9086⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 8366⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 11206⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 11926⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 12406⤵
- Program crash
-
-
-
-
-
Network
-
DNS56.96.196.217.in-addr.arpaRemote address:8.8.8.8:53Request56.96.196.217.in-addr.arpaIN PTRResponse -
DNS52.4.107.13.in-addr.arpaRemote address:8.8.8.8:53Request52.4.107.13.in-addr.arpaIN PTRResponse
-
DNS64.13.109.52.in-addr.arpaRemote address:8.8.8.8:53Request64.13.109.52.in-addr.arpaIN PTRResponse
-
217.196.96.56:4138 -
52.178.17.3:443 -
8.238.21.126:80
-
8.8.8.8:5356.96.196.217.in-addr.arpadns
DNS Request
56.96.196.217.in-addr.arpa
-
8.8.8.8:5352.4.107.13.in-addr.arpadns
DNS Request
52.4.107.13.in-addr.arpa
-
8.8.8.8:5364.13.109.52.in-addr.arpadns
DNS Request
64.13.109.52.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5ecfb94bcc1d1b3a27148d2b2493822ca
SHA1200ae5328dc3f457af859430ea2493d41c9263d6
SHA256776414d8868271f72ab52924eef3621fe22e627806fc90bf8ae127650214ffd0
SHA5123a15af3c9cb5b83f29fb74d2c86fcbe42b742947801520759d0f80197ddf629d3f71902c3321b6e5efd564ca362a4ce14651d35fad5712643e3994a52e4fd353
-
Filesize
1.3MB
MD5ecfb94bcc1d1b3a27148d2b2493822ca
SHA1200ae5328dc3f457af859430ea2493d41c9263d6
SHA256776414d8868271f72ab52924eef3621fe22e627806fc90bf8ae127650214ffd0
SHA5123a15af3c9cb5b83f29fb74d2c86fcbe42b742947801520759d0f80197ddf629d3f71902c3321b6e5efd564ca362a4ce14651d35fad5712643e3994a52e4fd353
-
Filesize
845KB
MD5149418b7d4713fa444bf069ecbd79a3a
SHA145bfb36fcc994a01adfc54c0f5b5d1dc73962095
SHA256b3f8e074c083405bd78305998011cd4d006fd24acd18e4a4ee363a21d5098e47
SHA51260ee4b7176316e760b7cc738fd58371f5e4c784609d88ea26a05d7da2273744d1ac9c706f36987e59516f6c10e7fe0cd2a0217a4aec42b120ee827caac8d9e31
-
Filesize
845KB
MD5149418b7d4713fa444bf069ecbd79a3a
SHA145bfb36fcc994a01adfc54c0f5b5d1dc73962095
SHA256b3f8e074c083405bd78305998011cd4d006fd24acd18e4a4ee363a21d5098e47
SHA51260ee4b7176316e760b7cc738fd58371f5e4c784609d88ea26a05d7da2273744d1ac9c706f36987e59516f6c10e7fe0cd2a0217a4aec42b120ee827caac8d9e31
-
Filesize
641KB
MD5a9d58d131b123515f970503b5dd67ba4
SHA1377a34adeb8df9c23009b4db68e4a7b11c7bf625
SHA2564c249596b47d21173de34146f989b8163514068e01c6fc85579bdd2b9fee14f2
SHA512676071eff21ec9c5aa97a68eb99b222d24c96a22de478b77aa267b8767dbeae5304118c924895c292b497c635b43e9a4ec9d91801990c90461994d3f8558a3be
-
Filesize
641KB
MD5a9d58d131b123515f970503b5dd67ba4
SHA1377a34adeb8df9c23009b4db68e4a7b11c7bf625
SHA2564c249596b47d21173de34146f989b8163514068e01c6fc85579bdd2b9fee14f2
SHA512676071eff21ec9c5aa97a68eb99b222d24c96a22de478b77aa267b8767dbeae5304118c924895c292b497c635b43e9a4ec9d91801990c90461994d3f8558a3be
-
Filesize
268KB
MD51c5f6d6cecf56c665270b12957176f04
SHA18f9a134be57bc254d4a916261762a482af902632
SHA2560ee59b47167c6255a62aeaba9c1c3a5b9d0a2dc6134125dc3bd91996c10eb4e9
SHA512b94098d935ecf9736122fb1eaa77be4b865dc462c6cf6fbd4a0d4cc2d885c83e61a36c6f1c127b06efc800e40629afd8386735514ff21ce62ca74b56000a7090
-
Filesize
268KB
MD51c5f6d6cecf56c665270b12957176f04
SHA18f9a134be57bc254d4a916261762a482af902632
SHA2560ee59b47167c6255a62aeaba9c1c3a5b9d0a2dc6134125dc3bd91996c10eb4e9
SHA512b94098d935ecf9736122fb1eaa77be4b865dc462c6cf6fbd4a0d4cc2d885c83e61a36c6f1c127b06efc800e40629afd8386735514ff21ce62ca74b56000a7090
-
Filesize
383KB
MD5a9858da4d8d68f9148cb2fdf88c968b0
SHA1dd95e412a2d1ae826aa4376f3179a4c284a6e96a
SHA25686bd0d4490ff6bd10ff0639f1d9d4d98a1a910d5dcb7d75db31d4d9c0f9efefb
SHA5121409e1ca0e0bb3388846d4b17fece4c43ff78f0cd970d25583f7d9f4992d95f85824df3dffdbd865a6fc2ca413e33865a9ad4523429acb9d05f94beb64b5baea
-
Filesize
383KB
MD5a9858da4d8d68f9148cb2fdf88c968b0
SHA1dd95e412a2d1ae826aa4376f3179a4c284a6e96a
SHA25686bd0d4490ff6bd10ff0639f1d9d4d98a1a910d5dcb7d75db31d4d9c0f9efefb
SHA5121409e1ca0e0bb3388846d4b17fece4c43ff78f0cd970d25583f7d9f4992d95f85824df3dffdbd865a6fc2ca413e33865a9ad4523429acb9d05f94beb64b5baea
-
Filesize
289KB
MD54cd759f1f1666573ef5a6756d5268424
SHA1a979ffdccaf067ac3f43865c9900608a1aefaeb0
SHA2567f677e587f427a224054bed62ce3313e9c48cfa7a17bb630b4a685a64ae08f49
SHA51230a87da5cd8a481ae724e69011bffbca7843d8f1d5b302e7338228da5cc38ed72886a766eb1239dd74d096f153d2582c3e97c2c7ad47ffb2a71eaa9bd665f97f
-
Filesize
289KB
MD54cd759f1f1666573ef5a6756d5268424
SHA1a979ffdccaf067ac3f43865c9900608a1aefaeb0
SHA2567f677e587f427a224054bed62ce3313e9c48cfa7a17bb630b4a685a64ae08f49
SHA51230a87da5cd8a481ae724e69011bffbca7843d8f1d5b302e7338228da5cc38ed72886a766eb1239dd74d096f153d2582c3e97c2c7ad47ffb2a71eaa9bd665f97f
-
Filesize
168KB
MD57a74df915b5430800ba197dafd4212e1
SHA168836a1e973bcee635351e9a5f697b27639efcb6
SHA2562a65571a76a6acb055bbcae4911cf3c5bcaad3186930c92e4b9941ccacac4618
SHA5123ead8c640f51aed743423c71747f060c1033e31c349b78cdc6ecfd196837e69c932a074881ec422c4ed8e4454dc686c199c580c6c1159ed0660e43f5a5fd2b1e
-
Filesize
168KB
MD57a74df915b5430800ba197dafd4212e1
SHA168836a1e973bcee635351e9a5f697b27639efcb6
SHA2562a65571a76a6acb055bbcae4911cf3c5bcaad3186930c92e4b9941ccacac4618
SHA5123ead8c640f51aed743423c71747f060c1033e31c349b78cdc6ecfd196837e69c932a074881ec422c4ed8e4454dc686c199c580c6c1159ed0660e43f5a5fd2b1e
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
192KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
24KB
-
Filesize
212KB
-
Filesize
2.8MB
-
Filesize
96KB
-
Filesize
508KB
-
Filesize
64KB
-
Filesize
508KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
180KB