Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ca887dd704...cd.exe

windows7-x64

10

ca887dd704...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    291s
  • max time network
    322s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca887dd704d9e5cff862551bf30e25e40ce8e0d1cc6a59b7efd99984f5b68ecd.exe

  • Size

    709KB

  • MD5

    32c439d81b4c78400821415a00b724af

  • SHA1

    4181ec36934778bc462d822b6e30e0acaaafc6d9

  • SHA256

    ca887dd704d9e5cff862551bf30e25e40ce8e0d1cc6a59b7efd99984f5b68ecd

  • SHA512

    77dd6a5f5648e4ae1d92f3e4e22b4fdf552c975cbf41fc39a25b0458f7261683478ef3b832c5867c70eaf5898f3b405599c0aee6f657d66389ba0738be30f257

  • SSDEEP

    12288:pMrcy9050+tfM4ZlcprWOCH/ule0xwNYWiSK75TA/VaUyCaWWsAfcJT:dyInRMlprWOCfule0+NYWiSWANSCVW0V

Score
10/10
redlineinfostealerpersistencespywarestealer

Malware Config

Signatures

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca887dd704d9e5cff862551bf30e25e40ce8e0d1cc6a59b7efd99984f5b68ecd.exe
    "C:\Users\Admin\AppData\Local\Temp\ca887dd704d9e5cff862551bf30e25e40ce8e0d1cc6a59b7efd99984f5b68ecd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8361521.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8361521.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4417395.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4417395.exe
        3⤵
        • Executes dropped EXE
        PID:432

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8361521.exe
    Filesize

    417KB

    MD5

    d00f6e17c7e498d6f1c3ffd92b4fd33d

    SHA1

    5209d9bfd477d3efa49173958f8ab7de8019ee86

    SHA256

    6be92cac43270ffeaaebeca4de1f2dcd6bdfb61280e9f1952f6fc9c141690a15

    SHA512

    ab8f83bf4c71e538cdd8ae4025cae7445c3780625c5e2b9a516c09c84991818ecf2e508685ff1a9b8f97efb6b26e02369c41b401b968aa9939bace20b6391a2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8361521.exe
    Filesize

    417KB

    MD5

    d00f6e17c7e498d6f1c3ffd92b4fd33d

    SHA1

    5209d9bfd477d3efa49173958f8ab7de8019ee86

    SHA256

    6be92cac43270ffeaaebeca4de1f2dcd6bdfb61280e9f1952f6fc9c141690a15

    SHA512

    ab8f83bf4c71e538cdd8ae4025cae7445c3780625c5e2b9a516c09c84991818ecf2e508685ff1a9b8f97efb6b26e02369c41b401b968aa9939bace20b6391a2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4417395.exe
    Filesize

    136KB

    MD5

    fa026d0f665cf5ca1db6b5d3460bf8f1

    SHA1

    359d1c403d42e40a2944fa9e35842bec1cb744f0

    SHA256

    27a4fc5e26fcf19a15f681613b95103f5c673c5d2a30231c108f5142e937a67a

    SHA512

    381cbcefdb53c99c58aa51d7c60904d264fe273136475a138063caa2a5756e5635ed32c5d0bad10ec65609ca6c234476ef8d6942e99c6de436ef8e26ac065084

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4417395.exe
    Filesize

    136KB

    MD5

    fa026d0f665cf5ca1db6b5d3460bf8f1

    SHA1

    359d1c403d42e40a2944fa9e35842bec1cb744f0

    SHA256

    27a4fc5e26fcf19a15f681613b95103f5c673c5d2a30231c108f5142e937a67a

    SHA512

    381cbcefdb53c99c58aa51d7c60904d264fe273136475a138063caa2a5756e5635ed32c5d0bad10ec65609ca6c234476ef8d6942e99c6de436ef8e26ac065084

    Download Submit

  • memory/432-147-0x0000000000620000-0x0000000000648000-memory.dmp

    Filesize

    160KB

    Download

  • memory/432-148-0x0000000007A40000-0x0000000008058000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/432-149-0x0000000007480000-0x0000000007492000-memory.dmp

    Filesize

    72KB

    Download

  • memory/432-150-0x00000000075B0000-0x00000000076BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/432-151-0x0000000007500000-0x000000000753C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/432-152-0x00000000074B0000-0x00000000074C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/432-153-0x00000000074B0000-0x00000000074C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/432-154-0x00000000078B0000-0x0000000007916000-memory.dmp

    Filesize

    408KB

    Download

  • memory/432-155-0x0000000008910000-0x0000000008EB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/432-156-0x0000000008440000-0x00000000084D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/432-157-0x00000000026D0000-0x0000000002720000-memory.dmp

    Filesize

    320KB

    Download

  • memory/432-158-0x00000000027E0000-0x0000000002856000-memory.dmp

    Filesize

    472KB

    Download

  • memory/432-159-0x00000000086B0000-0x0000000008872000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/432-160-0x00000000093F0000-0x000000000991C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/432-161-0x0000000002860000-0x000000000287E000-memory.dmp

    Filesize

    120KB

    Download