Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d5bcbf7a78...aa.exe

windows7-x64

10

d5bcbf7a78...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe

  • Size

    930KB

  • MD5

    198488ccbd6bf1eb1e2627642659dfd1

  • SHA1

    5a2433a2ace450f461b301d8e3b14c44edaac8c9

  • SHA256

    d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa

  • SHA512

    c960031346f661955add5bd07f9b480a3fccba1feb6b2799113de31de0459e21f8bef8b8312b2a039b46ce346fc75c455f1f15dda479aa4bc0e3b0008f09d397

  • SSDEEP

    12288:ey90o5CSbqTYixb2gPny9W58Z/42fKOtNKEAFOO9ncxXaAmztd9ffBE0BpJC5yyg:eytXqNJbqJRBt8l9nchaL9REIZll

Score
10/10
redlinedarkevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dark

C2

185.161.248.73:4164

Attributes
  • auth_value

    ae85b01f66afe8770afeed560513fc2d

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe
    "C:\Users\Admin\AppData\Local\Temp\d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1256
          4⤵
          • Program crash
          PID:2496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe
      2⤵
      • Executes dropped EXE
      PID:4076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2860 -ip 2860
    1⤵
      PID:1208

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe
      Filesize

      168KB

      MD5

      16cf18c8ef1d4be89b36e27c8fb88e9d

      SHA1

      7811ba84f75a1adc6d995c2c1121ec996d1cc003

      SHA256

      116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

      SHA512

      4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe
      Filesize

      168KB

      MD5

      16cf18c8ef1d4be89b36e27c8fb88e9d

      SHA1

      7811ba84f75a1adc6d995c2c1121ec996d1cc003

      SHA256

      116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

      SHA512

      4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe
      Filesize

      777KB

      MD5

      1e000b19e66cc219ef86ab22a6138733

      SHA1

      26c2ee2b42531f3cf98a2ba496a7192a4b409eff

      SHA256

      5fc431c32cfaaea7a3f81697416096a3619c0cfbf45d87eb4cf9780d011c130d

      SHA512

      f731027ac4e898036bd9ada78f65312d0cf34d74c2be5565614d11d16f2397a734b8c243aa6f5dbd5a14cc6a88494171bc01f0d931a72304b418c426644132fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe
      Filesize

      777KB

      MD5

      1e000b19e66cc219ef86ab22a6138733

      SHA1

      26c2ee2b42531f3cf98a2ba496a7192a4b409eff

      SHA256

      5fc431c32cfaaea7a3f81697416096a3619c0cfbf45d87eb4cf9780d011c130d

      SHA512

      f731027ac4e898036bd9ada78f65312d0cf34d74c2be5565614d11d16f2397a734b8c243aa6f5dbd5a14cc6a88494171bc01f0d931a72304b418c426644132fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe
      Filesize

      299KB

      MD5

      77fed822d8705ba474bb9cc0e48ea8ee

      SHA1

      03eb75e2cebed09f554d6533eedf938a3bba75c6

      SHA256

      16376c564d6695ec93e6133af6bc561c82377cf997ed21fd3d8467284b09b846

      SHA512

      cc89e5f43e19f4d6cf8ec3f9208f05af48866696123424fa3c86ccc7064a5f5809379ee50d03fffabd0d89c8411727142b57745c539ac6c0e15385182cdda4e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe
      Filesize

      299KB

      MD5

      77fed822d8705ba474bb9cc0e48ea8ee

      SHA1

      03eb75e2cebed09f554d6533eedf938a3bba75c6

      SHA256

      16376c564d6695ec93e6133af6bc561c82377cf997ed21fd3d8467284b09b846

      SHA512

      cc89e5f43e19f4d6cf8ec3f9208f05af48866696123424fa3c86ccc7064a5f5809379ee50d03fffabd0d89c8411727142b57745c539ac6c0e15385182cdda4e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe
      Filesize

      589KB

      MD5

      759a1fc0c5de36cf21be294ddec2cce5

      SHA1

      73f7d7175b04385c72aa7e328b227491767c805a

      SHA256

      44d81cb98a5268cd36f552c7676f03c1a10680a01198782adc19ae6db67bc30a

      SHA512

      03d091e6b9fd455a44e4d20ece607157115765f82bba45747e616667150a77f719d91865fba7e08c4928ec4abfc17bb83e19f2eb8a2c30a11af2a07b1c5fb179

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe
      Filesize

      589KB

      MD5

      759a1fc0c5de36cf21be294ddec2cce5

      SHA1

      73f7d7175b04385c72aa7e328b227491767c805a

      SHA256

      44d81cb98a5268cd36f552c7676f03c1a10680a01198782adc19ae6db67bc30a

      SHA512

      03d091e6b9fd455a44e4d20ece607157115765f82bba45747e616667150a77f719d91865fba7e08c4928ec4abfc17bb83e19f2eb8a2c30a11af2a07b1c5fb179

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • memory/1268-167-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-206-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-163-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-165-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-159-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-166-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-169-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-170-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-174-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-176-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-178-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-180-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-182-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-184-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-186-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-188-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-190-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-192-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-194-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-196-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-198-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-200-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-202-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-204-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-161-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-208-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-210-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-212-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-214-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-2280-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-157-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-155-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-149-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-153-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-151-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1268-147-0x0000000004AD0000-0x0000000005074000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1268-148-0x00000000049B0000-0x0000000004A01000-memory.dmp

      Filesize

      324KB

      Download

    • memory/1504-2295-0x00000000006E0000-0x00000000006EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2860-4447-0x0000000005760000-0x00000000057F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2860-2460-0x0000000000A80000-0x0000000000A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-2458-0x0000000000A80000-0x0000000000A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-4448-0x0000000000A80000-0x0000000000A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-2454-0x0000000000910000-0x000000000096B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2860-2456-0x0000000000A80000-0x0000000000A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-4454-0x00000000000F0000-0x0000000000120000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4076-4456-0x0000000005030000-0x0000000005648000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4076-4457-0x0000000004B20000-0x0000000004C2A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4076-4458-0x0000000004A40000-0x0000000004A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4076-4459-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4076-4460-0x0000000004A00000-0x0000000004A10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-4461-0x0000000004A00000-0x0000000004A10000-memory.dmp

      Filesize

      64KB

      Download