Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d8f33974c6...f5.exe

windows7-x64

10

d8f33974c6...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    240s
  • max time network
    294s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe

  • Size

    707KB

  • MD5

    7942df7c711f153b096e16f2b5358552

  • SHA1

    04d08b5ac2b32e95a0667e07e92714e1f1801d80

  • SHA256

    d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5

  • SHA512

    3766c0b59c99941c8630addec60f87087dd80cdccc0c5eef0ff7f05256aa51e7c815ab4ff46033bd81741251872afa7a97a835ba485934fa83d5fcea58f79010

  • SSDEEP

    12288:3Mr/y90CR9ShuaUzHMpye91c/pYhy0cBOvMccLoZY/AQKMGDg5x2PX2qGWp:8yfR9ShTCsj91YyhyZE6oqoF5MOv2qd

Score
10/10
redlinediscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe
    "C:\Users\Admin\AppData\Local\Temp\d8f33974c674d3728a993226147d9c07f18e1df1ac466df9da2f0ef21cc1cbf5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4091549.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4091549.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0235717.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0235717.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8572679.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8572679.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5016 -ip 5016
    1⤵
      PID:5064

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4091549.exe
      Filesize

      416KB

      MD5

      5d3f96f0be9f0535fee85d9679ee00ca

      SHA1

      ff72cc355106ff01129d8b265e93d6f8b4245df3

      SHA256

      349e0a96f6a8615e2d258175f5addd2f17d1ea96a1d87168377f1ed2c0a2398c

      SHA512

      26aad1edd88c1879bdf888d4879bfce3979d000456916fdd5715f8f3925c5635562cc8c4d77a725b08dc5b656cf5333ddc80cb3e89ab2dc3eb45384787f59bcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4091549.exe
      Filesize

      416KB

      MD5

      5d3f96f0be9f0535fee85d9679ee00ca

      SHA1

      ff72cc355106ff01129d8b265e93d6f8b4245df3

      SHA256

      349e0a96f6a8615e2d258175f5addd2f17d1ea96a1d87168377f1ed2c0a2398c

      SHA512

      26aad1edd88c1879bdf888d4879bfce3979d000456916fdd5715f8f3925c5635562cc8c4d77a725b08dc5b656cf5333ddc80cb3e89ab2dc3eb45384787f59bcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0235717.exe
      Filesize

      136KB

      MD5

      35187463a61673cc4f7689871992ae51

      SHA1

      5a6eaaa11088b32dbd707462d783e179ccedeb2e

      SHA256

      516073795d58dfeb04728f4ccf2edd9acea3c4dd9f054cce3c710abcc29e9f38

      SHA512

      5aca38e17edf859a677f815646e6b9a2dad2777343453addbd3fa741c915d37a374ad294569bb8a885db7e383248da69d42d9af0219f4048325bb88e6719ed15

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0235717.exe
      Filesize

      136KB

      MD5

      35187463a61673cc4f7689871992ae51

      SHA1

      5a6eaaa11088b32dbd707462d783e179ccedeb2e

      SHA256

      516073795d58dfeb04728f4ccf2edd9acea3c4dd9f054cce3c710abcc29e9f38

      SHA512

      5aca38e17edf859a677f815646e6b9a2dad2777343453addbd3fa741c915d37a374ad294569bb8a885db7e383248da69d42d9af0219f4048325bb88e6719ed15

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8572679.exe
      Filesize

      360KB

      MD5

      1a76f7446c8b18fb99103eeea8013807

      SHA1

      42dd43ddc7f85fa03c9ed9d592e0a0fad0c88769

      SHA256

      37a94fb471dc4a3c0edbb5cd83f73bc2f07c1acaafe920e130716d7ab6337866

      SHA512

      5aa8898b9a5bbe874c3df6817f4cb12b484a5cb3c5416135c08d317ea6908b091eaf437053b315c137410c122e984fd137d5188186d44a8f1b4ba7b3325f450b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8572679.exe
      Filesize

      360KB

      MD5

      1a76f7446c8b18fb99103eeea8013807

      SHA1

      42dd43ddc7f85fa03c9ed9d592e0a0fad0c88769

      SHA256

      37a94fb471dc4a3c0edbb5cd83f73bc2f07c1acaafe920e130716d7ab6337866

      SHA512

      5aa8898b9a5bbe874c3df6817f4cb12b484a5cb3c5416135c08d317ea6908b091eaf437053b315c137410c122e984fd137d5188186d44a8f1b4ba7b3325f450b

      Download Submit

    • memory/3492-153-0x0000000007580000-0x0000000007590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3492-156-0x00000000084A0000-0x0000000008532000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3492-151-0x00000000075D0000-0x000000000760C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3492-152-0x0000000007580000-0x0000000007590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3492-149-0x0000000007530000-0x0000000007542000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3492-154-0x0000000008170000-0x00000000081D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3492-155-0x0000000008990000-0x0000000008F34000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3492-150-0x0000000007660000-0x000000000776A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3492-157-0x00000000086C0000-0x0000000008736000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3492-158-0x0000000008640000-0x000000000865E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3492-159-0x0000000008F40000-0x0000000009102000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3492-160-0x0000000009640000-0x0000000009B6C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3492-161-0x00000000027B0000-0x0000000002800000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3492-148-0x0000000007A90000-0x00000000080A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3492-147-0x00000000006C0000-0x00000000006E8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/5016-167-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-186-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-170-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-172-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-174-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-176-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-178-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-180-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-182-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-184-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-188-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-168-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-190-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-192-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-194-0x0000000004C60000-0x0000000004C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5016-195-0x0000000000850000-0x000000000087D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5016-196-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-197-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-198-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-199-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/5016-202-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-203-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-204-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-205-0x0000000000400000-0x00000000006F4000-memory.dmp

      Filesize

      3.0MB

      Download