Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
177s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 19:59
General
-
Target
dc49b05b71d0467bc50265f890734eeada2cd652292890b32300767a7d6638ce.exe
-
Size
707KB
-
MD5
8247238d9a9e2d2a320288651b3497e3
-
SHA1
b4725616e944457e7449f966eea8978bdcd8be07
-
SHA256
dc49b05b71d0467bc50265f890734eeada2cd652292890b32300767a7d6638ce
-
SHA512
c448dde83219eefb5b934732c41dc35afd6a48e06fdc86ffec6f2c0a7d8f6cb3f93ac1263aceef43247cea88706c615e47dbcdf1730dca8d279d955d2bf8ed78
-
SSDEEP
12288:nMrNy90+Pf1KhTmu3lQUrn9oShNjgJiyVpfrG74W4Jiz2qq68kE:eyhn15ilz2SI4y3fSMWYCqWE
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc49b05b71d0467bc50265f890734eeada2cd652292890b32300767a7d6638ce.exe"C:\Users\Admin\AppData\Local\Temp\dc49b05b71d0467bc50265f890734eeada2cd652292890b32300767a7d6638ce.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9919649.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9919649.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5256864.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5256864.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
416KB
MD5ace1eb70caee68cc2d5fee1b7023b45c
SHA1cf8a6b1dba4196fe76a336d9acbad6f4ff3ba50e
SHA256383b2ee222edd41c189cae4965d7b7cb10cb79a83a97d1f7d02997c6eb18258f
SHA512598a80b0acc3ae5065cfc3efc57075da1f71b4f0c9891c46d72c02252ac55aed6858b248ef06071d9f67189e49387b0a1378fea7ff22d421c5dbe94703ee3636
-
Filesize
416KB
MD5ace1eb70caee68cc2d5fee1b7023b45c
SHA1cf8a6b1dba4196fe76a336d9acbad6f4ff3ba50e
SHA256383b2ee222edd41c189cae4965d7b7cb10cb79a83a97d1f7d02997c6eb18258f
SHA512598a80b0acc3ae5065cfc3efc57075da1f71b4f0c9891c46d72c02252ac55aed6858b248ef06071d9f67189e49387b0a1378fea7ff22d421c5dbe94703ee3636
-
Filesize
136KB
MD5a8bce2591d56d765d792d8b6b7cbd9ee
SHA1be9c6756852c9edf30ac7afff362e28d27367433
SHA2568f7cb9ef8ed5660a4ffdaaaec4ab770dbd24f16f594e52fa2df661ae3fed80cd
SHA512d3069fdc393333e3074a281a86d1c0b63c56af2ef26c62b113cbb323927fb133889d8816576414d3062c4b38f066945fa00338e1551412224160fb27a4567a5d
-
Filesize
136KB
MD5a8bce2591d56d765d792d8b6b7cbd9ee
SHA1be9c6756852c9edf30ac7afff362e28d27367433
SHA2568f7cb9ef8ed5660a4ffdaaaec4ab770dbd24f16f594e52fa2df661ae3fed80cd
SHA512d3069fdc393333e3074a281a86d1c0b63c56af2ef26c62b113cbb323927fb133889d8816576414d3062c4b38f066945fa00338e1551412224160fb27a4567a5d
-
Filesize
160KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
320KB