Analysis

  • max time kernel
    71s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2023, 20:44

General

  • Target

    IContratoQK.msi

  • Size

    6.9MB

  • MD5

    923ec566997f9c002d9cf7397c79eb4a

  • SHA1

    2bea51e5e6ab96a4669e34a903e30a4b97580e46

  • SHA256

    9fb4b0494ce8e71c1af8bc538895731ea6da666d8efe405182baa3328aff9966

  • SHA512

    79b1f04d66d1a2b237d57c2f341dbec2e2c41df8089ef38f1f402e6b77d91224a620b6c6c424742d7f7460f5fe60aaaaaed3e3020376d514eb49df2b56eb6e35

  • SSDEEP

    196608:vSc73CzEFE2cseSF2fFpuUaMo8zcdKmGZA+:KI3CzSE2BXFBUaw9/

Malware Config

Signatures

  • Detects Redline Stealer samples 7 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\IContratoQK.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4444
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 590E2AC6A0D7F63DEE8684FD126B6282
      2⤵
      • Loads dropped DLL
      PID:2624
    • C:\Users\Admin\Desktop\Quiz Press\Glys.exe
      "C:\Users\Admin\Desktop\Quiz Press\Glys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1044

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Config.Msi\e56deed.rbs

    Filesize

    2KB

    MD5

    822be8e0fadbdc21511b6e93c9551ddb

    SHA1

    52bde4e5d2ead9539a737f79c5ae3a820a22a68b

    SHA256

    131edcbda00bc14515fe0715978dfe22afc76693a73cfd55db3ac7600eb6f7ca

    SHA512

    25c86c4f69bf76e2c2109d9422114656d1fdb8d5136788470277fe7acdfa7643f938b55b8253a0d769236494e52b122d30fbba49cebf7b0b6f03792ed09816c7

  • C:\Users\Admin\Desktop\Quiz Press\Appearance Pak.dll

    Filesize

    6.2MB

    MD5

    d18a59943631dc69a000a12bc98bf74a

    SHA1

    9cf5e9646678e23cb35dfe502072abbc01bbc7ad

    SHA256

    8c807ed34e5469717b018547509faaaf458ce95bb09128b09b6eb2dbb233f212

    SHA512

    ae74e1d42688da04b6faab491dad3595dba39daedd8382d39d37297ea0a6477eed12907f745690c376c2b9a80a2748b9c9d1263dfe1c3cb60e599a50b692c2f1

  • C:\Users\Admin\Desktop\Quiz Press\Glys.exe

    Filesize

    11.5MB

    MD5

    a6f635fe42eecac68f9ca5ba3da1f3df

    SHA1

    aa7c90dee2ffc84fc2f4cd741651fa88c3db0c1c

    SHA256

    f7a6dc8bffe41e4aecc20de117d84cc192f8855c332e24a36ff5428d3efad8ad

    SHA512

    3df5c52eafef70d7c5deb6800d00450e34e8846f0f550bcff7cc84ccb21e27977de6d17f1696dacd19c522364cbe266628e43b8df29a221d174556b6bb399b4d

  • C:\Windows\Installer\MSIDFC6.tmp

    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

  • C:\Windows\Installer\MSIE46A.tmp

    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

  • memory/1044-162-0x0000000003720000-0x0000000003D59000-memory.dmp

    Filesize

    6.2MB

  • memory/1044-164-0x00000000028D0000-0x0000000002DE0000-memory.dmp

    Filesize

    5.1MB

  • memory/1044-165-0x0000000000D20000-0x0000000000D21000-memory.dmp

    Filesize

    4KB

  • memory/1044-172-0x0000000003720000-0x0000000003D59000-memory.dmp

    Filesize

    6.2MB

  • memory/1044-174-0x0000000003720000-0x0000000003D59000-memory.dmp

    Filesize

    6.2MB

  • memory/1044-175-0x0000000003720000-0x0000000003D59000-memory.dmp

    Filesize

    6.2MB