Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

70b6b48bf7...40.exe

windows7-x64

10

70b6b48bf7...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70b6b48bf784ae6b415d3dbac1729bf59254caf128f69925063d6ea591cf9040.exe

  • Size

    387KB

  • MD5

    cee839d483ec9c78e683386fb104096a

  • SHA1

    f488dfafead30a7418691835f7e06cce1c1ea474

  • SHA256

    70b6b48bf784ae6b415d3dbac1729bf59254caf128f69925063d6ea591cf9040

  • SHA512

    19e50c0c7672b191a63c7a64f14366e851633d586fc5b96fddae648895241b900aa195ef6cf91eee10f39aff8e472817ee2ee2198a9eb5b777e8cc41918c2acf

  • SSDEEP

    6144:K4y+bnr+Jp0yN90QEBcWGxBLXJGHA3BrudQUGTnIEZRC8blbWF40B3dIDT:0Mrpy90oWGncA3BGvoICRCYlM4W3dI/

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70b6b48bf784ae6b415d3dbac1729bf59254caf128f69925063d6ea591cf9040.exe
    "C:\Users\Admin\AppData\Local\Temp\70b6b48bf784ae6b415d3dbac1729bf59254caf128f69925063d6ea591cf9040.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7783855.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7783855.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8628717.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8628717.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3297552.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3297552.exe
        3⤵
        • Executes dropped EXE
        PID:5112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7783855.exe
    Filesize

    204KB

    MD5

    303bfb6e8fb8e82d22fb7f58a34c7e9c

    SHA1

    f7c6d5cfc7ccaf55233ecbc965f2666cc1bea708

    SHA256

    49ecc6dd1b1a2c6108a835b901d0deed7827f2b2b17f7f8141009e9ea62996b3

    SHA512

    a939cadf85c9a6f3ef425cddaee017145603d820934ab1edfef1f1e9679b85d86575dbd05e08076cc52dc8d82ac9e1290056dcdbddc26c402eeaf88394e6c72a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7783855.exe
    Filesize

    204KB

    MD5

    303bfb6e8fb8e82d22fb7f58a34c7e9c

    SHA1

    f7c6d5cfc7ccaf55233ecbc965f2666cc1bea708

    SHA256

    49ecc6dd1b1a2c6108a835b901d0deed7827f2b2b17f7f8141009e9ea62996b3

    SHA512

    a939cadf85c9a6f3ef425cddaee017145603d820934ab1edfef1f1e9679b85d86575dbd05e08076cc52dc8d82ac9e1290056dcdbddc26c402eeaf88394e6c72a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8628717.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8628717.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3297552.exe
    Filesize

    136KB

    MD5

    c773f7c32442de812c502c64a65d5ee9

    SHA1

    7a17d38ad084ba2a3162f61751cb6c8a3712d993

    SHA256

    cf029b5dc2294a3aa6235b8b6c01e4262f305a393e8ddf8e478878694520e5da

    SHA512

    e70528b6742165e273e05ce97be7e13faba690ccac76740fa5f9989334d9ddad711ef2a661aa1339004fcddaa0cfcb0195fe93e88b50ec49a16a08e4bafc035e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3297552.exe
    Filesize

    136KB

    MD5

    c773f7c32442de812c502c64a65d5ee9

    SHA1

    7a17d38ad084ba2a3162f61751cb6c8a3712d993

    SHA256

    cf029b5dc2294a3aa6235b8b6c01e4262f305a393e8ddf8e478878694520e5da

    SHA512

    e70528b6742165e273e05ce97be7e13faba690ccac76740fa5f9989334d9ddad711ef2a661aa1339004fcddaa0cfcb0195fe93e88b50ec49a16a08e4bafc035e

    Download Submit

  • memory/4800-147-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5112-152-0x00000000007D0000-0x00000000007F8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/5112-153-0x0000000007A60000-0x0000000008078000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5112-154-0x0000000007500000-0x0000000007512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5112-155-0x0000000007630000-0x000000000773A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5112-156-0x00000000075D0000-0x00000000075E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5112-157-0x0000000007560000-0x000000000759C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5112-158-0x00000000075D0000-0x00000000075E0000-memory.dmp

    Filesize

    64KB

    Download