Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/05/2023, 21:23
General
-
Target
39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe
-
Size
747KB
-
MD5
8dd5da27707c53b6acf8484d46dd4d92
-
SHA1
6ed443bd9a356033531cb51d10e4bcc28763a06f
-
SHA256
39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb
-
SHA512
aad2f44870ef31f528fff29f386a8ce4ae80b50621f5568b20d1ad4f27a88cca9a7eabf5860f5ec9dfec38e2347330b632eb9994768759e06657ea9f46f43850
-
SSDEEP
12288:hy90Hh6UtNuE8UtcKmHwGvvyrUGayqmG+MBYaTqbL4wr2fLCo7HPxsc:hyu48oakQGCrfapYaGbLZseC7
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe"C:\Users\Admin\AppData\Local\Temp\39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD53ce352927ea202aa6dcf98ba784f41a5
SHA136b7014a702f5f2bf12824503f60440a407f65a7
SHA256d31c7f72aec8e294d6c1438d3d84740b467ad114c82847338f59b4d2483ee37b
SHA512b3ae38d89d90682d44add2058e0a6a79beb1abb6983911bc3956dd8cbb66f9774951199434d6b80471af4705b8f4e17179449c4cf29eb245beef0c0e6f82f58d
-
Filesize
593KB
MD53ce352927ea202aa6dcf98ba784f41a5
SHA136b7014a702f5f2bf12824503f60440a407f65a7
SHA256d31c7f72aec8e294d6c1438d3d84740b467ad114c82847338f59b4d2483ee37b
SHA512b3ae38d89d90682d44add2058e0a6a79beb1abb6983911bc3956dd8cbb66f9774951199434d6b80471af4705b8f4e17179449c4cf29eb245beef0c0e6f82f58d
-
Filesize
377KB
MD58a7efdcc89765019e90a2d9589b178fa
SHA1decc7fdb89c1a1fe43e9ec1162c3e6d677073f84
SHA256053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d
SHA51277b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224
-
Filesize
377KB
MD58a7efdcc89765019e90a2d9589b178fa
SHA1decc7fdb89c1a1fe43e9ec1162c3e6d677073f84
SHA256053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d
SHA51277b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224
-
Filesize
459KB
MD5388ee03e27f4533505002b9374ba9db4
SHA12d16cd8e276b7c65e351bc77e36342682c689de0
SHA2563a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97
SHA512fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f
-
Filesize
459KB
MD5388ee03e27f4533505002b9374ba9db4
SHA12d16cd8e276b7c65e351bc77e36342682c689de0
SHA2563a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97
SHA512fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
280KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
4.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB