Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
25/05/2023, 05:18
General
-
Target
3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807.exe
-
Size
981KB
-
MD5
70affd33075fc31907557f427292f2c3
-
SHA1
091f3702b1caec8d0841f5b4ca5efd36af45d724
-
SHA256
3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807
-
SHA512
cb731bae7ccb31b99e110ef7ce3c6076e55beb7dc26efaad3bc9b0c362dbf3c248ea9baf6e5328f9e68aae9e9eb57139d1af363278cd5382e9e0fe977cd15a7a
-
SSDEEP
24576:LytlnJS+SnwMT+JUf9TGWShlidzpmWho0IWhOBrff:+jn03FCJ4GDhleho0PM
Malware Config
Extracted
redline
maxi
83.97.73.122:19062
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Extracted
redline
haval
83.97.73.122:19062
-
auth_value
d23dec6813deb04eb8abd82657a9b0af
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807.exe"C:\Users\Admin\AppData\Local\Temp\3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3053132.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3053132.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8989295.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8989295.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6972251.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6972251.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6358432.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6358432.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1244742.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1244742.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8912929.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8912929.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
328KB
MD5d1cf1a458b0d74ee497a74e98c5eb222
SHA1563ef7e8f092cee73b09ae5f5e1d0016a16273e7
SHA2563a5ba93d08b32e575069b812b50dbdbb0249464cc584b3ced8ead3e444bd452a
SHA512d42dca2b0d5e15c801d48eefe0087abaa2d4d5c21c9ce04cce80c7615e0f4e25c0664b6eb5a6640934defe5ca459de587ebb6923aeed998c4c32e8fb137ce39b
-
Filesize
328KB
MD5d1cf1a458b0d74ee497a74e98c5eb222
SHA1563ef7e8f092cee73b09ae5f5e1d0016a16273e7
SHA2563a5ba93d08b32e575069b812b50dbdbb0249464cc584b3ced8ead3e444bd452a
SHA512d42dca2b0d5e15c801d48eefe0087abaa2d4d5c21c9ce04cce80c7615e0f4e25c0664b6eb5a6640934defe5ca459de587ebb6923aeed998c4c32e8fb137ce39b
-
Filesize
661KB
MD5e7ceafb51d8d0b19d6697b448063c0a7
SHA1a1ed7dc09c8f1556591f5e1fa56afffcf4ebd54f
SHA256fba970cd92b6dc7c34f6f031c74a90189f01f8539ef94842d95eeba3bb3aedc1
SHA512d0f170fffb8452188ae5cdfead953e9ee0598696ad98346c0a686e981b03e18a6aef7aff3d8670673b359d1d24905dfe085743dfe7210737b03c1dd06e42a049
-
Filesize
661KB
MD5e7ceafb51d8d0b19d6697b448063c0a7
SHA1a1ed7dc09c8f1556591f5e1fa56afffcf4ebd54f
SHA256fba970cd92b6dc7c34f6f031c74a90189f01f8539ef94842d95eeba3bb3aedc1
SHA512d0f170fffb8452188ae5cdfead953e9ee0598696ad98346c0a686e981b03e18a6aef7aff3d8670673b359d1d24905dfe085743dfe7210737b03c1dd06e42a049
-
Filesize
387KB
MD569633724577ada814a52222b0916b57e
SHA141a8f00abc66539d28afc7bca1d28af3254eb300
SHA256699fc6c40db462423adc824c33a9d29ba88c67d63b1ee07a8cba1dad595ede4e
SHA512d6e31894fd2ec1cecbd3201345670ee951f5df6a5658377e0526b97f2a7b95f2e5e764a12bcbbbe4b2df1c1ad9384da1c66676870c44bddd6debd96a0eb3c97a
-
Filesize
387KB
MD569633724577ada814a52222b0916b57e
SHA141a8f00abc66539d28afc7bca1d28af3254eb300
SHA256699fc6c40db462423adc824c33a9d29ba88c67d63b1ee07a8cba1dad595ede4e
SHA512d6e31894fd2ec1cecbd3201345670ee951f5df6a5658377e0526b97f2a7b95f2e5e764a12bcbbbe4b2df1c1ad9384da1c66676870c44bddd6debd96a0eb3c97a
-
Filesize
280KB
MD539cb07a50a33ba1aacde92ea73c045d4
SHA10d22044a2d8027ec15e3f817ff7aa759a290c188
SHA2563d38dca1139794719fdfdfca7ce665b52b544e2ca8f4c60f31152bdfe570ca71
SHA512eb6b0b996650605932e32b8ded51a9a9d71cf5bf1aa66b19a32836386ba16aca72fc63e63ab5378ef42c4881d30acb54b533149604a6fd0795c6fdcf1f445b8e
-
Filesize
280KB
MD539cb07a50a33ba1aacde92ea73c045d4
SHA10d22044a2d8027ec15e3f817ff7aa759a290c188
SHA2563d38dca1139794719fdfdfca7ce665b52b544e2ca8f4c60f31152bdfe570ca71
SHA512eb6b0b996650605932e32b8ded51a9a9d71cf5bf1aa66b19a32836386ba16aca72fc63e63ab5378ef42c4881d30acb54b533149604a6fd0795c6fdcf1f445b8e
-
Filesize
194KB
MD5034232da3b384f62a84a081bb308b69e
SHA1d5993ef9a9a1c93a19fe52b693ed297e774cbae9
SHA256b50e6039a399b92df26bdf142fbadf9c8d43aeb15228553792785775b1eec6aa
SHA512d93533d1bc12523d1ac3eca198c8c8b2e8a2eb6e0178e22c2cd321ef3879d08ecca939b4ff860282e08addbc3708e9099ca69a228d7bac9a93ff4686420bee8e
-
Filesize
194KB
MD5034232da3b384f62a84a081bb308b69e
SHA1d5993ef9a9a1c93a19fe52b693ed297e774cbae9
SHA256b50e6039a399b92df26bdf142fbadf9c8d43aeb15228553792785775b1eec6aa
SHA512d93533d1bc12523d1ac3eca198c8c8b2e8a2eb6e0178e22c2cd321ef3879d08ecca939b4ff860282e08addbc3708e9099ca69a228d7bac9a93ff4686420bee8e
-
Filesize
145KB
MD50f412217401e2bc56d2202e3a12a148c
SHA100432fc244d4d3ee33c93b30ce68a4010f1665ab
SHA2565e498b91a2053ec2af3e1c04099f27eb854c5e5e379f4325755dc13a0c00e3e7
SHA512742d0022eb1623cdc0592274866bc9e81c471be275749d0d9ae9510ad78fbeee435a5bb0dc1a384f4c8c22cc3c14b2f23ddd18598a42b41c5bc22f3050eb715d
-
Filesize
145KB
MD50f412217401e2bc56d2202e3a12a148c
SHA100432fc244d4d3ee33c93b30ce68a4010f1665ab
SHA2565e498b91a2053ec2af3e1c04099f27eb854c5e5e379f4325755dc13a0c00e3e7
SHA512742d0022eb1623cdc0592274866bc9e81c471be275749d0d9ae9510ad78fbeee435a5bb0dc1a384f4c8c22cc3c14b2f23ddd18598a42b41c5bc22f3050eb715d
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
168KB
-
Filesize
5.6MB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
168KB
-
Filesize
64KB