Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/06/2023, 14:54
General
-
Target
f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
-
Size
738KB
-
MD5
f634793c58e32402a29c27eed52abe14
-
SHA1
81eb03cf0815ce31017e1bd37ac0f859f520f14c
-
SHA256
f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60
-
SHA512
8e739445af721fdda21f362d49cdf6a2bf61560b6af85bfbbd64b72c06d4a51cbf0ff44eface619c0aca6d8b785d6ef473dd4a3cacbbfb461d8c9565d91fc30f
-
SSDEEP
12288:VMrHy90we9cWZFNaYGEP4+6KPbJtA0xE1UnIM42l1pYTcDxxUPKjhr6SK1r1:WyY3ZqYG7stAvUnIM4lYIPKjl6H1Z
Malware Config
Extracted
redline
diza
83.97.73.126:19048
-
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe"C:\Users\Admin\AppData\Local\Temp\f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 5606⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2648 -ip 26481⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
531KB
MD58730e98b94bcd0f2e6e14148f80d40bc
SHA17db7a9f6883ed40306672a854ee76915336f30ae
SHA256f68554594ec7e11056ee93b4ee9dc5c4582e37fb904163bf7dad252b784e4b30
SHA512116578a2032c96224cd0c1fa83cbf2b55250cbf74e50909e76cf58dbbc4ea9a02d0b692c057d0ab94411fbf494ab071a21d65c30b5937382ba662954249a32d4
-
Filesize
531KB
MD58730e98b94bcd0f2e6e14148f80d40bc
SHA17db7a9f6883ed40306672a854ee76915336f30ae
SHA256f68554594ec7e11056ee93b4ee9dc5c4582e37fb904163bf7dad252b784e4b30
SHA512116578a2032c96224cd0c1fa83cbf2b55250cbf74e50909e76cf58dbbc4ea9a02d0b692c057d0ab94411fbf494ab071a21d65c30b5937382ba662954249a32d4
-
Filesize
359KB
MD510a396856099f237d80da3b18b4ad71f
SHA1b0af77f9f9fa47c1f13acf7220367f8cf156b0ea
SHA256b9de37e9e4670e982be798711de45d3612805752080c47c29b6bcd6d4b10d55f
SHA512ae73e2f828fb931f78736d086f8e9781e5940a57bd92cee9aa5166dfb4ea8a046b82e9e439d9337f882c75398c580d67d13d228f497c66c1d104508a9cfd7d3b
-
Filesize
359KB
MD510a396856099f237d80da3b18b4ad71f
SHA1b0af77f9f9fa47c1f13acf7220367f8cf156b0ea
SHA256b9de37e9e4670e982be798711de45d3612805752080c47c29b6bcd6d4b10d55f
SHA512ae73e2f828fb931f78736d086f8e9781e5940a57bd92cee9aa5166dfb4ea8a046b82e9e439d9337f882c75398c580d67d13d228f497c66c1d104508a9cfd7d3b
-
Filesize
172KB
MD598b7a229e10a9b04d2ede40124fc2221
SHA18efb2256d2c267cc152d54887e64854314462797
SHA25642845aed315f191fed05d14004b9296ad0acee246cb8f21642b9a43efae8e63d
SHA512ed09af41f8df242d262cdcea97330fd7b32f2777e5a5b5deeb36fad8dd9d227f23c9ac2ecc5c88e2707894437af32f85b714860740543e5c651166fa2d4ef158
-
Filesize
172KB
MD598b7a229e10a9b04d2ede40124fc2221
SHA18efb2256d2c267cc152d54887e64854314462797
SHA25642845aed315f191fed05d14004b9296ad0acee246cb8f21642b9a43efae8e63d
SHA512ed09af41f8df242d262cdcea97330fd7b32f2777e5a5b5deeb36fad8dd9d227f23c9ac2ecc5c88e2707894437af32f85b714860740543e5c651166fa2d4ef158
-
Filesize
203KB
MD5198fd07c6445abd12e0c96cca28a542a
SHA111ddef31934e1030f0b2c2bc74345a2ff7b922bc
SHA256b3bbc428e61c05f8964c55f843f52c2d4d49b1fc520df633a47d5a4e61ae9b5e
SHA5128983e8dff69099f131e440337985716b1a4497c1fcb30113857a74754dd780f0534b2ac7b99df79942e836e14536000989174fa5e8511475037704168a7b822e
-
Filesize
203KB
MD5198fd07c6445abd12e0c96cca28a542a
SHA111ddef31934e1030f0b2c2bc74345a2ff7b922bc
SHA256b3bbc428e61c05f8964c55f843f52c2d4d49b1fc520df633a47d5a4e61ae9b5e
SHA5128983e8dff69099f131e440337985716b1a4497c1fcb30113857a74754dd780f0534b2ac7b99df79942e836e14536000989174fa5e8511475037704168a7b822e
-
Filesize
120KB
MD5d53eed66cc91b6e6a17ef4dbd48941db
SHA14b569408824995114d9f2345aa59ba4cfe0b57c6
SHA25665924c1f0f7e318fd20f382547391cb746bb9e2a621e54726608279a25190780
SHA512b9298e62a019c16c1d3388a75ee85614194c80db8eec754cf6eb7dd562a546606714e1528d513d9d025b9e0225d0c8c161122d822e67524b506d950e7d0204bd
-
Filesize
120KB
MD5d53eed66cc91b6e6a17ef4dbd48941db
SHA14b569408824995114d9f2345aa59ba4cfe0b57c6
SHA25665924c1f0f7e318fd20f382547391cb746bb9e2a621e54726608279a25190780
SHA512b9298e62a019c16c1d3388a75ee85614194c80db8eec754cf6eb7dd562a546606714e1528d513d9d025b9e0225d0c8c161122d822e67524b506d950e7d0204bd
-
Filesize
14KB
MD529b0bb8fb33fe5ab4397c86f17eab2b9
SHA13237d20992f9345c386323bce9831f506dce92e7
SHA2569e991c7b04387247d471ef52fe006ac6d7a1586069745c5215cd1b71093336db
SHA512d736110fe5b22cc1ecc7d4cdde356612cb595a737c34e39ebf64fc2fade55eb841390c01a092a6f4da897994e71f60a30f62879eb9827828bad945dfc8e538b0
-
Filesize
14KB
MD529b0bb8fb33fe5ab4397c86f17eab2b9
SHA13237d20992f9345c386323bce9831f506dce92e7
SHA2569e991c7b04387247d471ef52fe006ac6d7a1586069745c5215cd1b71093336db
SHA512d736110fe5b22cc1ecc7d4cdde356612cb595a737c34e39ebf64fc2fade55eb841390c01a092a6f4da897994e71f60a30f62879eb9827828bad945dfc8e538b0
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
64KB