Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
07/06/2023, 01:07
General
-
Target
cd826afdb55e07846e823db1f9d0544ac8f9b4d411223ef4b18038c7d9e34192.exe
-
Size
722KB
-
MD5
813a4b7101896c7ac66b652eaad4f888
-
SHA1
68a78bee7a6d3fe2f34f949ab556b586806ff694
-
SHA256
cd826afdb55e07846e823db1f9d0544ac8f9b4d411223ef4b18038c7d9e34192
-
SHA512
da382775b5845f409cc2880939d8fea281b7927b60faeb3eb4c5989f192339d24f3fb5721d7b771a7fddd9b25465677b9df341714ec2b5105b56f0b82961dd8e
-
SSDEEP
12288:kMrZy907WzVqfE8LjawR0vYjgpGyb1Wg9ijinXWRvpL4eGHQGFHxeW:tygWRWjaYqGyxzNEZmHQqHxeW
Malware Config
Extracted
redline
dasa
83.97.73.126:19048
-
auth_value
7eca6ed540c2dcd359aed5b67c4eda07
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd826afdb55e07846e823db1f9d0544ac8f9b4d411223ef4b18038c7d9e34192.exe"C:\Users\Admin\AppData\Local\Temp\cd826afdb55e07846e823db1f9d0544ac8f9b4d411223ef4b18038c7d9e34192.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3370459.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3370459.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1367283.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1367283.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0549825.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0549825.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7977811.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7977811.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 5606⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0168294.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0168294.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6585035.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6585035.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2096 -ip 20961⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
523KB
MD5a2a5adf7d21db762d7ab271283a52b1c
SHA165c146665f90a434349563d472fea9212336f5d6
SHA2560fd7ea5831e7530de3f66d09d11ea28e16a6cd1ab835fc3358883334f7d7097c
SHA5121b7b97ce6d675fa4359f1cebe1c12c27b838950e5a53ec988263620836f04147028eab5dd75b9a0846926b83e028c9a1b3ebd73f0ab62885ef6ff49ea7fc1689
-
Filesize
523KB
MD5a2a5adf7d21db762d7ab271283a52b1c
SHA165c146665f90a434349563d472fea9212336f5d6
SHA2560fd7ea5831e7530de3f66d09d11ea28e16a6cd1ab835fc3358883334f7d7097c
SHA5121b7b97ce6d675fa4359f1cebe1c12c27b838950e5a53ec988263620836f04147028eab5dd75b9a0846926b83e028c9a1b3ebd73f0ab62885ef6ff49ea7fc1689
-
Filesize
351KB
MD5bf3203919b4aa2b1f174e53bbee26651
SHA1fac959bfce088172899d307cc7523af836f47a80
SHA2560c9dd9148d298a0a57eb2f8996f4ec59847d4dbe2040429ce18249c950c565a2
SHA51272aae3dfbc8a886001647d2b9d68f02a5c2973b03a1a8d4685c7cfa1e984b864c5b42995aa554bbc447c7e9b8d5a19159b1320948d75985fbcd44985f56cbf95
-
Filesize
351KB
MD5bf3203919b4aa2b1f174e53bbee26651
SHA1fac959bfce088172899d307cc7523af836f47a80
SHA2560c9dd9148d298a0a57eb2f8996f4ec59847d4dbe2040429ce18249c950c565a2
SHA51272aae3dfbc8a886001647d2b9d68f02a5c2973b03a1a8d4685c7cfa1e984b864c5b42995aa554bbc447c7e9b8d5a19159b1320948d75985fbcd44985f56cbf95
-
Filesize
172KB
MD56705f99d93ebe160aa8f828805cb58b3
SHA15e12c9fdb66c494b21fb3bf6fd84fdb351236f15
SHA256403b13c77443cfdad500f827abe883fe421fd20989a3b349fe77285351782972
SHA5124ea82672c5bfd91061098f3728d0576c102390ab2734141d44a213638ce2f6b3c058c493efb060e3651703f0920bf538fdd06113cde12552e315022e4dc01f39
-
Filesize
172KB
MD56705f99d93ebe160aa8f828805cb58b3
SHA15e12c9fdb66c494b21fb3bf6fd84fdb351236f15
SHA256403b13c77443cfdad500f827abe883fe421fd20989a3b349fe77285351782972
SHA5124ea82672c5bfd91061098f3728d0576c102390ab2734141d44a213638ce2f6b3c058c493efb060e3651703f0920bf538fdd06113cde12552e315022e4dc01f39
-
Filesize
196KB
MD5b3bfdfc2670032e37747e7831c87959c
SHA17b13168955aabf13546a3b0507d50d50d14e2aad
SHA256622c45ce898cea609cdf0f2023089c0e9791181e6250159fe7b7adff54142489
SHA512ab5ba2e69d871180bdf77b321ff23c1697ecc3c8831d91d83ca894869add702a6340034eb8d5908703138c0913be4bf8ba640b8dec653e90d95f80c1a7216837
-
Filesize
196KB
MD5b3bfdfc2670032e37747e7831c87959c
SHA17b13168955aabf13546a3b0507d50d50d14e2aad
SHA256622c45ce898cea609cdf0f2023089c0e9791181e6250159fe7b7adff54142489
SHA512ab5ba2e69d871180bdf77b321ff23c1697ecc3c8831d91d83ca894869add702a6340034eb8d5908703138c0913be4bf8ba640b8dec653e90d95f80c1a7216837
-
Filesize
100KB
MD55e4d019c530ccfedfd447de2ec864f86
SHA1c5bb96605463e184ae4e6abbe334e3f0fe049a0d
SHA256fd13d526bf4e52015be00ceb4cdef70ef9f7388f148e83693b0229ed35f30941
SHA512b3855a69f3b427f882bb98402c06c7f9987ee80fa9d735d6d5741f9afcc93d08bf7bd59699d42db7c760169dca1e965e319e043888cb94e99289a789ea3e9741
-
Filesize
100KB
MD55e4d019c530ccfedfd447de2ec864f86
SHA1c5bb96605463e184ae4e6abbe334e3f0fe049a0d
SHA256fd13d526bf4e52015be00ceb4cdef70ef9f7388f148e83693b0229ed35f30941
SHA512b3855a69f3b427f882bb98402c06c7f9987ee80fa9d735d6d5741f9afcc93d08bf7bd59699d42db7c760169dca1e965e319e043888cb94e99289a789ea3e9741
-
Filesize
11KB
MD535148121e93b2903c6ea720f4af0e8fd
SHA1ff33ed98166a08008b3d3212435c0e3707204229
SHA256a65380126b5f7615f67af3f925864e43edbee91028aa58cf9783f28a5e7f2071
SHA5125517fd5c0a0e7685ff93cf12b6fecadf9d3f57bb37a8f7d76e7db0c2914b672c1d9006efd86d081fe1f5b1afdc020a5d476534e15914f58a9b6ebc94fd41be2b
-
Filesize
11KB
MD535148121e93b2903c6ea720f4af0e8fd
SHA1ff33ed98166a08008b3d3212435c0e3707204229
SHA256a65380126b5f7615f67af3f925864e43edbee91028aa58cf9783f28a5e7f2071
SHA5125517fd5c0a0e7685ff93cf12b6fecadf9d3f57bb37a8f7d76e7db0c2914b672c1d9006efd86d081fe1f5b1afdc020a5d476534e15914f58a9b6ebc94fd41be2b
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
320KB