Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/11/2024, 01:23
General
-
Target
c0906cc557a1d941baf5c44c93108918e4162b219c08e1ecaf406e428972a1b1.exe
-
Size
769KB
-
MD5
d5f36e7f809a7bd66bc99763e5f6c187
-
SHA1
81e80b9ece05cf54151f6832d1c1cff4eeca409a
-
SHA256
c0906cc557a1d941baf5c44c93108918e4162b219c08e1ecaf406e428972a1b1
-
SHA512
64af29547f9a3c76a227a7864d3c39cd0b49d35b9d66fd590393f023822482c0db024b46ffec5cd3baf29068505260074c7ac136a1ab7be41b0fa4ec484fae2a
-
SSDEEP
24576:by5kVRp4LCdSknDRLYKWTAzG5bwH5Zv4Os:O5i4LCQCeTqWmJ
Malware Config
Extracted
redline
debro
185.161.248.75:4132
-
auth_value
18c2c191aebfde5d1787ec8d805a01a8
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0906cc557a1d941baf5c44c93108918e4162b219c08e1ecaf406e428972a1b1.exe"C:\Users\Admin\AppData\Local\Temp\c0906cc557a1d941baf5c44c93108918e4162b219c08e1ecaf406e428972a1b1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7277834.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7277834.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0127805.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0127805.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5833277.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5833277.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9438043.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9438043.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
488KB
MD5dcc0a312a1e6c75114642eecfb6694c0
SHA1d44549e5ff5274c85f20a2a36077997edb7d7e7c
SHA25692dc29b3fbea075f8a22c41055ae3e37183937b6bbf28d681441539a348de6eb
SHA512aa9ccd3bc85288f9c853f14d7d4e008855c29888a9801ba69ea1e7a4833fa0aa20773461c0f27a19b66eabef9c53e42fceb1f699f478ee9209e13e5bb8212c12
-
Filesize
316KB
MD5d7d3e9de3b3cac6847c60ac08eb8472b
SHA1ad5fd4f47ba78eb0fdebb069bfa7979c8d892564
SHA256a65a82afdc5c37b9ced590c70b893cb57fb7484de274ddfab083d6b9344b5a81
SHA512eb842f4263a21586c77c523e240b6d70f9d7b3d35d979208bb952ff04077782d4f53f82b15824fbdc7f20dea06dd1123a77cd50684869f716d9235d4e539f40c
-
Filesize
185KB
MD58e4323bebeb20c095734351332c3a8e0
SHA13f1699f8003df2f6f55355fd301f102b52485e9a
SHA25622eb7af57d850d819d220a2f99763815e024b8db0e517d3927717e7ab4958930
SHA512a73c39527757dfedf46a3e74bfb5bd342132b2a92219a413174e11c555229378914fabeb526c8c7dd25254147bf3fca4eb5d3c8e07f214cc345c9c9220caf9b1
-
Filesize
168KB
MD57bf0a6a05cb1d33a8ac1a1b7d36f412b
SHA1748d0806b02ba3ae25314665cd4015447fa2b0ca
SHA2561abb4a909d681a52316d185fefcf641fe8aec388d3dddb41852d1697e7955bec
SHA512bc33425c05aad166fe9e341aa476dcd3fd5c7736f7a510b5456acb197f9b75ee1448ff3d2ab271b8b4684b299534713095e4765c1274a3357550e266e231c900
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
24KB
-
Filesize
184KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
120KB