Analysis

  • max time kernel: 91s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220901-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/01/2023, 18:55 UTC

General

  • Target: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
  • Size: 6.2MB
  • MD5: 7854eb17b45359996f52750494cb074c
  • SHA1: 287573018d6b07b5b32fcffc63b9aa017740e4bf
  • SHA256: 7a62100d2ed5e4d93d235b30136ef5bad3ab08d0618354aacb521206ff268ff7
  • SHA512: b21d2e62e0d1c9da1ee084d2dfd137540493d1974a962853a40b95854c5c37ccfe1ae5ad29adbf0341afaeedd86ffceff81f0aaa608f41e4c8a7cb9ac17a3830
  • SSDEEP: 98304:hPVjSBqqI7eS4zgoy8KiB7+7G/spBBjYjoECUqbtMv:Tr4y8DxAG/sBBj9HUOK

Malware Config

Extracted

  • Family: redline
  • Botnet: UniverseCity101
  • C2: 80.89.228.168:5007
  • Attributes
    • auth_value: 638ab234d171305d6eb5c29368e6c632

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe (PID 4512)
    "C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4992, child of 4512)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

InstallUtil.exe is started with no assembly argument, which a legitimate InstallUtil run requires (without one it only prints its usage and exits), and the parent's SetThreadContext and WriteProcessMemory signatures are what a RunPE/process-hollowing loader produces when it writes its payload into a suspended child and redirects the child's thread to it. That reading fits the rest of the report: the C2 session in the Network section is attributed to InstallUtil.exe rather than to the dropped executable, and the process-enumeration and privilege-token signatures fire in the child, not the parent.
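The launch pattern above is easy to turn into a hunt: a non-Microsoft parent starting InstallUtil.exe with no assembly argument, followed by InstallUtil.exe itself talking to a non-web port on the internet. The following is an added example (not part of the tria.ge report) that runs that logic over constructed records shaped like Sysmon Event ID 1 and Event ID 3 fields; the records reuse only the paths, PIDs and C2 endpoint shown on this page, and the port and trusted-directory lists are assumptions.

```python
"""Hunt for the InstallUtil.exe hollowing pattern seen in this report.

Added example, not part of the tria.ge report. The event dicts mimic Sysmon
Event ID 1 (process create) and Event ID 3 (network connection) fields; the
records are constructed for this example. Port and directory lists are
assumptions about what a legitimate InstallUtil run looks like.
"""
import ipaddress
from pathlib import PureWindowsPath

# C2 taken from the extracted config on this page.
KNOWN_C2 = {("80.89.228.168", 5007)}
# Egress ports an installer run might plausibly use (assumption); anything else is flagged.
EXPECTED_PORTS = {80, 443}
# Parent locations from which an InstallUtil.exe launch is unremarkable (assumption).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _is_installutil(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "installutil.exe"


def _args_after_image(cmdline: str) -> str:
    """Return whatever follows the (possibly quoted) image path on the command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[close + 1:].strip() if close != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def _trusted_parent(parent_image: str) -> bool:
    return parent_image.lower().startswith(TRUSTED_PARENT_DIRS)


def check_process_create(ev: dict) -> list[str]:
    if not _is_installutil(ev["Image"]):
        return []
    reasons = []
    # A real installer run passes an assembly path; an argument-less launch is what a
    # RunPE/process-hollowing loader produces when it only wants a signed host binary.
    if not _args_after_image(ev["CommandLine"]):
        reasons.append("installutil_no_assembly_argument")
    if not _trusted_parent(ev["ParentImage"]):
        reasons.append("installutil_untrusted_parent")
    return reasons


def check_network_connect(ev: dict) -> list[str]:
    if not _is_installutil(ev["Image"]):
        return []
    dst = (ev["DestinationIp"], int(ev["DestinationPort"]))
    reasons = []
    if dst in KNOWN_C2:
        reasons.append("installutil_known_c2")
    # InstallUtil.exe has no reason to hold a TCP session to a non-web port on the internet.
    if ipaddress.ip_address(dst[0]).is_global and dst[1] not in EXPECTED_PORTS:
        reasons.append("installutil_nonweb_egress")
    return reasons


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map PID -> reasons, only for PIDs that produced at least one finding."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        if ev["EventID"] == 1:
            reasons = check_process_create(ev)
        elif ev["EventID"] == 3:
            reasons = check_network_connect(ev)
        else:
            reasons = []
        if reasons:
            findings.setdefault(ev["ProcessId"], []).extend(reasons)
    return findings


INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe"

# Constructed events (not sandbox output). The first two mirror the report's
# process tree and C2 flow; the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4992, "Image": INSTALLUTIL, "CommandLine": f'"{INSTALLUTIL}"',
     "ParentProcessId": 4512, "ParentImage": DROPPER},
    {"EventID": 3, "ProcessId": 4992, "Image": INSTALLUTIL,
     "DestinationIp": "80.89.228.168", "DestinationPort": 5007},
    # An admin registering a service assembly from an elevated prompt (hypothetical path).
    {"EventID": 1, "ProcessId": 1234, "Image": INSTALLUTIL,
     "CommandLine": f'"{INSTALLUTIL}" "C:\\Program Files\\Vendor\\Service.exe"',
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Background OS traffic from another process is ignored entirely.
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.78.111.198", "DestinationPort": 443},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The two process-create checks are the durable part of this rule; the C2 match is a point-in-time indicator that will age out as soon as the operator moves infrastructure, so it is kept as a separate reason rather than folded into the others.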

Network

  Destination           Process          Sent      Received  Sent pkts  Recv pkts
  80.89.228.168:5007    InstallUtil.exe  439.3kB   10.7kB    303        128
  13.78.111.198:443     -                322 B     -         7          -
  8.238.110.126:80      -                322 B     -         7          -
  88.221.25.155:80      -                322 B     -         7          -
  88.221.25.155:80      -                322 B     -         7          -
  8.238.110.126:80      -                322 B     -         7          -
  204.79.197.203:80     -                322 B     -         7          -

The column labels are inferred from the order of the unlabeled values in the report (bytes out, bytes in, packets out, packets in). Only the 80.89.228.168:5007 flow, the C2 from the extracted config, is attributed to a process, and it is attributed to InstallUtil.exe rather than to the dropped executable. The remaining port 80/443 flows each show 322 B in 7 packets with no process attribution, which looks like the sandbox host's background OS traffic rather than activity of the sample; treat those addresses as noise, not as indicators.

MITRE ATT&CK Enterprise v6


Downloads

Memory dumps are named memory/<pid>-<index>-<start>-<end>-memory.dmp.

PID 4512 (dropped executable):

  • memory/4512-132-0x0000000000300000-0x0000000000944000-memory.dmp   6.3MB
  • memory/4512-133-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp   10.8MB
  • memory/4512-137-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp   10.8MB

PID 4992 (InstallUtil.exe):

  • memory/4992-134-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  • memory/4992-136-0x00000000053A0000-0x00000000059B8000-memory.dmp   6.1MB
  • memory/4992-138-0x0000000004DF0000-0x0000000004E02000-memory.dmp   72KB
  • memory/4992-139-0x0000000004F20000-0x000000000502A000-memory.dmp   1.0MB
  • memory/4992-140-0x0000000004E50000-0x0000000004E8C000-memory.dmp   240KB
  • memory/4992-141-0x0000000005F70000-0x0000000006514000-memory.dmp   5.6MB
  • memory/4992-142-0x0000000005210000-0x00000000052A2000-memory.dmp   584KB
  • memory/4992-143-0x00000000052B0000-0x0000000005316000-memory.dmp   408KB
  • memory/4992-144-0x00000000066F0000-0x00000000068B2000-memory.dmp   1.8MB
  • memory/4992-145-0x0000000006DF0000-0x000000000731C000-memory.dmp   5.2MB
  • memory/4992-146-0x0000000006A40000-0x0000000006AB6000-memory.dmp   472KB
  • memory/4992-147-0x00000000069C0000-0x00000000069DE000-memory.dmp   120KB

In PID 4512 the 6.3MB region at 0x300000 matches the 6.2MB on-disk size of the sample, and the two 0x00007FFE... dumps are the same 10.8MB region, in the 64-bit user address range, captured twice. In PID 4992 the 224KB region at 0x400000 sits at the conventional image base of a 32-bit executable, inside a process whose host image comes from the 32-bit Framework directory, so it is the first dump to pull when looking for the unpacked RedLine payload; the larger regions in that process are more likely runtime heaps and loaded assemblies.
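Picking the right dump out of a list like the one above is mechanical: look for a region that begins with a PE image, check whether its optional header carries a CLR data directory (RedLine is a C# assembly), and compare the header's ImageBase with the region's start address to see whether the image was written at its preferred base. The following is an added example (not part of the tria.ge report) that does exactly that; the dump bytes are constructed in-line as minimal PE32 headers, not the real contents of the report's .dmp files, and the PID 9999 region name is hypothetical.

```python
"""Triage sandbox memory dumps: which regions are PE images, which are .NET,
and whether each sits at its preferred image base.

Added example, not part of the tria.ge report. The region bytes below are
synthetic minimal PE32 headers built here for illustration; only the region
names for PID 4992 are reused from the page, as labels.
"""
import re
import struct
from typing import Optional

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot that holds the CLR header
_REGION_RE = re.compile(r"-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def region_bounds(name: str) -> Optional[tuple[int, int]]:
    """Parse the start/end addresses out of a memory/<pid>-<n>-<start>-<end>-memory.dmp name."""
    m = _REGION_RE.search(name)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def parse_pe(data: bytes) -> Optional[dict]:
    """Return header facts for a PE image at offset 0, or None if the bytes are not one."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:    # PE32: ImageBase is a DWORD at +28, directories start at +96
            image_base = struct.unpack_from("<I", data, opt + 28)[0]
            ndirs_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at +24, directories start at +112
            image_base = struct.unpack_from("<Q", data, opt + 24)[0]
            ndirs_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
        clr_rva = clr_size = 0
        if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            clr_rva, clr_size = struct.unpack_from(
                "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    except struct.error:
        return None  # header truncated
    return {"machine": machine, "pe32plus": magic == 0x20B, "image_base": image_base,
            "sections": nsections, "is_dll": bool(chars & 0x2000),
            "dotnet": clr_rva != 0 and clr_size != 0}


def triage_regions(regions: dict[str, bytes]) -> list[dict]:
    """Keep only regions that start with a PE image; note whether it is .NET and at its preferred base."""
    out = []
    for name, blob in regions.items():
        facts = parse_pe(blob)
        if facts is None:
            continue
        bounds = region_bounds(name)
        out.append({"region": name, "machine": facts["machine"], "dotnet": facts["dotnet"],
                    "image_base": facts["image_base"],
                    "at_preferred_base": bounds is not None and bounds[0] == facts["image_base"]})
    return out


def build_fake_pe32(image_base: int, dotnet: bool) -> bytes:
    """Construct a minimal PE32 header (no sections, no code) for this example."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # IMAGE_FILE_MACHINE_I386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        # Made-up CLR header RVA/size; any non-zero pair marks the image as managed.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + coff + bytes(opt)


R_PAYLOAD = "memory/4992-134-0x0000000000400000-0x0000000000438000-memory.dmp"
R_HEAP = "memory/4992-140-0x0000000004E50000-0x0000000004E8C000-memory.dmp"
R_RELOC = "memory/9999-1-0x0000000000C00000-0x0000000000C40000-memory.dmp"  # hypothetical

# Constructed region contents: a managed image at its preferred base, a zero-filled
# non-PE region, and a native image that was relocated away from its preferred base.
SAMPLE_REGIONS = {
    R_PAYLOAD: build_fake_pe32(0x400000, dotnet=True),
    R_HEAP: bytes(4096),
    R_RELOC: build_fake_pe32(0x400000, dotnet=False),
}

if __name__ == "__main__":
    for hit in triage_regions(SAMPLE_REGIONS):
        print(hit)
```

On real dumps, a managed PE32 whose ImageBase equals the region's start address is the typical signature of a payload written into a hollowed host at its preferred base, and is the region to hand to a .NET decompiler first; a PE whose ImageBase disagrees with the region start has been relocated and needs its base fixed before static tools will resolve addresses correctly.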
