Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

a32d74feae...4f.exe

windows7-x64

10

a32d74feae...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2023, 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe

  • Size

    896KB

  • MD5

    e01eed093c11df9172d1a70484e8f973

  • SHA1

    6a9b4f44a5d2cdab4770811543963e66f09d97ec

  • SHA256

    a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

  • SHA512

    6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

  • SSDEEP

    12288:C4a2aC3D3Lfzn7PjXNWjCT3eOPRRlWXYtvp0OjGP91pCmOBgu50x3ecZ:HsjCT6u0tP/OBgu50x3ecZ

Score
10/10
redlinematywon2discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

MatyWon2

C2

85.31.54.216:43728

Attributes
  • auth_value

    abc9e9d7ec3024110589ea03bcfaaa89

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe
    "C:\Users\Admin\AppData\Local\Temp\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe
      C:\Users\Admin\AppData\Local\Temp\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe
      2⤵
        PID:1684
      • C:\Users\Admin\AppData\Local\Temp\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe
        C:\Users\Admin\AppData\Local\Temp\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:320

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f.exe.log
      Filesize

      1KB

      MD5

      a3c82409506a33dec1856104ca55cbfd

      SHA1

      2e2ba4e4227590f8821002831c5410f7f45fe812

      SHA256

      780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203

      SHA512

      9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f

      Download Submit

    • memory/320-146-0x0000000006120000-0x0000000006186000-memory.dmp

      Filesize

      408KB

      Download

    • memory/320-144-0x00000000055A0000-0x00000000055B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/320-150-0x0000000006E20000-0x0000000006E70000-memory.dmp

      Filesize

      320KB

      Download

    • memory/320-149-0x0000000007250000-0x00000000072C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/320-138-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/320-148-0x00000000055A0000-0x00000000055B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/320-147-0x0000000006EE0000-0x00000000070A2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/320-141-0x0000000005A90000-0x00000000060A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/320-143-0x0000000005520000-0x0000000005532000-memory.dmp

      Filesize

      72KB

      Download

    • memory/320-142-0x00000000055F0000-0x00000000056FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/320-145-0x00000000055B0000-0x00000000055EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4604-133-0x0000000000390000-0x0000000000476000-memory.dmp

      Filesize

      920KB

      Download

    • memory/4604-135-0x0000000004EA0000-0x0000000004F32000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4604-134-0x0000000005450000-0x00000000059F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4604-137-0x0000000005F30000-0x000000000645C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4604-136-0x0000000004E90000-0x0000000004EA0000-memory.dmp

      Filesize

      64KB

      Download