Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

42e697d8a6...ee.exe

windows7-x64

10

42e697d8a6...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee.exe

  • Size

    479KB

  • MD5

    8fa03ba8d6cf5b72d02080a57c6cd1e2

  • SHA1

    f23aff55bd0b99dd493f8d94a8369aeda50d5515

  • SHA256

    42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee

  • SHA512

    cf64ceabf769f1949948a3f064a12eee30d158f421607befa3252e3ff187f673853556a2ab66b43e1c9f7a7860dfcf14551348c8c8925fb986d7cf61432e4a92

  • SSDEEP

    6144:KRy+bnr+Ip0yN90QEnWrRQVPIF0+1YqkyJZlEYnzbPs5qJpjl9iobv6dp3yYWn3V:DMrky90QGVPIFrKPyJZbnzSUERpjv0

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee.exe
    "C:\Users\Admin\AppData\Local\Temp\42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
        3⤵
        • Executes dropped EXE
        PID:3504

Network

  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.36.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.36.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    84.150.43.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.150.43.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.b.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.b.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.38.195.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.38.195.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    45.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.8.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    160.145.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    160.145.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    141.145.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    141.145.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.103.197.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.103.197.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    177.17.30.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    177.17.30.184.in-addr.arpa
    IN PTR
    Response
    177.17.30.184.in-addr.arpa
    IN PTR
    a184-30-17-177deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    139.238.32.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    139.238.32.23.in-addr.arpa
    IN PTR
    Response
    139.238.32.23.in-addr.arpa
    IN PTR
    a23-32-238-139deploystaticakamaitechnologiescom
  • 52.242.101.226:443
    104 B
     2
  • 209.197.3.8:80
    322 B
     7
  • 52.242.101.226:443
    260 B
     5
  • 13.89.178.27:443
    322 B
     7
  • 52.242.101.226:443
    260 B
     5
  • 52.242.101.226:443
    260 B
     5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 52.242.101.226:443
    260 B
     5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 209.197.3.8:80
    322 B
     7
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 52.242.101.226:443
    260 B
     5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     160 B
     5
    4
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    260 B
     200 B
     5
    5
  • 77.91.124.111:19069
    l6355288.exe
    104 B
     80 B
     2
    2
  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    2.36.159.162.in-addr.arpa
    dns
    71 B
     133 B
     1
    1

    DNS Request

    2.36.159.162.in-addr.arpa

  • 8.8.8.8:53
    84.150.43.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    84.150.43.20.in-addr.arpa

  • 8.8.8.8:53
    4.b.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
    dns
    118 B
     204 B
     1
    1

    DNS Request

    4.b.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa

  • 8.8.8.8:53
    76.38.195.152.in-addr.arpa
    dns
    72 B
     143 B
     1
    1

    DNS Request

    76.38.195.152.in-addr.arpa

  • 8.8.8.8:53
    45.8.109.52.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    45.8.109.52.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    160.145.190.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    160.145.190.20.in-addr.arpa

  • 8.8.8.8:53
    141.145.190.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    141.145.190.20.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    14.103.197.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.103.197.20.in-addr.arpa

  • 8.8.8.8:53
    177.17.30.184.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    177.17.30.184.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    139.238.32.23.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    139.238.32.23.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
    Filesize

    308KB

    MD5

    71049c4bc5ab36dc073cf7d8ddfc7648

    SHA1

    60d686b93cedb076e2d275441bd4a0eec20853d5

    SHA256

    a72842a24243d60b2cbf4bea83f8193b582f02e2f40f19b38bb79b81dfd13ef5

    SHA512

    2a925f78d2209ad202146d6a5a12eca0d2917edb697805f9fb72a30e15f5e923defd6ed727cdf0efea6d93592d6ef3cfddce0c00d2d83c64bcf466faee3593a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
    Filesize

    308KB

    MD5

    71049c4bc5ab36dc073cf7d8ddfc7648

    SHA1

    60d686b93cedb076e2d275441bd4a0eec20853d5

    SHA256

    a72842a24243d60b2cbf4bea83f8193b582f02e2f40f19b38bb79b81dfd13ef5

    SHA512

    2a925f78d2209ad202146d6a5a12eca0d2917edb697805f9fb72a30e15f5e923defd6ed727cdf0efea6d93592d6ef3cfddce0c00d2d83c64bcf466faee3593a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
    Filesize

    176KB

    MD5

    c84ba20ff49929fab6cd9b23e9e742a6

    SHA1

    d1325e3b07eccf4a1a2acbf030341493586aa76f

    SHA256

    ecc667cc08f5d444328e7fa1c04485dbbe79d553e85a12036b078c1319d0c3e7

    SHA512

    62988e40787bf41b43fc82c90f715d79206cc98f6e6a0b2318fbecfc73b4b07004b8a40f9c31bab374a57dbcbd26654d6ed98498264d588ca029ad276cbdedba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
    Filesize

    176KB

    MD5

    c84ba20ff49929fab6cd9b23e9e742a6

    SHA1

    d1325e3b07eccf4a1a2acbf030341493586aa76f

    SHA256

    ecc667cc08f5d444328e7fa1c04485dbbe79d553e85a12036b078c1319d0c3e7

    SHA512

    62988e40787bf41b43fc82c90f715d79206cc98f6e6a0b2318fbecfc73b4b07004b8a40f9c31bab374a57dbcbd26654d6ed98498264d588ca029ad276cbdedba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
    Filesize

    136KB

    MD5

    9a5f3a1f4992096ff6972577177ec5b2

    SHA1

    34018bea2cca77008975b86b601280e753782280

    SHA256

    2cece02c68cf8f7220d30614ffa7f4f8f30548511acd6bef8f4a4bbf1e6bf725

    SHA512

    247ed5a518d67dbded2440a409c76320a45364662ed6ae3bab1810f1b56e8f901ef6bbceb33d05ded118f9e68841c096cfb06969f4f06bc88d8fd0fc1cb68ff9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
    Filesize

    136KB

    MD5

    9a5f3a1f4992096ff6972577177ec5b2

    SHA1

    34018bea2cca77008975b86b601280e753782280

    SHA256

    2cece02c68cf8f7220d30614ffa7f4f8f30548511acd6bef8f4a4bbf1e6bf725

    SHA512

    247ed5a518d67dbded2440a409c76320a45364662ed6ae3bab1810f1b56e8f901ef6bbceb33d05ded118f9e68841c096cfb06969f4f06bc88d8fd0fc1cb68ff9

    Download Submit

  • memory/1912-169-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-177-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1912-149-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-155-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-159-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-157-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-161-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-163-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-165-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-167-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-153-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-173-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-171-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-175-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-176-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1912-151-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-178-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1912-179-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1912-180-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1912-181-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1912-148-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1912-147-0x0000000004A10000-0x0000000004FB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3504-186-0x00000000003A0000-0x00000000003C8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3504-187-0x0000000007610000-0x0000000007C28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3504-188-0x00000000070B0000-0x00000000070C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3504-189-0x00000000071E0000-0x00000000072EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3504-190-0x0000000007140000-0x000000000717C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3504-191-0x00000000070F0000-0x0000000007100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3504-192-0x00000000070F0000-0x0000000007100000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.