Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

0x00090000...78.exe

windows7-x64

10

0x00090000...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2023, 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x00090000000122f0-78.exe

  • Size

    173KB

  • MD5

    9985299c79d85861ea6054e7d3d4c8ea

  • SHA1

    0399b9100444773b07bbcfcbe4afdcb434bb1e31

  • SHA256

    748d43bd2a3f1d223e109989f65165d4c794bdbce6531ed70ad74e967122aaa0

  • SHA512

    1e727a9f643f68445c299c7e1566fd5fea9b43792d3f6ca6c3666a3004ac9bd48b6a3468d439e58bbd60fe86033cbfdb493ef2781482cc639346098b172b93af

  • SSDEEP

    1536:gtaPgzl736sv0W7Tp8JFrH4ySLn1nbAxNTIYQ/dbumgzeFra6l0GkR88e8hZ:g6gJBO0y6RbAxNjgOqFra6l/8e8hZ

Score
10/10
redlinedizadiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x00090000000122f0-78.exe
    "C:\Users\Admin\AppData\Local\Temp\0x00090000000122f0-78.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4916

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4916-133-0x0000000000730000-0x0000000000760000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4916-134-0x000000000AB10000-0x000000000B128000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4916-135-0x000000000A680000-0x000000000A78A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4916-136-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4916-137-0x000000000A620000-0x000000000A65C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4916-138-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4916-139-0x000000000A930000-0x000000000A9A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4916-140-0x000000000AA50000-0x000000000AAE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4916-141-0x000000000B6E0000-0x000000000BC84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4916-142-0x000000000B230000-0x000000000B296000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4916-143-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4916-144-0x000000000BF60000-0x000000000C122000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4916-145-0x000000000C660000-0x000000000CB8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4916-146-0x000000000BE10000-0x000000000BE60000-memory.dmp

    Filesize

    320KB

    Download