Analysis

  • max time kernel
    132s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/05/2024, 15:04 UTC

General

  • Target

    27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe

  • Size

    856KB

  • MD5

    42bfe71072750a81fe1d4dcdb2f04dc2

  • SHA1

    29ac9199d705da60cd8cf27229e8dda3e6188be5

  • SHA256

    27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556

  • SHA512

    2e0f763ffc407cfce7646b3d5318d5f507808bd0e0d63d81d39d767c754ae153fbfb3a5fcfe6331a57731cb2ca34a6c586c4ca1fc059dbe7d53a657580d37021

  • SSDEEP

    12288:BMrSy90bmxzzWSvRTkc64XzHqbv0t3CEfEkkOP3QBXD/n3HPdy2U3RMAManmlbCY:PyRSSZ56gzHqbv0ZCEBcn3VlcG+nm1

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe
    "C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
        3⤵
        • Executes dropped EXE
        PID:536

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    35.166.122.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.166.122.92.in-addr.arpa
    IN PTR
    Response
    35.166.122.92.in-addr.arpa
    IN PTR
    a92-122-166-35.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 77.91.68.48:19071
    f7897423.exe
    260 B
    5
  • 77.91.68.48:19071
    f7897423.exe
    260 B
    5
  • 77.91.68.48:19071
    f7897423.exe
    260 B
    5
  • 77.91.68.48:19071
    f7897423.exe
    260 B
    5
  • 77.91.68.48:19071
    f7897423.exe
    260 B
    5
  • 77.91.68.48:19071
    f7897423.exe
    260 B
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    35.166.122.92.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    35.166.122.92.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe

    Filesize

    755KB

    MD5

    c665ba7f1cc0ab9951da7bf197b04c01

    SHA1

    52a9a7b51d225fc7f8824e713043f5143cd98d85

    SHA256

    20e5aeb19eafd1131b3f25dcb9216eecd4f38e69de3b61fc3cf290f387c2d998

    SHA512

    03e97753a06da1cfd34c137ef0d158a5525508bfd7ce993816b772a2b60bb22f3c4676598be168a529202f8ee9e8790087a7708d9a92badc0eafc1945e7290fa

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe

    Filesize

    692KB

    MD5

    40236ff6ad5d86ba9af49e6aa8feb830

    SHA1

    00c2712d3beecf509a295e340c5827db20f2e251

    SHA256

    e6a06e909f7d3e0117e5861c6ec36369f759bb0504e7f181c6ed74d997c5b25b

    SHA512

    a8cdf9c4e8e2abcae17303c6fd7a62ac63ecf07d28a069f2e4e7311352404505536c287080f5a9b617c00a3c108d3f1fc5617033a848bdda8d4ec604a36c55a3

  • memory/536-14-0x0000000000520000-0x0000000000550000-memory.dmp

    Filesize

    192KB

  • memory/536-18-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

  • memory/536-19-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/536-20-0x0000000002160000-0x0000000002166000-memory.dmp

    Filesize

    24KB

  • memory/536-21-0x00000000052B0000-0x00000000058C8000-memory.dmp

    Filesize

    6.1MB

  • memory/536-22-0x0000000004C90000-0x0000000004D9A000-memory.dmp

    Filesize

    1.0MB

  • memory/536-23-0x0000000004B20000-0x0000000004B32000-memory.dmp

    Filesize

    72KB

  • memory/536-24-0x0000000004B40000-0x0000000004B7C000-memory.dmp

    Filesize

    240KB

  • memory/536-25-0x0000000004E00000-0x0000000004E4C000-memory.dmp

    Filesize

    304KB
