Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

07ebb70eb0...5f.exe

windows7-x64

3

07ebb70eb0...5f.exe

windows10-2004-x64

10

0b4bb67302...ca.exe

windows10-2004-x64

9

0fbb8ff4cb...49.exe

windows10-2004-x64

10

108e20eafa...c7.exe

windows7-x64

3

108e20eafa...c7.exe

windows10-2004-x64

10

1522207077...0f.exe

windows10-2004-x64

10

23fcf9bc69...25.exe

windows10-2004-x64

10

2ca9135451...23.exe

windows7-x64

3

2ca9135451...23.exe

windows10-2004-x64

10

42f53acaac...33.exe

windows10-2004-x64

10

45af188d23...c0.exe

windows10-2004-x64

10

82fa18f52c...32.exe

windows7-x64

3

82fa18f52c...32.exe

windows10-2004-x64

10

8672d19897...4f.exe

windows10-2004-x64

10

8ceedf9abd...f7.exe

windows10-2004-x64

10

99cc81196c...15.exe

windows7-x64

3

99cc81196c...15.exe

windows10-2004-x64

10

a2aa61942b...83.exe

windows7-x64

3

a2aa61942b...83.exe

windows10-2004-x64

10

c467adbd48...9e.exe

windows10-2004-x64

10

f7dfe59831...a0.exe

windows10-2004-x64

10

fc29a80a1c...7d.exe

windows10-2004-x64

10

fdc14a13fe...6d.exe

windows7-x64

fdc14a13fe...6d.exe

windows10-2004-x64

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 10:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe

  • Size

    488KB

  • MD5

    f5127b719ba22e54d6bcf513f4cbe0d7

  • SHA1

    a353c309287004081e231952b8c022fcfd97f156

  • SHA256

    c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e

  • SHA512

    2c13e2921750cbe16b12165464c42055cf3212635f242299b7b4e95774d294b058ebaba9fe53ed23755d88ade74af5e39e5ca9f22c456263071996f271628e7e

  • SSDEEP

    12288:MMrAy90NvJh+0ie0+oyxA/gQTxeEYdlF69CSrV:EyQj+U0+1xA/9TYEQF69ZV

Score
10/10
redlinedebroinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes
  • auth_value

    18c2c191aebfde5d1787ec8d805a01a8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe
    "C:\Users\Admin\AppData\Local\Temp\c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9899559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9899559.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5957030.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5957030.exe
        3⤵
        • Executes dropped EXE
        PID:2884

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=32F973B98F6C6E98273167C78E4B6F68; domain=.bing.com; expires=Sat, 07-Jun-2025 10:01:04 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6BDC4E1DEDE0436AB0C22903654B02C5 Ref B: LON04EDGE0612 Ref C: 2024-05-13T10:01:04Z
    date: Mon, 13 May 2024 10:01:03 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=32F973B98F6C6E98273167C78E4B6F68
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=LOHvqyJ-RIan7GOzNy3W_qNV0vdWP2TwkNSjOiNNDB4; domain=.bing.com; expires=Sat, 07-Jun-2025 10:01:04 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: DE39412E123B4737AE84D3B34D1FCAC1 Ref B: LON04EDGE0612 Ref C: 2024-05-13T10:01:04Z
    date: Mon, 13 May 2024 10:01:03 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=32F973B98F6C6E98273167C78E4B6F68; MSPTC=LOHvqyJ-RIan7GOzNy3W_qNV0vdWP2TwkNSjOiNNDB4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3196F04DD05D4D50B6EFBC6BEAF3FE37 Ref B: LON04EDGE0612 Ref C: 2024-05-13T10:01:04Z
    date: Mon, 13 May 2024 10:01:03 GMT
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    6.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.107.129:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=32F973B98F6C6E98273167C78E4B6F68; MSPTC=LOHvqyJ-RIan7GOzNy3W_qNV0vdWP2TwkNSjOiNNDB4
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Mon, 13 May 2024 10:01:05 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.7d6b1102.1715594465.24824c6c
  • flag-us
    DNS
    129.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.107.17.2.in-addr.arpa
    IN PTR
    Response
    129.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-129deploystaticakamaitechnologiescom
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    139.53.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    139.53.16.96.in-addr.arpa
    IN PTR
    Response
    139.53.16.96.in-addr.arpa
    IN PTR
    a96-16-53-139deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.161.248.75:4132
    f5957030.exe
    260 B
     5
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=
    tls, http2
    2.0kB
     9.2kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c042270dabff421886aed4cd084e0102&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

    HTTP Response

    204
  • 2.17.107.129:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
     6.4kB
     16
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 185.161.248.75:4132
    f5957030.exe
    260 B
     5
  • 185.161.248.75:4132
    f5957030.exe
    260 B
     5
  • 185.161.248.75:4132
    f5957030.exe
    260 B
     5
  • 185.161.248.75:4132
    f5957030.exe
    260 B
     5
  • 185.161.248.75:4132
    f5957030.exe
    260 B
     5
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    6.181.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    6.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    129.107.17.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    129.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    139.53.16.96.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    139.53.16.96.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9899559.exe
    Filesize

    316KB

    MD5

    acf2f1e7608dff6d13c0d7eb977d8fae

    SHA1

    521b70268d2d9ee9b88d92e018cc0b1e1617c2b5

    SHA256

    0691b5a648eb75146ff1c98264b40a610cecafe4f5a7c2399c6ae1e3ab936d08

    SHA512

    5ce95cd430ef5c5694cda6c9915d57492b9cc4b41880fc518eaeb4d982f9d4c0bc0e2bf40b58b207af77eadcefb4af7a03f8a8854a81d2592a0e2fcd48a0fa60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5957030.exe
    Filesize

    168KB

    MD5

    24fcc03280e8514857d0f5d036c1c8f1

    SHA1

    8e14128b1ee347b66292d223b5c8a8de249d6a46

    SHA256

    de022de4f980f527032baaccf14f21c73aae534887b65d8112db10d395ed182a

    SHA512

    1d46f73ec4e2eafc90f6437877eb8123eebd26c200b33f2e600653164917041aeff645b56581e1f0b1b1c10ade0a641232d80d37d1d64ad1b23ec42d30c6739e

    Download Submit

  • memory/2884-14-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2884-15-0x00000000007D0000-0x00000000007FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2884-16-0x00000000029B0000-0x00000000029B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2884-17-0x000000000ABB0000-0x000000000B1C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2884-18-0x000000000A6A0000-0x000000000A7AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2884-19-0x00000000050E0000-0x00000000050F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2884-20-0x000000000A5D0000-0x000000000A60C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2884-21-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2884-22-0x0000000002AF0000-0x0000000002B3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2884-23-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2884-24-0x0000000074830000-0x0000000074FE0000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.