Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f78477275d...58.exe

windows7-x64

10

f78477275d...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 12:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe

  • Size

    488KB

  • MD5

    4c596d32f75e3a84e48c36e8fc8025fd

  • SHA1

    6a03c9d53e10c752b66b677e528fbcd1a70a6d0c

  • SHA256

    f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858

  • SHA512

    0b159fe0b1766c27c89f65069fb3d33a59b3fc3efd7519629497df3ec07eda1b938819a2b0faa6cf2c305a736c3c93d409d42901c744644e11867a06bd7796c2

  • SSDEEP

    6144:k9Cq6V1jfMRWYYIveLu6SE8jvx09SJTs7ci4aMC7WGS3swOco36deigavwVfe5K0:fV1DopYIe1SE8juQOf4RCw3dJTxuuB

Score
10/10
neshtaredlineworld10discoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

world10

C2

jamesmillion.xyz:15772

Attributes
  • auth_value

    a74a2e49cd85c6f93cb4e7fc8691721c

Signatures

  • Detect Neshta payload 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
    "C:\Users\Admin\AppData\Local\Temp\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\3582-490\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3952

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    jamesmillion.xyz
    f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
    Remote address:
    8.8.8.8:53
    Request
    jamesmillion.xyz
    IN A
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.112.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.112.168.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    jamesmillion.xyz
    dns
    f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
    62 B
     127 B
     1
    1

    DNS Request

    jamesmillion.xyz

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    67.112.168.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    67.112.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
    Filesize

    448KB

    MD5

    0ac0c1ea046c89a6cc91855a4ce4df71

    SHA1

    16d53ce774b365a409fd959eb80e6367ccb34a3f

    SHA256

    388092169b96794dec2d6a0bcff4c60dfad79fdf5d49282cfe7bf6a6b59d75c0

    SHA512

    19a46366a3653f45e3e770259850601dd8fe618d009170944fbf23bf7375f3e840f81fa8ef5cfe8fef4de12879fdff6dd99f42cf2357dc97e50b74ae667d7716

    Download Submit

  • memory/3952-110-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-132-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-27-0x0000000000590000-0x0000000000690000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3952-30-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/3952-42-0x0000000002680000-0x00000000026CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3952-62-0x0000000004BC0000-0x0000000005164000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3952-66-0x00000000051B0000-0x00000000051FA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3952-122-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-140-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-138-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-136-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-134-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-108-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-131-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-128-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-126-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-124-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-120-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-118-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-116-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-114-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-112-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-28-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/3952-29-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/3952-88-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-102-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-100-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-98-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-96-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-94-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-92-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-106-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-86-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-84-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-82-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-80-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-78-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-77-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-104-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-90-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-895-0x0000000005200000-0x0000000005818000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3952-896-0x00000000058A0000-0x00000000058B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3952-897-0x00000000058C0000-0x00000000059CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3952-898-0x00000000059D0000-0x0000000005A0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3952-899-0x0000000005A60000-0x0000000005AAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3952-900-0x0000000000590000-0x0000000000690000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3952-902-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.