Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

27972e8832...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 20:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944.exe

  • Size

    539KB

  • MD5

    769fc5c0048329d9658539f21aaef663

  • SHA1

    315578fe18b240c903e96549d7483c891e959c45

  • SHA256

    27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944

  • SHA512

    a7c02b034e34f528e19aea66a496a471fad4c9f57f45a27fb295545a85590a31af19b5063974e04fe70652dcbd3a96968eaa0013e930e032981a577448120bfb

  • SSDEEP

    12288:bMrny90BmkZgQAJOBoKFqNhqNtPD6QyopnHcIQQKZ:0yNkZgQpGKVP+QXYQKZ

Score
10/10
redlineromikdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

romik

C2

193.233.20.12:4132

Attributes
  • auth_value

    8fb78d2889ba0ca42678b59b884e88ff

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944.exe
    "C:\Users\Admin\AppData\Local\Temp\27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRX40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRX40.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dML09.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dML09.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2764

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    133.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.190.18.2.in-addr.arpa
    IN PTR
    Response
    133.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-133deploystaticakamaitechnologiescom
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.12:4132
    dML09.exe
    260 B
     5
  • 193.233.20.12:4132
    dML09.exe
    260 B
     5
  • 193.233.20.12:4132
    dML09.exe
    260 B
     5
  • 193.233.20.12:4132
    dML09.exe
    260 B
     5
  • 193.233.20.12:4132
    dML09.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    133.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    133.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRX40.exe
    Filesize

    435KB

    MD5

    025e584798ae60c3461e43baec025ef5

    SHA1

    d95a885de9a9e0b0cdc48f113e4fe52a7aa47160

    SHA256

    9bc32623b541497b19257505b69de0438b3545835229b204c0b5aec7e5ebfed2

    SHA512

    90c1b873a65e340a262abc33074f29f02eadcf3ac2ca1036a720a99bda8414cd981553279f219bd2348f5c15fcd3ca42af0503c98d372b41007a1338b2a53e17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dML09.exe
    Filesize

    305KB

    MD5

    a97676767e51104d57e1d0ad956e4274

    SHA1

    518c54685f9d461424f96247c32d1d9db20fea32

    SHA256

    c5ab3172fb7e5ced3b6d009742e00e48698714a2c54f887eb80d15c12b8a6558

    SHA512

    0fad6360d1ac0f729181738ee02fa242ff925de13f64deea9bd0af4b2ee1e1891dfa952698fa1d8318e468c4a30908ef33ad592fb675d0521f5296828aafb87d

    Download Submit

  • memory/2764-15-0x00000000005B0000-0x00000000006B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2764-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2764-16-0x00000000007A0000-0x00000000007EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2764-18-0x0000000000400000-0x000000000057D000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2764-19-0x0000000002390000-0x00000000023D6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2764-20-0x0000000004BC0000-0x0000000005164000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2764-21-0x0000000002670000-0x00000000026B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2764-75-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-85-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-83-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-81-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-80-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-77-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-73-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-71-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-69-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-67-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-65-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-61-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-59-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-58-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-55-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-53-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-51-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-49-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-47-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-43-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-41-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-37-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-35-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-33-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-31-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-29-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-27-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-25-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-23-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-22-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-63-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-45-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-39-0x0000000002670000-0x00000000026AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2764-928-0x00000000051B0000-0x00000000057C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2764-929-0x0000000005850000-0x000000000595A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2764-930-0x0000000005990000-0x00000000059A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2764-931-0x00000000059B0000-0x00000000059EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2764-932-0x0000000005B00000-0x0000000005B4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2764-933-0x00000000005B0000-0x00000000006B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2764-934-0x00000000007A0000-0x00000000007EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2764-935-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.