Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

6745c0c072...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 09:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe

  • Size

    765KB

  • MD5

    d78ae547fd24ad6009e0e8801c3fef69

  • SHA1

    383a24ed5c07644acd49caaf64bbac9cc5c3db01

  • SHA256

    6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167

  • SHA512

    db3ab0a8c73f02a633c21b3dc8e722beb8436f9a960ee073068f2b48f0e1d56b0bdf5f108dade8a25d44b6c6085eb5a0b8aad499ef4d7fd67973da3a2b6cee83

  • SSDEEP

    12288:vMruy90EkkocTOvswWccFmlebqWHHbdpBYoGqGlVwyeGhiV53cvt0e0zgA/OEk94:Jyhr/T2swemgHppijqG0vGhtvr0sFEk2

Score
10/10
redlineromikdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

romik

C2

193.233.20.12:4132

Attributes
  • auth_value

    8fb78d2889ba0ca42678b59b884e88ff

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe
    "C:\Users\Admin\AppData\Local\Temp\6745c0c072dfd813cdeccdf126997ab5c9942574b0a56a2b97a24e6c488e2167.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlR73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlR73.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vzT93.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vzT93.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyK91.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyK91.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1148

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.12:4132
    dyK91.exe
    260 B
     5
  • 193.233.20.12:4132
    dyK91.exe
    260 B
     5
  • 193.233.20.12:4132
    dyK91.exe
    260 B
     5
  • 193.233.20.12:4132
    dyK91.exe
    260 B
     5
  • 193.233.20.12:4132
    dyK91.exe
    260 B
     5
  • 193.233.20.12:4132
    dyK91.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vlR73.exe
    Filesize

    661KB

    MD5

    fe06b392541f8269c639a73df38bcc11

    SHA1

    060e938c02adffa90122e4e14d0a088e0eb74617

    SHA256

    cf979786b7f5e8ec4988c783d0d1d1337c32c2fb596c4602a6134c0883385edb

    SHA512

    ac10d502e43bbfb4ddac22fe19fe059750c9377da93f795e348218bb7b6327026c590fafcc283060124432dec39544214a621bd4714b50a26dba07129c45cd86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vzT93.exe
    Filesize

    516KB

    MD5

    e6ce69867b35f314cd2099f158fb931c

    SHA1

    228ce3fcedd3be15eb16111108bae42e97f10312

    SHA256

    2d36277f5ee2a7d0ff05c2f304e39b51a174fc5dbf13a82c2839ed5e393a0060

    SHA512

    60f7637c16d6600b5bcd3f97d2764a9f8f6c8ff63b1d49fd9f0caba8bd5ca7c03cceb245fdd019a86e47f2b331263ae75a5bd6f1d487e4a72baa1c919b1c0576

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyK91.exe
    Filesize

    296KB

    MD5

    39a31c690c4b02de4f1a661ffad29d08

    SHA1

    fe6268fe60696e0b85015784fe0b77d1cffc7e3d

    SHA256

    acb28abfb93e3a5e8c6686b995c13c07a40d77d8989d8bdf5ce92a23576583b1

    SHA512

    3aabe421382a7b91e66e954490f9ca74d158d1d74c6ed3ff61c5f88a24de3e260619d7404f1b62f049d6f7611f89f0db17a5d30f8c76de8fb5ed9ee2ae16604c

    Download Submit

  • memory/1148-22-0x0000000002770000-0x00000000027B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1148-23-0x0000000004E80000-0x0000000005424000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1148-24-0x0000000002820000-0x0000000002864000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1148-42-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-60-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-88-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-84-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-82-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-80-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-78-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-76-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-74-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-72-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-70-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-66-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-65-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-62-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-58-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-56-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-54-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-52-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-50-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-48-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-46-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-44-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-40-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-38-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-36-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-34-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-32-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-28-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-86-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-68-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-31-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-26-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-25-0x0000000002820000-0x000000000285E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1148-931-0x0000000005430000-0x0000000005A48000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1148-932-0x0000000005A90000-0x0000000005B9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1148-933-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1148-934-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1148-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.