Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/02/2023, 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c12e93fc043fc7c6abc1f1ccb95715b7b9f9710450559c4340bf7a4c94d689c.exe

  • Size

    478KB

  • MD5

    7e278af5d1e46277e4dcc002de5bbe8e

  • SHA1

    d7d70f8baf60dfb08fff95dedb3e9312b98ae1d5

  • SHA256

    6c12e93fc043fc7c6abc1f1ccb95715b7b9f9710450559c4340bf7a4c94d689c

  • SHA512

    792223c63794d14f2f6c715dc6fe0251b7a8538b1449f222d3a02dce0a13202a7dace14cea3af0a5a61115e571f71086414adeec0c6ad15a1391b4cc5ddfd110

  • SSDEEP

    12288:gMrzy90Brj8q+VeYJs42ExkDWyKmxexDirMhzT5nhsHP:DyWrIRVm3fKkeOMzhsv

Score
10/10
redlinefusanocryptdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

redline

Botnet

nocrypt

C2

176.113.115.17:4132

Attributes
  • auth_value

    4fc7cda1ab5883a6197f20f517ce2a8c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c12e93fc043fc7c6abc1f1ccb95715b7b9f9710450559c4340bf7a4c94d689c.exe
    "C:\Users\Admin\AppData\Local\Temp\6c12e93fc043fc7c6abc1f1ccb95715b7b9f9710450559c4340bf7a4c94d689c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyO67.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyO67.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxo66.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxo66.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cyU70gJ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cyU70gJ.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2084
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dEs27.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dEs27.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1084
        3⤵
        • Program crash
        PID:3388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4792 -ip 4792
    1⤵
      PID:4564

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dEs27.exe
      Filesize

      239KB

      MD5

      6a9d16da046b68663fc402d83e2162ed

      SHA1

      b808ce659e1c589990dc87be267849b07e4c1b44

      SHA256

      0b4c1192e0570f3fad3bebf2dad051a9e83b02baefc6024c5bc6d3a7d55f8416

      SHA512

      6ecef488dccf356c8c5bd8a5137b2bfe5c43916be55d42474e01203094d0ccdd4824ebafe93037dbe8c051bf7e500e3120cb1420224e51647bae8409be47b832

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dEs27.exe
      Filesize

      239KB

      MD5

      6a9d16da046b68663fc402d83e2162ed

      SHA1

      b808ce659e1c589990dc87be267849b07e4c1b44

      SHA256

      0b4c1192e0570f3fad3bebf2dad051a9e83b02baefc6024c5bc6d3a7d55f8416

      SHA512

      6ecef488dccf356c8c5bd8a5137b2bfe5c43916be55d42474e01203094d0ccdd4824ebafe93037dbe8c051bf7e500e3120cb1420224e51647bae8409be47b832

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyO67.exe
      Filesize

      202KB

      MD5

      19ec4b207cc7ba493c0b611f6a66780a

      SHA1

      5af158d4c30728b4ade0351366ff26d3e6330682

      SHA256

      5c6b4b2eaaeaaf501ace7ff487c09e6178dd2ba9732710233a48971b26fb2a0d

      SHA512

      9e47669016ff1c3b9e1ab6423c17b5aca9c23bbcffedc592ea153fc2c8dac4fb6b8fdb4419a4eb211db50f013cea6d7afd948c35d405c6c5234283c1ee44c7fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyO67.exe
      Filesize

      202KB

      MD5

      19ec4b207cc7ba493c0b611f6a66780a

      SHA1

      5af158d4c30728b4ade0351366ff26d3e6330682

      SHA256

      5c6b4b2eaaeaaf501ace7ff487c09e6178dd2ba9732710233a48971b26fb2a0d

      SHA512

      9e47669016ff1c3b9e1ab6423c17b5aca9c23bbcffedc592ea153fc2c8dac4fb6b8fdb4419a4eb211db50f013cea6d7afd948c35d405c6c5234283c1ee44c7fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxo66.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxo66.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cyU70gJ.exe
      Filesize

      175KB

      MD5

      30132c45c2305b287d96a3ad8158e9e3

      SHA1

      c89477868792dbfc6abeb3016e4fcc542b01bea1

      SHA256

      0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

      SHA512

      1f6ccbaf0787c9bc61f568c4398374426961fc73ed7ea38c75e27d7025a9df6f93ea111297a6a02acdeea52845067e222e681f278dc7278d834fbbb6be98b74e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cyU70gJ.exe
      Filesize

      175KB

      MD5

      30132c45c2305b287d96a3ad8158e9e3

      SHA1

      c89477868792dbfc6abeb3016e4fcc542b01bea1

      SHA256

      0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

      SHA512

      1f6ccbaf0787c9bc61f568c4398374426961fc73ed7ea38c75e27d7025a9df6f93ea111297a6a02acdeea52845067e222e681f278dc7278d834fbbb6be98b74e

      Download Submit

    • memory/2084-153-0x00000000002A0000-0x00000000002D2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4364-139-0x0000000005070000-0x0000000005688000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4364-141-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4364-145-0x0000000005A90000-0x0000000005AF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4364-146-0x0000000006640000-0x0000000006802000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4364-147-0x0000000006D40000-0x000000000726C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4364-148-0x00000000064F0000-0x0000000006566000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4364-149-0x0000000006570000-0x00000000065C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4364-143-0x0000000005EC0000-0x0000000006464000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4364-142-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4364-144-0x00000000059F0000-0x0000000005A82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4364-140-0x0000000004BF0000-0x0000000004CFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4364-138-0x0000000000150000-0x0000000000182000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4792-157-0x0000000000A54000-0x0000000000A74000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4792-158-0x0000000000A00000-0x0000000000A2D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4792-159-0x0000000000400000-0x0000000000798000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/4792-160-0x0000000000A54000-0x0000000000A74000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4792-161-0x0000000000400000-0x0000000000798000-memory.dmp

      Filesize

      3.6MB

      Download