Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/02/2023, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    062182ded6524fbca137dde8873c6ffbc5961cd53316c5586183710e66e7b8ad.exe

  • Size

    855KB

  • MD5

    618ae8ec7a260d71ecfcac72361a7e32

  • SHA1

    bfa3976852195d18bfbf0c049191bdb65990b7b8

  • SHA256

    062182ded6524fbca137dde8873c6ffbc5961cd53316c5586183710e66e7b8ad

  • SHA512

    65ef4191f53b7942797b525de0de1ec20d8b516a6d2f9379c5ec54344132c29b1def28e652269bee55fd94a5bd3a6d242cca5bf479b14202be4d3a061d7ba743

  • SSDEEP

    24576:kygwf1xPy8bH3nfgJa/Bj2AAFvRu83vDpNiD/X:zgoK8b3nFBj2AA/LpNW

Score
10/10
redlinedubkadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5a9421183a033f283b2f23139b471f0

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\062182ded6524fbca137dde8873c6ffbc5961cd53316c5586183710e66e7b8ad.exe
    "C:\Users\Admin\AppData\Local\Temp\062182ded6524fbca137dde8873c6ffbc5961cd53316c5586183710e66e7b8ad.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vYw2167.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vYw2167.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vOS8458.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vOS8458.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\riC1544.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\riC1544.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4148
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\swa9354.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\swa9354.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1092
            5⤵
            • Program crash
            PID:2228
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRa42Pp.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRa42Pp.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uVH20fs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uVH20fs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1684
        3⤵
        • Program crash
        PID:5024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 224 -ip 224
    1⤵
      PID:752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3592 -ip 3592
      1⤵
        PID:2984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uVH20fs.exe
        Filesize

        352KB

        MD5

        dd858415b75360783fdc870c89eb958f

        SHA1

        b3af4e657c2a0e4e1110d38cfc930cd814a28a5f

        SHA256

        1cd184e3f9576e553ec992f0fc60a05d0aee6fd7f98bc5bf1484d796902b9674

        SHA512

        fb0f42f6498c13147b04aad01f9d42b6f6ce79864f061ada0dc71fff35f4810a6790b8adc361c9616e83e55d0013b5617ac446b6649f4bbb62848d520ecc5179

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uVH20fs.exe
        Filesize

        352KB

        MD5

        dd858415b75360783fdc870c89eb958f

        SHA1

        b3af4e657c2a0e4e1110d38cfc930cd814a28a5f

        SHA256

        1cd184e3f9576e553ec992f0fc60a05d0aee6fd7f98bc5bf1484d796902b9674

        SHA512

        fb0f42f6498c13147b04aad01f9d42b6f6ce79864f061ada0dc71fff35f4810a6790b8adc361c9616e83e55d0013b5617ac446b6649f4bbb62848d520ecc5179

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vYw2167.exe
        Filesize

        499KB

        MD5

        99aa53c33a2332115d7593d965773746

        SHA1

        68592195d9710eef6cb6982869a5ea5c6fbadd4d

        SHA256

        44c5b4ebb98582b78bf64f7d2f6b9be7fe15b71da921a3713cb37daf1ae544f6

        SHA512

        a4249db50a6c009f0c5a3608b7d6e696844fef410288176ddebb75219cf37d710762c7adfbd7f8906873af5884a9b79b70df90b5669ef8dacf47d0b65801300a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vYw2167.exe
        Filesize

        499KB

        MD5

        99aa53c33a2332115d7593d965773746

        SHA1

        68592195d9710eef6cb6982869a5ea5c6fbadd4d

        SHA256

        44c5b4ebb98582b78bf64f7d2f6b9be7fe15b71da921a3713cb37daf1ae544f6

        SHA512

        a4249db50a6c009f0c5a3608b7d6e696844fef410288176ddebb75219cf37d710762c7adfbd7f8906873af5884a9b79b70df90b5669ef8dacf47d0b65801300a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRa42Pp.exe
        Filesize

        175KB

        MD5

        dd0c9e110c68ce1fa5308979ef718f7b

        SHA1

        473deb8069f0841d47b74b7f414dacc6f96eca78

        SHA256

        dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

        SHA512

        29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRa42Pp.exe
        Filesize

        175KB

        MD5

        dd0c9e110c68ce1fa5308979ef718f7b

        SHA1

        473deb8069f0841d47b74b7f414dacc6f96eca78

        SHA256

        dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

        SHA512

        29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vOS8458.exe
        Filesize

        355KB

        MD5

        fa9254494e9fd173a9faf6050641c389

        SHA1

        c4479bde8748bf6e7096440844698e99081746b7

        SHA256

        489ea3e6fdc40dbe07966ea5ce6ae0be2787ed10e1b1fc968b882097516d88a1

        SHA512

        7b830538b8322b62f89a851f51682e74c5bd2b341b8af6807215d572450f45710780dbfa59472693a39c1a895b87a733462771d99780466b8aeb3a9b5584ca04

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vOS8458.exe
        Filesize

        355KB

        MD5

        fa9254494e9fd173a9faf6050641c389

        SHA1

        c4479bde8748bf6e7096440844698e99081746b7

        SHA256

        489ea3e6fdc40dbe07966ea5ce6ae0be2787ed10e1b1fc968b882097516d88a1

        SHA512

        7b830538b8322b62f89a851f51682e74c5bd2b341b8af6807215d572450f45710780dbfa59472693a39c1a895b87a733462771d99780466b8aeb3a9b5584ca04

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\riC1544.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\riC1544.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\swa9354.exe
        Filesize

        295KB

        MD5

        dd0adf92524d842b17843e3a38769564

        SHA1

        4b34fbf5dade2193630f92053be9f0dcfe563d3c

        SHA256

        489cdd40de47bde8a31100897afafb3213c01de9cab0bc656e3cbf01c48e3682

        SHA512

        7fbb9c9ad3df3bfd0ae3741bf76c92bdd9ea3f23e1316f4948a60e1efc3ff6dcbd4d37d7da725659fa38a0cbc0fc41d1dc85515d56b15af5cbf891bfe6853bc2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\swa9354.exe
        Filesize

        295KB

        MD5

        dd0adf92524d842b17843e3a38769564

        SHA1

        4b34fbf5dade2193630f92053be9f0dcfe563d3c

        SHA256

        489cdd40de47bde8a31100897afafb3213c01de9cab0bc656e3cbf01c48e3682

        SHA512

        7fbb9c9ad3df3bfd0ae3741bf76c92bdd9ea3f23e1316f4948a60e1efc3ff6dcbd4d37d7da725659fa38a0cbc0fc41d1dc85515d56b15af5cbf891bfe6853bc2

        Download Submit

      • memory/224-152-0x00000000007A2000-0x00000000007C2000-memory.dmp

        Filesize

        128KB

        Download

      • memory/224-153-0x0000000000400000-0x00000000005C6000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/224-147-0x00000000007A2000-0x00000000007C2000-memory.dmp

        Filesize

        128KB

        Download

      • memory/224-148-0x0000000000730000-0x000000000075D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/224-149-0x0000000000400000-0x00000000005C6000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/224-150-0x0000000004C20000-0x00000000051C4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/224-151-0x00000000007A2000-0x00000000007C2000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2812-165-0x0000000006C90000-0x00000000071BC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2812-163-0x0000000005B10000-0x0000000005BA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2812-167-0x0000000005F70000-0x0000000005FC0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2812-166-0x0000000006760000-0x00000000067D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2812-157-0x00000000001D0000-0x0000000000202000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2812-158-0x0000000005110000-0x0000000005728000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2812-159-0x0000000004C70000-0x0000000004D7A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2812-160-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2812-161-0x0000000004C00000-0x0000000004C3C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2812-162-0x0000000004F20000-0x0000000004F86000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2812-164-0x0000000006590000-0x0000000006752000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3592-172-0x0000000002250000-0x000000000229B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3592-171-0x00000000006C2000-0x00000000006F0000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3592-173-0x0000000000400000-0x00000000005D4000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3592-174-0x00000000006C2000-0x00000000006F0000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3592-175-0x0000000000400000-0x00000000005D4000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4148-143-0x00007FF8345A0000-0x00007FF835061000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4148-141-0x00000000001F0000-0x00000000001FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4148-142-0x00007FF8345A0000-0x00007FF835061000-memory.dmp

        Filesize

        10.8MB

        Download