Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    53s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/03/2023, 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    457b3e4ce0686241044fcc6677621b1d3b301871df105577057dbddb48fd58d4.exe

  • Size

    537KB

  • MD5

    d0bdd65ae866989edd8d112def99b69d

  • SHA1

    556d0643dc9b693da07284a9fe52057358668ab7

  • SHA256

    457b3e4ce0686241044fcc6677621b1d3b301871df105577057dbddb48fd58d4

  • SHA512

    367799f220bcd6cd7b0a2b09e523ff09ccf826517cf111e869aa03a3c6474a150c334494f5e53f322f0068d8e4031f4aa40d2aefdda3846dfe054c8fcf7327a7

  • SSDEEP

    12288:sMrvy90aT6AQfDq8c9yi3vBHahfBvf/PCy1w10Ih3KIoN6T:LyL69LQqJ/3s0KXoN+

Score
10/10
redlineformarumfadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Extracted

Family

redline

Botnet

forma

C2

193.233.20.24:4123

Attributes
  • auth_value

    50b8e065d7cb1e9e30786f7a370368f9

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\457b3e4ce0686241044fcc6677621b1d3b301871df105577057dbddb48fd58d4.exe
    "C:\Users\Admin\AppData\Local\Temp\457b3e4ce0686241044fcc6677621b1d3b301871df105577057dbddb48fd58d4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzD2475Jv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzD2475Jv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw28eG29cA91.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw28eG29cA91.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tTw60CR46.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tTw60CR46.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:60
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uWg38GC30.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uWg38GC30.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uWg38GC30.exe
    Filesize

    177KB

    MD5

    d78b450b8b899bbe8dde182b0f19dd19

    SHA1

    a700b4fe092c9de4f754432fe55935a0b3eff264

    SHA256

    0c2f4fbf3afc1e0fef2b5d39d2d0cc3c9ed315920a0e2082116b78239b9ce091

    SHA512

    260fec47c089379a29246c59335e1100ea91a6911a7be053e4bcb601b3c1f15546d64082c2632c38802c1659dd1a85e85b831198b7c11a09a7c8aef47f59c282

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uWg38GC30.exe
    Filesize

    177KB

    MD5

    d78b450b8b899bbe8dde182b0f19dd19

    SHA1

    a700b4fe092c9de4f754432fe55935a0b3eff264

    SHA256

    0c2f4fbf3afc1e0fef2b5d39d2d0cc3c9ed315920a0e2082116b78239b9ce091

    SHA512

    260fec47c089379a29246c59335e1100ea91a6911a7be053e4bcb601b3c1f15546d64082c2632c38802c1659dd1a85e85b831198b7c11a09a7c8aef47f59c282

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzD2475Jv.exe
    Filesize

    392KB

    MD5

    5fca4c4bfccf987358152791b4e164f5

    SHA1

    14f05f3fab7da01cd229492ed1afc525dddfa7ff

    SHA256

    afecee4513adf88c8736430c7f6abd98b6721983af1829778f0404ee3539a386

    SHA512

    51fb94055db0d845509c26c913d9d0e36e5a92f847b8acfccf86d20cd9876b0ff5c11bae57c67a3f29ed61880b44e0b4639ae9e20c896a905ace0e75557d425f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzD2475Jv.exe
    Filesize

    392KB

    MD5

    5fca4c4bfccf987358152791b4e164f5

    SHA1

    14f05f3fab7da01cd229492ed1afc525dddfa7ff

    SHA256

    afecee4513adf88c8736430c7f6abd98b6721983af1829778f0404ee3539a386

    SHA512

    51fb94055db0d845509c26c913d9d0e36e5a92f847b8acfccf86d20cd9876b0ff5c11bae57c67a3f29ed61880b44e0b4639ae9e20c896a905ace0e75557d425f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw28eG29cA91.exe
    Filesize

    17KB

    MD5

    ed675101241809320ddc9f34b089e63d

    SHA1

    ec6f2dd439c76d8cb9b95befb5d417b63a7da0ff

    SHA256

    6bf2e00fd092d6314e694b71f8a91a7132ee2c65c430cc0a1a9e83cc13aae8fd

    SHA512

    739136196702517759d4b01c99e5b6d96d07a02d91cba84543c81a8d19865356e3ff7b5332821bc0438d2bf53203eaceca1ec82391d43fe54469d2b0c7a41e60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw28eG29cA91.exe
    Filesize

    17KB

    MD5

    ed675101241809320ddc9f34b089e63d

    SHA1

    ec6f2dd439c76d8cb9b95befb5d417b63a7da0ff

    SHA256

    6bf2e00fd092d6314e694b71f8a91a7132ee2c65c430cc0a1a9e83cc13aae8fd

    SHA512

    739136196702517759d4b01c99e5b6d96d07a02d91cba84543c81a8d19865356e3ff7b5332821bc0438d2bf53203eaceca1ec82391d43fe54469d2b0c7a41e60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tTw60CR46.exe
    Filesize

    304KB

    MD5

    bc94778948460579a0739b42d8018118

    SHA1

    f960e87471a354673dc63408a7cfd07052a18561

    SHA256

    164e02a2c9318020d3b3db0e977aadf0890dd6ad139cfcd07195e62578f44d8b

    SHA512

    ff267c27af132c2ce96ca075011a96596d045f771c3439d72b1ea1f567fe585f139b0e7dc8f5c97d340209f478d7e9cad374fc0497345998702f06e234ca657b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tTw60CR46.exe
    Filesize

    304KB

    MD5

    bc94778948460579a0739b42d8018118

    SHA1

    f960e87471a354673dc63408a7cfd07052a18561

    SHA256

    164e02a2c9318020d3b3db0e977aadf0890dd6ad139cfcd07195e62578f44d8b

    SHA512

    ff267c27af132c2ce96ca075011a96596d045f771c3439d72b1ea1f567fe585f139b0e7dc8f5c97d340209f478d7e9cad374fc0497345998702f06e234ca657b

    Download Submit

  • memory/60-139-0x0000000000660000-0x00000000006AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/60-140-0x00000000022D0000-0x0000000002316000-memory.dmp

    Filesize

    280KB

    Download

  • memory/60-141-0x0000000004DE0000-0x00000000052DE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/60-142-0x0000000002490000-0x00000000024D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/60-143-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-144-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-145-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-146-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-148-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-150-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-152-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-154-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-156-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-158-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-160-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-162-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-164-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-166-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-168-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-170-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-172-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-174-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-176-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-178-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-180-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-182-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-184-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-186-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-188-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-190-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-194-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-196-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-192-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-198-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-200-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-202-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-204-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-206-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-208-0x0000000002490000-0x00000000024CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-1051-0x00000000058F0000-0x0000000005EF6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/60-1052-0x0000000004C90000-0x0000000004D9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/60-1053-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/60-1054-0x00000000052E0000-0x000000000531E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/60-1055-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-1056-0x0000000005420000-0x000000000546B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/60-1058-0x0000000005560000-0x00000000055C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/60-1059-0x0000000006260000-0x00000000062F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/60-1062-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-1061-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-1060-0x0000000006420000-0x00000000065E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/60-1063-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-1064-0x00000000065F0000-0x0000000006B1C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/60-1065-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-1066-0x0000000006ED0000-0x0000000006F46000-memory.dmp

    Filesize

    472KB

    Download

  • memory/60-1067-0x0000000006F50000-0x0000000006FA0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4648-133-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4720-1073-0x00000000002B0000-0x00000000002E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4720-1074-0x0000000004CF0000-0x0000000004D3B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4720-1075-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download