Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    126s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/03/2023, 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe

  • Size

    550KB

  • MD5

    9f67db2dead062c26f84bd9bcf060ce8

  • SHA1

    55b3e441b7f398d10920c71f3f976b60f85d466e

  • SHA256

    adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931

  • SHA512

    72e23ccc03b11d4d9a5f0121b9661d6574a272a4bafd03c575f57e234cad4596f69f14e568cd555a8c3ff5a8ac4c98de4d7527bd33349cb1bf7b9c24554863ee

  • SSDEEP

    12288:vMrOy90R7ZncbdZMq7FkLdiJ71kzC8D4bLrCHcB:ByUZncBx7aLdiJJkzebLrCHcB

Score
10/10
redlinefomichstekdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

stek

C2

melevv.eu:4162

Attributes
  • auth_value

    4205381daf6946b2df5fe3bc7eacc918

Extracted

Family

redline

Botnet

fomich

C2

melevv.eu:4162

Attributes
  • auth_value

    b018e52ac946001794d8b8c23e901859

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe
    "C:\Users\Admin\AppData\Local\Temp\adf91ca0c4c7dc56be25277cb2fb972b91c792908f9d74389a4eb1a24eaa3931.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFX5538hU.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFX5538hU.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw86Qw00Gi96.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw86Qw00Gi96.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tEG14mS16.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tEG14mS16.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhF17eq93.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhF17eq93.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2632

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhF17eq93.exe
    Filesize

    175KB

    MD5

    2037601956ad9667a6534f251ecac9b8

    SHA1

    5936b0c1f566a54bff4484dc1a057fca59e004c9

    SHA256

    ec3cb5f02657df186f6ae2f88b4dd4741f452a25e7b0365fae815b7b7a8833ed

    SHA512

    deeea470938a3fed717d1f359db9e3e6b28abbfb6bbd686381478f96cf8f36fae095937c6517a3dce6de0505c1a9ba5efd9037961a01eeb1e07726cb10342b44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhF17eq93.exe
    Filesize

    175KB

    MD5

    2037601956ad9667a6534f251ecac9b8

    SHA1

    5936b0c1f566a54bff4484dc1a057fca59e004c9

    SHA256

    ec3cb5f02657df186f6ae2f88b4dd4741f452a25e7b0365fae815b7b7a8833ed

    SHA512

    deeea470938a3fed717d1f359db9e3e6b28abbfb6bbd686381478f96cf8f36fae095937c6517a3dce6de0505c1a9ba5efd9037961a01eeb1e07726cb10342b44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFX5538hU.exe
    Filesize

    405KB

    MD5

    37d025efb71f1b3b3c7c089a221fa5a2

    SHA1

    46d95b9036b43801c6f72178b31c951ed8c11cd1

    SHA256

    cba9894adf6d1f39b689a0f90c1bef8a6726efb43c91e49a5050d673cfa952a7

    SHA512

    6f905c527bf93eba2ba3781413a76066e79df4e622f5b8ac46242b9309b4112d0c5bcf5b9e1418448f22cecd6bfcdcbd65788a59991401f24576f1e0388f73da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFX5538hU.exe
    Filesize

    405KB

    MD5

    37d025efb71f1b3b3c7c089a221fa5a2

    SHA1

    46d95b9036b43801c6f72178b31c951ed8c11cd1

    SHA256

    cba9894adf6d1f39b689a0f90c1bef8a6726efb43c91e49a5050d673cfa952a7

    SHA512

    6f905c527bf93eba2ba3781413a76066e79df4e622f5b8ac46242b9309b4112d0c5bcf5b9e1418448f22cecd6bfcdcbd65788a59991401f24576f1e0388f73da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw86Qw00Gi96.exe
    Filesize

    12KB

    MD5

    64732fec05187a674cd4945215843bd5

    SHA1

    c9c96ae445631ad588d5edd10618181649bd7cce

    SHA256

    dc746a24fb73aa3a72e595c4957b6f4dc69c7117caac303749278fb987d9c336

    SHA512

    c8a235b79485ed63b81059235e435461edcb964c3932942fe1a5f383dc40feb03c433b43c4dec4c0bf277487009e08e6a7b6fa7f28e7f856dc5648e90404aca0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw86Qw00Gi96.exe
    Filesize

    12KB

    MD5

    64732fec05187a674cd4945215843bd5

    SHA1

    c9c96ae445631ad588d5edd10618181649bd7cce

    SHA256

    dc746a24fb73aa3a72e595c4957b6f4dc69c7117caac303749278fb987d9c336

    SHA512

    c8a235b79485ed63b81059235e435461edcb964c3932942fe1a5f383dc40feb03c433b43c4dec4c0bf277487009e08e6a7b6fa7f28e7f856dc5648e90404aca0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tEG14mS16.exe
    Filesize

    381KB

    MD5

    4662b9b6434d05f758ed7c02d2523e12

    SHA1

    e829ac10779358a8ca4d1baaca5bbb306b93355f

    SHA256

    183e845988632d8990fd81690172e5ac410b3f9ca03f1f8df71d8e79b8278b3b

    SHA512

    67b75afdcb37f56552a51242ea6121ed075c027e6e28c35dbcbf20ad22377154b90089a56055515cff02cf5329e9db67729343ae40bad3758b6f15dcd9341c93

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tEG14mS16.exe
    Filesize

    381KB

    MD5

    4662b9b6434d05f758ed7c02d2523e12

    SHA1

    e829ac10779358a8ca4d1baaca5bbb306b93355f

    SHA256

    183e845988632d8990fd81690172e5ac410b3f9ca03f1f8df71d8e79b8278b3b

    SHA512

    67b75afdcb37f56552a51242ea6121ed075c027e6e28c35dbcbf20ad22377154b90089a56055515cff02cf5329e9db67729343ae40bad3758b6f15dcd9341c93

    Download Submit

  • memory/1012-141-0x0000000002BD0000-0x0000000002C1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1012-142-0x0000000004C60000-0x0000000004CA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1012-143-0x0000000007220000-0x000000000771E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1012-144-0x0000000007130000-0x0000000007174000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1012-145-0x0000000007210000-0x0000000007220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-146-0x0000000007210000-0x0000000007220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-147-0x0000000007210000-0x0000000007220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-148-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-149-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-151-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-153-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-155-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-157-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-161-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-163-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-159-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-165-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-167-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-169-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-171-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-173-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-179-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-177-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-175-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-181-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-185-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-183-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-187-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-189-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-191-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-195-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-193-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-197-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-199-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-201-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-205-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-203-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-207-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-211-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-209-0x0000000007130000-0x000000000716E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-1054-0x0000000007D30000-0x0000000008336000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1012-1055-0x0000000007760000-0x000000000786A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1012-1056-0x00000000078A0000-0x00000000078B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1012-1057-0x0000000007210000-0x0000000007220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-1058-0x00000000078C0000-0x00000000078FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1012-1059-0x0000000007A10000-0x0000000007A5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1012-1061-0x0000000007210000-0x0000000007220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-1062-0x0000000007BB0000-0x0000000007C16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1012-1063-0x0000000008890000-0x0000000008922000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1012-1064-0x0000000008B90000-0x0000000008C06000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1012-1065-0x0000000008C20000-0x0000000008C70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1012-1066-0x0000000007210000-0x0000000007220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-1067-0x0000000008C90000-0x0000000008E52000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1012-1068-0x0000000008E60000-0x000000000938C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2632-1075-0x0000000000F10000-0x0000000000F42000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2632-1076-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2632-1077-0x0000000005960000-0x00000000059AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4192-135-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

    Filesize

    40KB

    Download