Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2023, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74c9111723d8381390bd276efe5fba3b942d6bd53f1a6abab63258c9327ba010.exe

  • Size

    694KB

  • MD5

    b5b28a29864da3f471c40f4150b5c145

  • SHA1

    c992401ac17883a5147025706b2ca1ed2916ef52

  • SHA256

    74c9111723d8381390bd276efe5fba3b942d6bd53f1a6abab63258c9327ba010

  • SHA512

    56cbd73a537308ba4e605eecbbc900200cb4e193c24fd5f5be087501e00e83d50b2ca751f9542ea3d8165a8865595508b12aa332daede5bb1c2555938fa8f1a4

  • SSDEEP

    12288:oMrOy90leU0VFU2PflrNkGyOk0xbC+9hqmw/TE8dTNIYHL:2yUKVFVP9JkGyOXgJx5L

Score
10/10
redlinefchanruzhpediscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

ruzhpe

C2

pepunn.com:4162

Attributes
  • auth_value

    f735ced96ae8d01d0bd1d514240e54e0

Extracted

Family

redline

Botnet

fchan

C2

pepunn.com:4162

Attributes
  • auth_value

    127bd53d55e8c4f0dd2f6e1ea60deef4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74c9111723d8381390bd276efe5fba3b942d6bd53f1a6abab63258c9327ba010.exe
    "C:\Users\Admin\AppData\Local\Temp\74c9111723d8381390bd276efe5fba3b942d6bd53f1a6abab63258c9327ba010.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZC40gT63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZC40gT63.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urcf56vD90.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urcf56vD90.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4832
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1080
          4⤵
          • Program crash
          PID:1288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrel57Kg26.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrel57Kg26.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4400
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1408
          4⤵
          • Program crash
          PID:3372
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuCU03VW44.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuCU03VW44.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4832 -ip 4832
    1⤵
      PID:528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4400 -ip 4400
      1⤵
        PID:844

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuCU03VW44.exe
        Filesize

        175KB

        MD5

        59c4c1bc546e6704a2c74a168ba05207

        SHA1

        9756cb356a84291ecc4e0abcc5cba7087a2a01dd

        SHA256

        b1ba79fd46f2060b5047891cabb428dfdd04cd8ab4b72f9664c2561a99a6b1fd

        SHA512

        8eec61c928dc0cfd776a80a61e3882937c0a1db42c07ca55f1f178e3da8a4e8bec11f85e1856b92a958051af2a9fe67a61797d91b7c6aa408f1a69105f1c646c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuCU03VW44.exe
        Filesize

        175KB

        MD5

        59c4c1bc546e6704a2c74a168ba05207

        SHA1

        9756cb356a84291ecc4e0abcc5cba7087a2a01dd

        SHA256

        b1ba79fd46f2060b5047891cabb428dfdd04cd8ab4b72f9664c2561a99a6b1fd

        SHA512

        8eec61c928dc0cfd776a80a61e3882937c0a1db42c07ca55f1f178e3da8a4e8bec11f85e1856b92a958051af2a9fe67a61797d91b7c6aa408f1a69105f1c646c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZC40gT63.exe
        Filesize

        550KB

        MD5

        7c3e56f336c83e99321178f8a011d467

        SHA1

        1eea1e295e2b9c7affb5656db6367d07695e4b69

        SHA256

        87b85255ddf1768f0052f88c5457f34d9ef147610679384a2b6e625b175a73d2

        SHA512

        889055c3250a4625526fd8793471a7442b998fa1cea39ea7b63e974fa68cbe1f7a8f5771c3ec812ff897950baa3d074d1bd6885c3beb5d1f385864ced2daa43f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZC40gT63.exe
        Filesize

        550KB

        MD5

        7c3e56f336c83e99321178f8a011d467

        SHA1

        1eea1e295e2b9c7affb5656db6367d07695e4b69

        SHA256

        87b85255ddf1768f0052f88c5457f34d9ef147610679384a2b6e625b175a73d2

        SHA512

        889055c3250a4625526fd8793471a7442b998fa1cea39ea7b63e974fa68cbe1f7a8f5771c3ec812ff897950baa3d074d1bd6885c3beb5d1f385864ced2daa43f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urcf56vD90.exe
        Filesize

        352KB

        MD5

        946e45ca9ca57dbee2abd7de33d70086

        SHA1

        9003d342bb7b083b73c7b67e3a8059e1826d9695

        SHA256

        aa2990a947b4f237d68abb0193d1da436930d427eced5942132bd24fd0bd3bd9

        SHA512

        00743633925a810ce584991704d25034fd3d407838b245d456da54572b3558589acfa5dcbabf9ab09621f143dfc78767cfc979c18346a1e6baa55648405c8c3d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urcf56vD90.exe
        Filesize

        352KB

        MD5

        946e45ca9ca57dbee2abd7de33d70086

        SHA1

        9003d342bb7b083b73c7b67e3a8059e1826d9695

        SHA256

        aa2990a947b4f237d68abb0193d1da436930d427eced5942132bd24fd0bd3bd9

        SHA512

        00743633925a810ce584991704d25034fd3d407838b245d456da54572b3558589acfa5dcbabf9ab09621f143dfc78767cfc979c18346a1e6baa55648405c8c3d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrel57Kg26.exe
        Filesize

        410KB

        MD5

        97581d18424b6968bffda63f4e27c2b0

        SHA1

        501bc8daae8308a502ceae32244e79e55d2282c3

        SHA256

        99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30

        SHA512

        bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrel57Kg26.exe
        Filesize

        410KB

        MD5

        97581d18424b6968bffda63f4e27c2b0

        SHA1

        501bc8daae8308a502ceae32244e79e55d2282c3

        SHA256

        99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30

        SHA512

        bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba

        Download Submit

      • memory/4108-1120-0x00000000057D0000-0x00000000057E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4108-1119-0x0000000000EC0000-0x0000000000EF2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4400-1099-0x0000000008050000-0x000000000815A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4400-1101-0x0000000007430000-0x000000000746C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4400-1113-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-1112-0x00000000095A0000-0x00000000095F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4400-1111-0x0000000009510000-0x0000000009586000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4400-1110-0x0000000008EB0000-0x00000000093DC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4400-1109-0x0000000008CD0000-0x0000000008E92000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4400-1108-0x00000000084C0000-0x0000000008526000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4400-1107-0x0000000008420000-0x00000000084B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4400-1106-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-1105-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-1104-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-1102-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-1100-0x0000000007410000-0x0000000007422000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4400-1098-0x0000000007A30000-0x0000000008048000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4400-225-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-223-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-221-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-219-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-189-0x0000000002BE0000-0x0000000002C2B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4400-191-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-190-0x0000000007470000-0x0000000007480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-192-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-193-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-195-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-197-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-199-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-201-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-203-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-205-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-209-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-207-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-211-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-215-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-213-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4400-217-0x0000000004C20000-0x0000000004C5E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4832-175-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-179-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-184-0x0000000000400000-0x0000000002BC5000-memory.dmp

        Filesize

        39.8MB

        Download

      • memory/4832-182-0x0000000007320000-0x0000000007330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4832-181-0x0000000007320000-0x0000000007330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4832-152-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-180-0x0000000000400000-0x0000000002BC5000-memory.dmp

        Filesize

        39.8MB

        Download

      • memory/4832-171-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-173-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-177-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-155-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-153-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-157-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-169-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-167-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-165-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-163-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-161-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-159-0x0000000007150000-0x0000000007162000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4832-151-0x0000000007320000-0x0000000007330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4832-150-0x0000000007320000-0x0000000007330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4832-149-0x0000000002CA0000-0x0000000002CCD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4832-148-0x0000000007330000-0x00000000078D4000-memory.dmp

        Filesize

        5.6MB

        Download