Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    92s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/03/2023, 15:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a3486545ad0bd7a4e261859218f4e17e488c548754a179ef826ba2558431b03.exe

  • Size

    546KB

  • MD5

    a6a17ee1d667a8134347bdc23323ce98

  • SHA1

    320990bcb550a6d260fbf61beb3c9bed9700807a

  • SHA256

    5a3486545ad0bd7a4e261859218f4e17e488c548754a179ef826ba2558431b03

  • SHA512

    1d6ea325a7c0a02aa246d7d01af74d7eff742ea0869bd5ec0ee02e1777ba8fc90808068cafbd5d8bf2d13ec741568a2572642b190d4e7d72fca079d69da9573b

  • SSDEEP

    12288:YMrZy90sh2Do7vIxuSKsmlX1+1Z1NJOtslMfc4Niqn3MtDPFcxAjf+:hy/23uSKsmh1+1Z1N4tY4cnDdljm

Score
10/10
redlinefoksarostodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

redline

Botnet

foksa

C2

hueref.eu:4162

Attributes
  • auth_value

    6a9b2601a21672b285de3ed41b5402e4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a3486545ad0bd7a4e261859218f4e17e488c548754a179ef826ba2558431b03.exe
    "C:\Users\Admin\AppData\Local\Temp\5a3486545ad0bd7a4e261859218f4e17e488c548754a179ef826ba2558431b03.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkLe8461tk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkLe8461tk.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59vd11Ia41.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59vd11Ia41.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4724
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkmm27gQ44pg.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkmm27gQ44pg.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upXO70cC34ZB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upXO70cC34ZB.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upXO70cC34ZB.exe
    Filesize

    175KB

    MD5

    75ced8ad0d8cd237ebc9cb7b00852651

    SHA1

    adab63df3e0a40fd9f170ab57da66f01f226141c

    SHA256

    a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

    SHA512

    f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upXO70cC34ZB.exe
    Filesize

    175KB

    MD5

    75ced8ad0d8cd237ebc9cb7b00852651

    SHA1

    adab63df3e0a40fd9f170ab57da66f01f226141c

    SHA256

    a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

    SHA512

    f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkLe8461tk.exe
    Filesize

    401KB

    MD5

    62c638d526abb2340af4f92f6a396641

    SHA1

    d4b02edde82262460a83fbf0c82967a027fb0161

    SHA256

    d5743f3546bed22f9a5c9ab41743d5b62da0dc3938bdf1227a366bcb42891532

    SHA512

    db94494bd2f736f16765b3242d5270a7676c505f21c4be31bf254abfdb2633b9031afd0b2e12b80ea7c7204147d81d6cdc1132cc7107238ab96a93c0647e23b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkLe8461tk.exe
    Filesize

    401KB

    MD5

    62c638d526abb2340af4f92f6a396641

    SHA1

    d4b02edde82262460a83fbf0c82967a027fb0161

    SHA256

    d5743f3546bed22f9a5c9ab41743d5b62da0dc3938bdf1227a366bcb42891532

    SHA512

    db94494bd2f736f16765b3242d5270a7676c505f21c4be31bf254abfdb2633b9031afd0b2e12b80ea7c7204147d81d6cdc1132cc7107238ab96a93c0647e23b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59vd11Ia41.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59vd11Ia41.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkmm27gQ44pg.exe
    Filesize

    316KB

    MD5

    28f9cdc1d98a1cc75409868f47b97a28

    SHA1

    73357fb52e032b3e60adf4c1eba1c7e7eb8182d7

    SHA256

    4b45038bbb408abff26ca25e63c726796951c205acf661527c61dd095396d42e

    SHA512

    e347985e7387fccbf6f6f303f87b64a30e0016da1cec4abfeb9ea69859eb746470e4ef118a1ba7fd46615c67c5f816c6e0e47d606d4012473ba0242cdf6a2aa7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkmm27gQ44pg.exe
    Filesize

    316KB

    MD5

    28f9cdc1d98a1cc75409868f47b97a28

    SHA1

    73357fb52e032b3e60adf4c1eba1c7e7eb8182d7

    SHA256

    4b45038bbb408abff26ca25e63c726796951c205acf661527c61dd095396d42e

    SHA512

    e347985e7387fccbf6f6f303f87b64a30e0016da1cec4abfeb9ea69859eb746470e4ef118a1ba7fd46615c67c5f816c6e0e47d606d4012473ba0242cdf6a2aa7

    Download Submit

  • memory/1988-1075-0x0000000000D50000-0x0000000000D82000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1988-1076-0x0000000005610000-0x000000000565B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1988-1077-0x0000000005600000-0x0000000005610000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-180-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-192-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-144-0x0000000005070000-0x00000000050B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3092-143-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-146-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-145-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-147-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-148-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-150-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-152-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-154-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-156-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-158-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-160-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-162-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-164-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-166-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-168-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-170-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-172-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-174-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-176-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-178-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-141-0x0000000004B70000-0x000000000506E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3092-182-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-184-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-186-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-188-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-190-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-142-0x00000000006B0000-0x00000000006FB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3092-194-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-196-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-198-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-200-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-202-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-204-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-206-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-208-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-210-0x0000000005070000-0x00000000050AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-1053-0x00000000051F0000-0x00000000057F6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3092-1054-0x0000000005880000-0x000000000598A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3092-1055-0x00000000059C0000-0x00000000059D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3092-1056-0x00000000059E0000-0x0000000005A1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3092-1057-0x0000000005B30000-0x0000000005B7B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3092-1058-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-1060-0x0000000005CD0000-0x0000000005D36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3092-1062-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-1061-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-1063-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-1064-0x00000000063A0000-0x0000000006432000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3092-1065-0x0000000006440000-0x00000000064B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3092-140-0x0000000004AE0000-0x0000000004B26000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3092-1066-0x00000000064D0000-0x0000000006520000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3092-1067-0x00000000067A0000-0x0000000006962000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3092-1068-0x0000000004B60000-0x0000000004B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-1069-0x0000000006970000-0x0000000006E9C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4724-134-0x0000000000610000-0x000000000061A000-memory.dmp

    Filesize

    40KB

    Download