Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    58s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/03/2023, 02:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    224cd11052d9b94eeaa9ee3ffa073a1452bdcb545eeb7a9702120df05240b347.exe

  • Size

    530KB

  • MD5

    a0ca8917c44dbabbad35ebfdf6247a60

  • SHA1

    2dbbb488d0fb0da3cb17e9dead3eead6450a3fb7

  • SHA256

    224cd11052d9b94eeaa9ee3ffa073a1452bdcb545eeb7a9702120df05240b347

  • SHA512

    dca5657e074f90151a5eb55e95c0c1d3ea206bb85e97bfb7d2279559c9e3b4cf4f32d7a41adae63b5764ba1208396f6ce22fa1b06bb7778ce15ed313fdd80313

  • SSDEEP

    12288:XMrcy90WFT+p6tkk77cX6HWQZzlQ3Zm/7hgqTPd:jyKFk7Zz2Q11

Score
10/10
redlinefoksarostodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

redline

Botnet

foksa

C2

hueref.eu:4162

Attributes
  • auth_value

    6a9b2601a21672b285de3ed41b5402e4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\224cd11052d9b94eeaa9ee3ffa073a1452bdcb545eeb7a9702120df05240b347.exe
    "C:\Users\Admin\AppData\Local\Temp\224cd11052d9b94eeaa9ee3ffa073a1452bdcb545eeb7a9702120df05240b347.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkEo8719Mh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkEo8719Mh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw44zS54bl52.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw44zS54bl52.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkQj45Qv62Yx.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkQj45Qv62Yx.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upZi56OY06bx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upZi56OY06bx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000

Network

  • flag-us
    DNS
    hueref.eu
    upZi56OY06bx.exe
    Remote address:
    8.8.8.8:53
    Request
    hueref.eu
    IN A
    Response
    hueref.eu
    IN A
    193.56.146.11
  • flag-us
    DNS
    11.146.56.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.146.56.193.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.13.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.13.109.52.in-addr.arpa
    IN PTR
    Response
  • 193.56.146.11:4162
    hueref.eu
    tkQj45Qv62Yx.exe
    2.4MB
     34.8kB
     1662
    717
  • 193.56.146.11:4162
    hueref.eu
    upZi56OY06bx.exe
    2.5MB
     36.2kB
     1673
    717
  • 8.8.8.8:53
    hueref.eu
    dns
    upZi56OY06bx.exe
    55 B
     71 B
     1
    1

    DNS Request

    hueref.eu

    DNS Response

    193.56.146.11

  • 8.8.8.8:53
    11.146.56.193.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    11.146.56.193.in-addr.arpa

  • 8.8.8.8:53
    64.13.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    64.13.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upZi56OY06bx.exe
    Filesize

    175KB

    MD5

    75ced8ad0d8cd237ebc9cb7b00852651

    SHA1

    adab63df3e0a40fd9f170ab57da66f01f226141c

    SHA256

    a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

    SHA512

    f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\upZi56OY06bx.exe
    Filesize

    175KB

    MD5

    75ced8ad0d8cd237ebc9cb7b00852651

    SHA1

    adab63df3e0a40fd9f170ab57da66f01f226141c

    SHA256

    a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

    SHA512

    f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkEo8719Mh.exe
    Filesize

    386KB

    MD5

    a25c331b24ed80c7e86a48735b6380eb

    SHA1

    f28bb2f2f71ac0e9cf9a47d4ffb33ef7d455010e

    SHA256

    e8efb9ff8dc8a649b8f9bd33b8dd1c9dcfa5370f1478201ed69ab991834aa8d5

    SHA512

    9911d2ba09ed176c23c82a4e3fba9d2f01a078e4cd8979609dd7a45e21683caf3a58749cc89ce7a2ddf3f5c8936f6bb2e4dbad1f34b29451b3fb25b33c5af709

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkEo8719Mh.exe
    Filesize

    386KB

    MD5

    a25c331b24ed80c7e86a48735b6380eb

    SHA1

    f28bb2f2f71ac0e9cf9a47d4ffb33ef7d455010e

    SHA256

    e8efb9ff8dc8a649b8f9bd33b8dd1c9dcfa5370f1478201ed69ab991834aa8d5

    SHA512

    9911d2ba09ed176c23c82a4e3fba9d2f01a078e4cd8979609dd7a45e21683caf3a58749cc89ce7a2ddf3f5c8936f6bb2e4dbad1f34b29451b3fb25b33c5af709

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw44zS54bl52.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw44zS54bl52.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkQj45Qv62Yx.exe
    Filesize

    289KB

    MD5

    1c795044102f7759152f7661b15c22bf

    SHA1

    66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224

    SHA256

    8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4

    SHA512

    8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkQj45Qv62Yx.exe
    Filesize

    289KB

    MD5

    1c795044102f7759152f7661b15c22bf

    SHA1

    66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224

    SHA256

    8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4

    SHA512

    8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1

    Download Submit

  • memory/2516-135-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4592-141-0x0000000000A00000-0x0000000000A46000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4592-142-0x0000000004EB0000-0x00000000053AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4592-143-0x00000000024B0000-0x00000000024F4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4592-144-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-145-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-147-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-149-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-151-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-155-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-153-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-157-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-159-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-161-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-165-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-163-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-167-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-169-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-173-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-175-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-171-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-177-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-179-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-183-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-181-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-185-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-188-0x0000000000590000-0x00000000005DB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4592-191-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-192-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-190-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-187-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-194-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-196-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-198-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-202-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-210-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-208-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-206-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-204-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-200-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-1053-0x00000000053B0000-0x00000000059B6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4592-1054-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4592-1055-0x00000000026E0000-0x00000000026F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4592-1056-0x0000000004E00000-0x0000000004E3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4592-1057-0x0000000002710000-0x000000000275B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4592-1058-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-1060-0x0000000005B80000-0x0000000005C12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4592-1061-0x0000000005C20000-0x0000000005C86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4592-1062-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-1063-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-1064-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4592-1065-0x0000000006410000-0x00000000065D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4592-1066-0x0000000006600000-0x0000000006B2C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4592-1067-0x0000000006C60000-0x0000000006CD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4592-1068-0x0000000006CE0000-0x0000000006D30000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4592-1069-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-1075-0x0000000000030000-0x0000000000062000-memory.dmp

    Filesize

    200KB

    Download

  • memory/5000-1076-0x0000000004950000-0x0000000004960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-1077-0x0000000004A70000-0x0000000004ABB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5000-1078-0x0000000004950000-0x0000000004960000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.