Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2023, 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4c1c0a99e5f74b64dde62c63e120b3cbe275e21e18d1386e3fd8391e18605e8.exe

  • Size

    525KB

  • MD5

    384aa64255a41ab456245fe9ce8651da

  • SHA1

    7bd8ef2658ea9ecbf4931fbb9412959b541e8889

  • SHA256

    a4c1c0a99e5f74b64dde62c63e120b3cbe275e21e18d1386e3fd8391e18605e8

  • SHA512

    abd7eb35a49b70b1dced17d30c352b57273b5885f0b9f707d154d80e0e7ced9829c2fb2221a23b7290ef9951b53fff249ef7dd3320e58da9b65ae66abf6b59cb

  • SSDEEP

    12288:XMr8y90bUI5kVrXoRgNNDDIcoWC1P4OSsi:nyaUI5kJXugNhAA5

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4c1c0a99e5f74b64dde62c63e120b3cbe275e21e18d1386e3fd8391e18605e8.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c1c0a99e5f74b64dde62c63e120b3cbe275e21e18d1386e3fd8391e18605e8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCY2668Vs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCY2668Vs.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf74OF89BV53.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf74OF89BV53.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf91nE73cG36.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf91nE73cG36.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1340
          4⤵
          • Program crash
          PID:4708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhhl31wH91GZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhhl31wH91GZ.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3808 -ip 3808
    1⤵
      PID:1424
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhhl31wH91GZ.exe
      Filesize

      176KB

      MD5

      f3603a70dfc6175802a69e0a8608b912

      SHA1

      422f28879e2280ebf951c7469ac34fa79f3e9cd5

      SHA256

      af7f22fb13aa325eb72fa3128453407aac1b04f962baf0fe6bfd7eed3c9630f3

      SHA512

      766e6b37960c0a5e22653ad9c90fbbba746e4366b9f5244b872a93cf1f47dee3feb64cc52bd3dda53a9a364530a80fd27a200b6e9aaf3ffcc1750c61698fed99

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhhl31wH91GZ.exe
      Filesize

      176KB

      MD5

      f3603a70dfc6175802a69e0a8608b912

      SHA1

      422f28879e2280ebf951c7469ac34fa79f3e9cd5

      SHA256

      af7f22fb13aa325eb72fa3128453407aac1b04f962baf0fe6bfd7eed3c9630f3

      SHA512

      766e6b37960c0a5e22653ad9c90fbbba746e4366b9f5244b872a93cf1f47dee3feb64cc52bd3dda53a9a364530a80fd27a200b6e9aaf3ffcc1750c61698fed99

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCY2668Vs.exe
      Filesize

      380KB

      MD5

      edbbd7dc730a48e8bf5aba99ab254aac

      SHA1

      c500ca1f461c9ea29c4f99aa22dce386eddf4ef2

      SHA256

      aebd5c45aa2f58935f349a3e55f1a6cc4ec7df2ea1a23ae61af53f68023a809d

      SHA512

      255bd8a6e9924fe06a6a4bbd76369d4fa5ba4d3ae942a3b50afe788c5853d1f49c2d034e71daff1f9dd9f4c88be2f9f69eeffe9a31e336ce2e072467ff0423ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhCY2668Vs.exe
      Filesize

      380KB

      MD5

      edbbd7dc730a48e8bf5aba99ab254aac

      SHA1

      c500ca1f461c9ea29c4f99aa22dce386eddf4ef2

      SHA256

      aebd5c45aa2f58935f349a3e55f1a6cc4ec7df2ea1a23ae61af53f68023a809d

      SHA512

      255bd8a6e9924fe06a6a4bbd76369d4fa5ba4d3ae942a3b50afe788c5853d1f49c2d034e71daff1f9dd9f4c88be2f9f69eeffe9a31e336ce2e072467ff0423ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf74OF89BV53.exe
      Filesize

      12KB

      MD5

      f3d6faa289bef8560f30e04a9e46d3ea

      SHA1

      085f0ee273363955e353c79eb0c3e547d4d61a68

      SHA256

      200cb167ba253cbba789ebf9279fde649f2d33babb11233bc1ad8ec96723a828

      SHA512

      2612381c78a19e93d3d47c948f42f85acf1f9d6127ed912d06b3c9d8cd2a455407c39ab5d8277aa520f1b28740b3ba34b0250770de243ee86292c3b9bc67cfd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf74OF89BV53.exe
      Filesize

      12KB

      MD5

      f3d6faa289bef8560f30e04a9e46d3ea

      SHA1

      085f0ee273363955e353c79eb0c3e547d4d61a68

      SHA256

      200cb167ba253cbba789ebf9279fde649f2d33babb11233bc1ad8ec96723a828

      SHA512

      2612381c78a19e93d3d47c948f42f85acf1f9d6127ed912d06b3c9d8cd2a455407c39ab5d8277aa520f1b28740b3ba34b0250770de243ee86292c3b9bc67cfd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf91nE73cG36.exe
      Filesize

      291KB

      MD5

      249978248eadf5f91425671a026f54a0

      SHA1

      80596f205182dcbeb05b93e5cdb77a067c723cf1

      SHA256

      0acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682

      SHA512

      aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf91nE73cG36.exe
      Filesize

      291KB

      MD5

      249978248eadf5f91425671a026f54a0

      SHA1

      80596f205182dcbeb05b93e5cdb77a067c723cf1

      SHA256

      0acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682

      SHA512

      aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14

      Download Submit

    • memory/2456-147-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3808-153-0x0000000000660000-0x00000000006AB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3808-154-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-157-0x0000000004C90000-0x0000000005234000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3808-156-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-155-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-158-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-159-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-161-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-163-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-165-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-167-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-169-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-171-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-173-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-175-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-177-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-179-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-181-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-183-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-185-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-187-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-189-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-191-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-193-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-195-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-197-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-199-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-201-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-203-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-205-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-207-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-209-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-211-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-213-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-215-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-217-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-219-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-221-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3808-1064-0x0000000005340000-0x0000000005958000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3808-1065-0x0000000005970000-0x0000000005A7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3808-1066-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3808-1067-0x0000000005BD0000-0x0000000005C0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3808-1068-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-1070-0x0000000005DC0000-0x0000000005E26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3808-1071-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-1072-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3808-1073-0x0000000006590000-0x0000000006622000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3808-1074-0x0000000006660000-0x00000000066D6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3808-1075-0x00000000066F0000-0x0000000006740000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3808-1076-0x00000000068B0000-0x0000000006A72000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3808-1077-0x0000000006A90000-0x0000000006FBC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3808-1078-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4268-1084-0x00000000009D0000-0x0000000000A02000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4268-1085-0x0000000005590000-0x00000000055A0000-memory.dmp

      Filesize

      64KB

      Download