Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 04:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1e7dfd049f963c0a7c248960ee93b4bea16713beb5f554de49040b24a380f1f.exe

  • Size

    526KB

  • MD5

    bdfa32d6ff3f8a09929cd5d2a29c9b76

  • SHA1

    dc236a94d7bf45af931439c773278b5fce43b689

  • SHA256

    f1e7dfd049f963c0a7c248960ee93b4bea16713beb5f554de49040b24a380f1f

  • SHA512

    5f552f2babb146b0e56a2a8700a0e3e9f770595f3ff8fac33aef7a1512bfdc3d9b5689745a58f8a28581eaaf55e61b25d23dd0ca159323862d942aba9fe45359

  • SSDEEP

    12288:UMrLy90bTt3sA0saZTVt9x0J/nUy4iNuoMkCyWk:Hyl/FZbc/UG/oA

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1e7dfd049f963c0a7c248960ee93b4bea16713beb5f554de49040b24a380f1f.exe
    "C:\Users\Admin\AppData\Local\Temp\f1e7dfd049f963c0a7c248960ee93b4bea16713beb5f554de49040b24a380f1f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSl9816Kx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSl9816Kx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf10fb22sb62.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf10fb22sb62.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf30Zu94Il92.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf30Zu94Il92.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1664
          4⤵
          • Program crash
          PID:404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhNE29de43cn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhNE29de43cn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5116 -ip 5116
    1⤵
      PID:2692

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhNE29de43cn.exe
      Filesize

      175KB

      MD5

      1f4785d410d5cc26aff2e4fced4ef01f

      SHA1

      25c58dce2fb637ff4d0bed01f87f4989fc96baff

      SHA256

      35235ef55f6d67d77cfa12126b4059fd26a9a3adc042933a55402006a205b440

      SHA512

      72e836f7d61b00d163aeba005e9ec0fc88f1e72e7c2d225595369a61db640aa66d074348d9179ece0ac37b6258bbb0eabf1b4d2fba55456543dcbf4d3fc97967

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhNE29de43cn.exe
      Filesize

      175KB

      MD5

      1f4785d410d5cc26aff2e4fced4ef01f

      SHA1

      25c58dce2fb637ff4d0bed01f87f4989fc96baff

      SHA256

      35235ef55f6d67d77cfa12126b4059fd26a9a3adc042933a55402006a205b440

      SHA512

      72e836f7d61b00d163aeba005e9ec0fc88f1e72e7c2d225595369a61db640aa66d074348d9179ece0ac37b6258bbb0eabf1b4d2fba55456543dcbf4d3fc97967

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSl9816Kx.exe
      Filesize

      382KB

      MD5

      3e66f8852ff9e3a659f37e21b047f218

      SHA1

      75577144e58a3e8ce99bd6dca2bd3d0f4bd9160a

      SHA256

      3b9c35800b3a4f105025cc0172a1bbb3f48f0ff7c7b8a8f3f9e38da81be0eafe

      SHA512

      0ca35d48c50ce31b96c28c1a6d327f5fb449823aa3233457dd20206a3c66573cf903feec2dbfd224a912a34a3f1a49ce838d2608c4330dd956899633b0a8d956

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSl9816Kx.exe
      Filesize

      382KB

      MD5

      3e66f8852ff9e3a659f37e21b047f218

      SHA1

      75577144e58a3e8ce99bd6dca2bd3d0f4bd9160a

      SHA256

      3b9c35800b3a4f105025cc0172a1bbb3f48f0ff7c7b8a8f3f9e38da81be0eafe

      SHA512

      0ca35d48c50ce31b96c28c1a6d327f5fb449823aa3233457dd20206a3c66573cf903feec2dbfd224a912a34a3f1a49ce838d2608c4330dd956899633b0a8d956

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf10fb22sb62.exe
      Filesize

      11KB

      MD5

      72dd8134e04d4fa874a7035c66e72d44

      SHA1

      bd019ecc8f841401fd587389fc91966bf5e9a1b3

      SHA256

      d4fb61c25eed0fd20d4c3f3231c89402ab5218093758194b9dc1fb7f0aa2b4f7

      SHA512

      f95ca2c1894529095f1eb212698268f6aee2285fd737b28367c8847abf0c826e40f086e6c2643bff498fd70c7e3aac9025fec526e064a8a0a2e3712fe47785aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf10fb22sb62.exe
      Filesize

      11KB

      MD5

      72dd8134e04d4fa874a7035c66e72d44

      SHA1

      bd019ecc8f841401fd587389fc91966bf5e9a1b3

      SHA256

      d4fb61c25eed0fd20d4c3f3231c89402ab5218093758194b9dc1fb7f0aa2b4f7

      SHA512

      f95ca2c1894529095f1eb212698268f6aee2285fd737b28367c8847abf0c826e40f086e6c2643bff498fd70c7e3aac9025fec526e064a8a0a2e3712fe47785aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf30Zu94Il92.exe
      Filesize

      364KB

      MD5

      0fb36e6dfd2286b0bb7e48c476a3f73b

      SHA1

      38801c7ea1faf291cb471397c38630a305518828

      SHA256

      edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e

      SHA512

      95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf30Zu94Il92.exe
      Filesize

      364KB

      MD5

      0fb36e6dfd2286b0bb7e48c476a3f73b

      SHA1

      38801c7ea1faf291cb471397c38630a305518828

      SHA256

      edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e

      SHA512

      95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d

      Download Submit

    • memory/3044-1085-0x00000000002B0000-0x00000000002E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3044-1086-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3844-147-0x0000000000110000-0x000000000011A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5116-189-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-201-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-157-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-158-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-156-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-155-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-159-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-161-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-163-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-165-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-167-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-169-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-171-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-173-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-175-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-177-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-179-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-181-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-183-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-185-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-187-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-153-0x0000000004BF0000-0x0000000005194000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5116-191-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-193-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-195-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-197-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-199-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-154-0x00000000005A0000-0x00000000005EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5116-203-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-205-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-207-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-209-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-211-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-213-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-215-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-217-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-219-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-221-0x0000000004B40000-0x0000000004B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5116-1064-0x00000000052E0000-0x00000000058F8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5116-1065-0x0000000005980000-0x0000000005A8A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5116-1067-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-1066-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5116-1068-0x0000000005B20000-0x0000000005B5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5116-1070-0x0000000005DD0000-0x0000000005E36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5116-1071-0x00000000064A0000-0x0000000006532000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5116-1072-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-1074-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-1073-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-1075-0x0000000006590000-0x0000000006606000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5116-1076-0x0000000006620000-0x0000000006670000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5116-1077-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5116-1078-0x0000000006680000-0x0000000006842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5116-1079-0x0000000006860000-0x0000000006D8C000-memory.dmp

      Filesize

      5.2MB

      Download