Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe

  • Size

    560KB

  • MD5

    291421df6f7af2898e2ddeed7f67168d

  • SHA1

    96d55b36bd7bd9501cf515039dae0d94bc843b73

  • SHA256

    086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226

  • SHA512

    7c7b40be2348defe6abf89bbbb6c39c823f2f4791471f26d313d7e655773475a7d0c34a95beddaf1921af4c011dc18d4324b3a501d1ad84d484a0ec19b6a0d7c

  • SSDEEP

    12288:lMrjy90TSDQKCL6Xo0UTWTwW3EdFTVGKT/+ujT8HN05VE5YKr:uyOIQKCHxTEwW3MFTAuv8XX

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe
    "C:\Users\Admin\AppData\Local\Temp\086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSo1836RG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSo1836RG.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf43iD52aO12.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf43iD52aO12.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Fr94ad10.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Fr94ad10.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1712
          4⤵
          • Program crash
          PID:2424
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHC80LW80SJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHC80LW80SJ.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4596
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4976 -ip 4976
    1⤵
      PID:3472

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHC80LW80SJ.exe
      Filesize

      175KB

      MD5

      074f4204e6267a64ef26c723326d5ceb

      SHA1

      116e697dc862d8299264659bb57960513ad4fdc2

      SHA256

      6b765d5dd106f8dc11f38644991f1c22e2d6c3299817a5138bb3009accdd8c01

      SHA512

      f17e9cec446cd3ec2fd1d269f32b915d0ba5a330339214213424aa04c3fb8c3ecb5f70fc3ba60725da55956cc801bca0dfaf0b03a6ea5e6bb4ae2c08121e34e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhHC80LW80SJ.exe
      Filesize

      175KB

      MD5

      074f4204e6267a64ef26c723326d5ceb

      SHA1

      116e697dc862d8299264659bb57960513ad4fdc2

      SHA256

      6b765d5dd106f8dc11f38644991f1c22e2d6c3299817a5138bb3009accdd8c01

      SHA512

      f17e9cec446cd3ec2fd1d269f32b915d0ba5a330339214213424aa04c3fb8c3ecb5f70fc3ba60725da55956cc801bca0dfaf0b03a6ea5e6bb4ae2c08121e34e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSo1836RG.exe
      Filesize

      415KB

      MD5

      f55b1789dca5686179ffe9d8137b4e9e

      SHA1

      c210dd8a69a442c9fdc77c629a9a1556c969a0f8

      SHA256

      cd9c2b4e15e513cef5bfe400369433d1d74a5bcf9681ed14b44117779320a87b

      SHA512

      d179392008142a16599d5405d774d7e875f575cf5ab88347442dc83829c35015cf7aa56433121970db7d09f4a06a0d8b9ea0c422eee86cff289d19e6a5a87ddf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSo1836RG.exe
      Filesize

      415KB

      MD5

      f55b1789dca5686179ffe9d8137b4e9e

      SHA1

      c210dd8a69a442c9fdc77c629a9a1556c969a0f8

      SHA256

      cd9c2b4e15e513cef5bfe400369433d1d74a5bcf9681ed14b44117779320a87b

      SHA512

      d179392008142a16599d5405d774d7e875f575cf5ab88347442dc83829c35015cf7aa56433121970db7d09f4a06a0d8b9ea0c422eee86cff289d19e6a5a87ddf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf43iD52aO12.exe
      Filesize

      11KB

      MD5

      7f6b0d19eb465e3d5c9b7d7cc7ecfcdb

      SHA1

      9926bd748b6b11db1ad78962cf284267d5559b73

      SHA256

      36fe72b3737a3096cd932712efcf73ba1051202bb15e63cfd75d93a65524e606

      SHA512

      3b7c2cfd0a1093d70edd8d833720db82f8b0032a94b3a4be8ee0ad7559ca8f1308f8d5b2bfbcd47f92d10d2e12405143a085c2cc8ee44a7f9d1250c9dfe5c084

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf43iD52aO12.exe
      Filesize

      11KB

      MD5

      7f6b0d19eb465e3d5c9b7d7cc7ecfcdb

      SHA1

      9926bd748b6b11db1ad78962cf284267d5559b73

      SHA256

      36fe72b3737a3096cd932712efcf73ba1051202bb15e63cfd75d93a65524e606

      SHA512

      3b7c2cfd0a1093d70edd8d833720db82f8b0032a94b3a4be8ee0ad7559ca8f1308f8d5b2bfbcd47f92d10d2e12405143a085c2cc8ee44a7f9d1250c9dfe5c084

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Fr94ad10.exe
      Filesize

      416KB

      MD5

      9ce8c74a533c9909e622ad2c5700ca63

      SHA1

      bcce3e38eaf3c3b741bad36507671231d94ef844

      SHA256

      a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

      SHA512

      98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Fr94ad10.exe
      Filesize

      416KB

      MD5

      9ce8c74a533c9909e622ad2c5700ca63

      SHA1

      bcce3e38eaf3c3b741bad36507671231d94ef844

      SHA256

      a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

      SHA512

      98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

      Download Submit

    • memory/4012-147-0x0000000000730000-0x000000000073A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4596-1085-0x00000000003C0000-0x00000000003F2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4596-1086-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-189-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-201-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-155-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-157-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-156-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-158-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-159-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-161-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-163-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-165-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-167-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-169-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-171-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-173-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-175-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-177-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-179-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-181-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-183-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-185-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-187-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-153-0x0000000007280000-0x0000000007824000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4976-191-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-193-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-195-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-197-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-199-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-154-0x0000000002BE0000-0x0000000002C2B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4976-203-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-205-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-207-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-209-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-211-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-213-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-215-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-217-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-219-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-221-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4976-1064-0x0000000007830000-0x0000000007E48000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4976-1065-0x0000000007E90000-0x0000000007F9A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4976-1066-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4976-1067-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-1068-0x0000000007FE0000-0x000000000801C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4976-1070-0x00000000082D0000-0x0000000008362000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4976-1071-0x0000000008370000-0x00000000083D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4976-1072-0x0000000008A70000-0x0000000008AE6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4976-1073-0x0000000008B00000-0x0000000008B50000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4976-1074-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-1075-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-1076-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-1077-0x0000000008B70000-0x0000000008D32000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4976-1078-0x0000000008D40000-0x000000000926C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4976-1079-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download