Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    60s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/03/2023, 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39da6daa95ea93726cc20cfaaf17ad7e7659b5a5fb2928f34be8679b6d987103.exe

  • Size

    560KB

  • MD5

    c157049b914f3024400917c2c1897836

  • SHA1

    fd4653c6777e729cf4f2393a3565643fb4340e09

  • SHA256

    39da6daa95ea93726cc20cfaaf17ad7e7659b5a5fb2928f34be8679b6d987103

  • SHA512

    1b90e3d6eff07d2e4e6cc0659095f447741c6d4b0e75ab24bb91c957e8b1e9931f4b2dc2968309b0ee6a5fdeb141f9c883ada06fd229e9b6f5eb506f780d0cbc

  • SSDEEP

    12288:xMrqy90stAM3tKcg8LQsLcBC8hXRP8FIBkiT:LyB3tAyZo7hXiIyiT

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39da6daa95ea93726cc20cfaaf17ad7e7659b5a5fb2928f34be8679b6d987103.exe
    "C:\Users\Admin\AppData\Local\Temp\39da6daa95ea93726cc20cfaaf17ad7e7659b5a5fb2928f34be8679b6d987103.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyO3143Ih.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyO3143Ih.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf75oP49Jw60.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf75oP49Jw60.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf94fi14aR66.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf94fi14aR66.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhtv26WF91Ew.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhtv26WF91Ew.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhtv26WF91Ew.exe
    Filesize

    176KB

    MD5

    9c5640137fe2a847a67c7cce7b17d806

    SHA1

    5b4fd8b167f30ae591461fe0f7c000f1406dae95

    SHA256

    61e9bf51f10aa80d33945c08a4885b22f73a6ea1d9a112f0c7fcf84bef827b59

    SHA512

    2b8cebcad34ed6abbbe04b01e98cbc6051d99df989ceb6e8f89b2eac44b4f2a0b56812d1dfa131560e9368874391a9dc9f25aa185b363ef388dca737f442f4b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhtv26WF91Ew.exe
    Filesize

    176KB

    MD5

    9c5640137fe2a847a67c7cce7b17d806

    SHA1

    5b4fd8b167f30ae591461fe0f7c000f1406dae95

    SHA256

    61e9bf51f10aa80d33945c08a4885b22f73a6ea1d9a112f0c7fcf84bef827b59

    SHA512

    2b8cebcad34ed6abbbe04b01e98cbc6051d99df989ceb6e8f89b2eac44b4f2a0b56812d1dfa131560e9368874391a9dc9f25aa185b363ef388dca737f442f4b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyO3143Ih.exe
    Filesize

    415KB

    MD5

    a42e97565d3f84d8cc054ec577020bc1

    SHA1

    8fb2e559e72638cdf9c2cfc1fad848ea0f7bad62

    SHA256

    401c804e592e5f973147c539f1fa2281a8127a32cf9c139dcb647bf93b9e0ac8

    SHA512

    c110a619ed85bec153e9bcda4e5469aa315585c0f6fdad1bf81f3764a6de5f41b65b9e311afcb52633eec870090a0f1a7ec7d12b20eec1b822cf2892f549bd54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyO3143Ih.exe
    Filesize

    415KB

    MD5

    a42e97565d3f84d8cc054ec577020bc1

    SHA1

    8fb2e559e72638cdf9c2cfc1fad848ea0f7bad62

    SHA256

    401c804e592e5f973147c539f1fa2281a8127a32cf9c139dcb647bf93b9e0ac8

    SHA512

    c110a619ed85bec153e9bcda4e5469aa315585c0f6fdad1bf81f3764a6de5f41b65b9e311afcb52633eec870090a0f1a7ec7d12b20eec1b822cf2892f549bd54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf75oP49Jw60.exe
    Filesize

    11KB

    MD5

    0c3d377a0c6e48ada16a67496e1fae1a

    SHA1

    cd6e88b40eb74a61c3cc39f2aa571ce9a5dad422

    SHA256

    cfd5f8ce02d6d06bcaa69e1a325696c6e6b5febddfbfccfe58cf51c7d2615ec4

    SHA512

    b650fcc6fb98fa024b1f8a27904f8d1a65bff69e106e3cc48693ab653daa131c2e956933baf67b87f6edab0e50befbd40c3b3885a21d94c009e5ab4c51a75fb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf75oP49Jw60.exe
    Filesize

    11KB

    MD5

    0c3d377a0c6e48ada16a67496e1fae1a

    SHA1

    cd6e88b40eb74a61c3cc39f2aa571ce9a5dad422

    SHA256

    cfd5f8ce02d6d06bcaa69e1a325696c6e6b5febddfbfccfe58cf51c7d2615ec4

    SHA512

    b650fcc6fb98fa024b1f8a27904f8d1a65bff69e106e3cc48693ab653daa131c2e956933baf67b87f6edab0e50befbd40c3b3885a21d94c009e5ab4c51a75fb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf94fi14aR66.exe
    Filesize

    415KB

    MD5

    79645f4c4f6de9b74ca0120b7a2ff217

    SHA1

    e093a94b5415be8ebbc90a52807b811eb339823e

    SHA256

    cfa90800c04f1f257f52d7f8d63b001b37796b3f1da67b271d6c76feeda8306a

    SHA512

    13ae7f81ffa0ff1196334f870cdcaa7ac46be0bd6de36caceda5251b77a3dac0ccc8b33dc2ec7ca4a06bb96bf5017d68ea74ba373ebcdebf0e9318bb11803cd0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf94fi14aR66.exe
    Filesize

    415KB

    MD5

    79645f4c4f6de9b74ca0120b7a2ff217

    SHA1

    e093a94b5415be8ebbc90a52807b811eb339823e

    SHA256

    cfa90800c04f1f257f52d7f8d63b001b37796b3f1da67b271d6c76feeda8306a

    SHA512

    13ae7f81ffa0ff1196334f870cdcaa7ac46be0bd6de36caceda5251b77a3dac0ccc8b33dc2ec7ca4a06bb96bf5017d68ea74ba373ebcdebf0e9318bb11803cd0

    Download Submit

  • memory/448-136-0x00000000070E0000-0x0000000007126000-memory.dmp

    Filesize

    280KB

    Download

  • memory/448-137-0x0000000002D00000-0x0000000002D4B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/448-138-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-139-0x00000000072C0000-0x00000000077BE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/448-140-0x0000000007160000-0x00000000071A4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/448-141-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-142-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-144-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-146-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-148-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-150-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-154-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-156-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-152-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-158-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-161-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-160-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-164-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-163-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-166-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-168-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-170-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-172-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-174-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-176-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-178-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-180-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-182-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-184-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-186-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-188-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-190-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-192-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-194-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-196-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-198-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-200-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-202-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-204-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-206-0x0000000007160000-0x000000000719E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-1049-0x0000000007ED0000-0x00000000084D6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/448-1050-0x00000000078C0000-0x00000000079CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/448-1051-0x00000000079F0000-0x0000000007A02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/448-1052-0x0000000007A10000-0x0000000007A4E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/448-1053-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-1054-0x0000000007B60000-0x0000000007BAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/448-1056-0x0000000007CF0000-0x0000000007D56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/448-1057-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-1058-0x00000000089F0000-0x0000000008A82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/448-1059-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-1060-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-1061-0x0000000008CF0000-0x0000000008D66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/448-1062-0x0000000008D70000-0x0000000008DC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/448-1063-0x0000000008DE0000-0x0000000008FA2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/448-1064-0x00000000072B0000-0x00000000072C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/448-1065-0x0000000008FB0000-0x00000000094DC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1372-130-0x00000000002D0000-0x00000000002DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2884-1071-0x0000000000F10000-0x0000000000F42000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2884-1072-0x0000000005950000-0x000000000599B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2884-1073-0x0000000005B20000-0x0000000005B30000-memory.dmp

    Filesize

    64KB

    Download