Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe

  • Size

    561KB

  • MD5

    58c9ca78b279871d0ff1cf16506a167f

  • SHA1

    92d1d776e34e53bee72bd68b304b7d305b476a33

  • SHA256

    fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c

  • SHA512

    640d99da3bc1ac97a87246f78818dddcd84223e5267d4fdf7a40c13f151e74ba513b6216073ac84bdabc8859cadf746895abd695f8b8686a4f7634a2589702aa

  • SSDEEP

    12288:XMrey90BoAm0CXayg1+zvgv72HD4y9bKqiLba2SihJH:JyCCqygYzIv72HDL9bYJ/JH

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe
    "C:\Users\Admin\AppData\Local\Temp\fdd783d91c2ecbf36e059f188ca2e5caa8adf02df37ae6eaf7f16f60a57dae5c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKy8243Rf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKy8243Rf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf48EG04zG22.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf48EG04zG22.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12bv42VO09.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12bv42VO09.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3288
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 996
          4⤵
          • Program crash
          PID:3988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmI91uw91Eh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmI91uw91Eh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3288 -ip 3288
    1⤵
      PID:4388

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmI91uw91Eh.exe
      Filesize

      176KB

      MD5

      189ea510d09a705a27202959556e80a7

      SHA1

      2395ef998728c9c18d146da39f9a4d7ac6f1599d

      SHA256

      9c899c73ed5019e5003cf258c4c2eff0ee4035369873c0d4d5ac3d8dc06b819f

      SHA512

      a5abe067aeb0ea9a48fbeb1c02feb95be850fb892c391055a11adf88d69adbf868c2edaa775a831e7e1d28f102a93773c65fd5663b0ef45ee4fc4b30dd00ea67

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhmI91uw91Eh.exe
      Filesize

      176KB

      MD5

      189ea510d09a705a27202959556e80a7

      SHA1

      2395ef998728c9c18d146da39f9a4d7ac6f1599d

      SHA256

      9c899c73ed5019e5003cf258c4c2eff0ee4035369873c0d4d5ac3d8dc06b819f

      SHA512

      a5abe067aeb0ea9a48fbeb1c02feb95be850fb892c391055a11adf88d69adbf868c2edaa775a831e7e1d28f102a93773c65fd5663b0ef45ee4fc4b30dd00ea67

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKy8243Rf.exe
      Filesize

      417KB

      MD5

      e517b7428cdc7cbbcab1dd56be0d1d6b

      SHA1

      f4412f79d04dd0865c18fffab353510cefc28cd2

      SHA256

      c9d227fe88d9e1340972bf80e1db86c2c35ebb929786ce9babf9ed0daae687e1

      SHA512

      1413645151a7ae09ebba266ce9b271444258cf3eea1dc505f16860c32e7b380a987a4689da8378adee54fed5e55e42d6f4e96c8594dc925314dd808301e5be62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhKy8243Rf.exe
      Filesize

      417KB

      MD5

      e517b7428cdc7cbbcab1dd56be0d1d6b

      SHA1

      f4412f79d04dd0865c18fffab353510cefc28cd2

      SHA256

      c9d227fe88d9e1340972bf80e1db86c2c35ebb929786ce9babf9ed0daae687e1

      SHA512

      1413645151a7ae09ebba266ce9b271444258cf3eea1dc505f16860c32e7b380a987a4689da8378adee54fed5e55e42d6f4e96c8594dc925314dd808301e5be62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf48EG04zG22.exe
      Filesize

      11KB

      MD5

      8881bb2e0748c0ea4141ca241ccda005

      SHA1

      9f80fd8d747f1703bd782fd150c33f9f55ef51a8

      SHA256

      e39aa1b024cd6d15a7e18433a457faa4c532abe1db806cfd6430d09984570072

      SHA512

      6f9f638589a9ff44fdaba644720596be34bd08e01ff2d353ce5bfe3e63bfb5de0778ad8b8e0f6867e8eb32e64320fa0d932885e1dff27aedca71920977476dc5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf48EG04zG22.exe
      Filesize

      11KB

      MD5

      8881bb2e0748c0ea4141ca241ccda005

      SHA1

      9f80fd8d747f1703bd782fd150c33f9f55ef51a8

      SHA256

      e39aa1b024cd6d15a7e18433a457faa4c532abe1db806cfd6430d09984570072

      SHA512

      6f9f638589a9ff44fdaba644720596be34bd08e01ff2d353ce5bfe3e63bfb5de0778ad8b8e0f6867e8eb32e64320fa0d932885e1dff27aedca71920977476dc5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12bv42VO09.exe
      Filesize

      416KB

      MD5

      3298bce398b0b8db15538825fc22ec70

      SHA1

      97382a7c1ec70bd6549554c69ae3a8b18daddc9c

      SHA256

      c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd

      SHA512

      4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf12bv42VO09.exe
      Filesize

      416KB

      MD5

      3298bce398b0b8db15538825fc22ec70

      SHA1

      97382a7c1ec70bd6549554c69ae3a8b18daddc9c

      SHA256

      c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd

      SHA512

      4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737

      Download Submit

    • memory/1308-1083-0x0000000000BD0000-0x0000000000C02000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1308-1084-0x0000000005470000-0x0000000005480000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2804-147-0x0000000000540000-0x000000000054A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3288-201-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-207-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-155-0x0000000007330000-0x00000000078D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3288-156-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-157-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-159-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-161-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-163-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-165-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-167-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-169-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-171-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-173-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-175-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-177-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-179-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-181-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-189-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-187-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-153-0x0000000002F80000-0x0000000002FCB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3288-203-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-199-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-205-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-197-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-195-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-154-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3288-209-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-193-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-191-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-185-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-183-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-213-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-215-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-211-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-218-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3288-217-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-220-0x00000000071C0000-0x00000000071FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3288-1063-0x00000000079E0000-0x0000000007FF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3288-1064-0x0000000008000000-0x000000000810A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3288-1065-0x0000000008110000-0x0000000008122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3288-1066-0x0000000008130000-0x000000000816C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3288-1067-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3288-1069-0x0000000008410000-0x00000000084A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3288-1070-0x00000000084B0000-0x0000000008516000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3288-1071-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3288-1072-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3288-1073-0x0000000008CB0000-0x0000000008D26000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3288-1074-0x0000000008D40000-0x0000000008D90000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3288-1075-0x0000000008F00000-0x00000000090C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3288-1076-0x00000000090E0000-0x000000000960C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3288-1077-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download