Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2023, 18:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc.exe

  • Size

    551KB

  • MD5

    08399fbd2b2bfb73d66d93bdda8b7d48

  • SHA1

    4a01afecf211de913c551a697160b94c7ec229c6

  • SHA256

    0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc

  • SHA512

    36d58277ddb0a65e82948995c0949724d6b353b7c8b0eba16fa6c8e489018a4eb055d69c36c304452b79a1a1554ab0a70b69d4ccace9c9fb55414295e400cd93

  • SSDEEP

    12288:vMrey90ooJtTcJaWHcC9qWRP2XeUS3d7NAKSs:hyboLs8ul4XTiNAKL

Score
10/10
redlinedezikmangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

dezik

C2

193.56.146.220:4174

Attributes
  • auth_value

    d39f21dca8edc10800b036ab83f4d75e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc.exe
    "C:\Users\Admin\AppData\Local\Temp\0b9e27416b5a34c7b7ab25b61a2b4c598d2e0ff5683e23fe59a7c60fa7ecfecc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4736
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1344
          4⤵
          • Program crash
          PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4224 -ip 4224
    1⤵
      PID:2084

    Network

    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.20.233.193.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.20.233.193.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      220.146.56.193.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      220.146.56.193.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      199.176.139.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      199.176.139.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      113.238.32.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      113.238.32.23.in-addr.arpa
      IN PTR
      Response
      113.238.32.23.in-addr.arpa
      IN PTR
      a23-32-238-113deploystaticakamaitechnologiescom
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      233.141.123.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.141.123.20.in-addr.arpa
      IN PTR
      Response
    • 193.233.20.28:4125
      c84WG97.exe
      2.7MB
       44.3kB
       2025
      919
    • 193.56.146.220:4174
      dFuRP83.exe
      2.7MB
       35.1kB
       1993
      722
    • 20.189.173.2:443
      322 B
       7
    • 209.197.3.8:80
      322 B
       7
    • 173.223.113.164:443
      322 B
       7
    • 204.79.197.203:80
      322 B
       7
    • 8.238.177.126:80
      322 B
       7
    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      28.20.233.193.in-addr.arpa
      dns
      72 B
       127 B
       1
      1

      DNS Request

      28.20.233.193.in-addr.arpa

    • 8.8.8.8:53
      220.146.56.193.in-addr.arpa
      dns
      73 B
       133 B
       1
      1

      DNS Request

      220.146.56.193.in-addr.arpa

    • 8.8.8.8:53
      199.176.139.52.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      199.176.139.52.in-addr.arpa

    • 8.8.8.8:53
      113.238.32.23.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      113.238.32.23.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      233.141.123.20.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      233.141.123.20.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
      Filesize

      175KB

      MD5

      92f2a148b8f701e50e2f838f73d4d7b7

      SHA1

      324d8546e35d4f4285cac15b21620299ba5cb023

      SHA256

      9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

      SHA512

      3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dFuRP83.exe
      Filesize

      175KB

      MD5

      92f2a148b8f701e50e2f838f73d4d7b7

      SHA1

      324d8546e35d4f4285cac15b21620299ba5cb023

      SHA256

      9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

      SHA512

      3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
      Filesize

      406KB

      MD5

      6d71f9388acecd60554cf4817e1bbd2a

      SHA1

      ca40b04f3b5f50a015d697882de08dd8ff00532b

      SHA256

      9db10788ffa62dedce8030529edf9d7d80a102f3c994b244a0e842d2b3ba07d4

      SHA512

      fc7160003015796614c6c13abda78eb84fbdd48f4ccc11b58c030d16883c1eff59a336d3de61f1259237fabaa3cddbc2c0cce8f83ade7625f78be08d54a64945

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7817.exe
      Filesize

      406KB

      MD5

      6d71f9388acecd60554cf4817e1bbd2a

      SHA1

      ca40b04f3b5f50a015d697882de08dd8ff00532b

      SHA256

      9db10788ffa62dedce8030529edf9d7d80a102f3c994b244a0e842d2b3ba07d4

      SHA512

      fc7160003015796614c6c13abda78eb84fbdd48f4ccc11b58c030d16883c1eff59a336d3de61f1259237fabaa3cddbc2c0cce8f83ade7625f78be08d54a64945

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1163pI.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
      Filesize

      373KB

      MD5

      dd7930d20da878defc3aafb3245b959d

      SHA1

      231d425066fdcab6a39deec4da1137562c137377

      SHA256

      3be662de8c33cc9ba26027c8fedde6cf95366f8c69dbb7eb1d1eac7820421144

      SHA512

      d0c9dc313c444a8a8fbc8fc5dc5f67dded8b7bc6997affecda16cde59b799b6ffa9730436002191fc1ad0663cf8fafeac3d1c992c5f793153f280a97565132e0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c84WG97.exe
      Filesize

      373KB

      MD5

      dd7930d20da878defc3aafb3245b959d

      SHA1

      231d425066fdcab6a39deec4da1137562c137377

      SHA256

      3be662de8c33cc9ba26027c8fedde6cf95366f8c69dbb7eb1d1eac7820421144

      SHA512

      d0c9dc313c444a8a8fbc8fc5dc5f67dded8b7bc6997affecda16cde59b799b6ffa9730436002191fc1ad0663cf8fafeac3d1c992c5f793153f280a97565132e0

      Download Submit

    • memory/1112-1085-0x0000000000590000-0x00000000005C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1112-1087-0x0000000004E70000-0x0000000004E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1112-1086-0x0000000004E70000-0x0000000004E80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-193-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-205-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-158-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-160-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-162-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-166-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-164-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-168-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-170-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-172-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-174-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-176-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-178-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-181-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-180-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-177-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-183-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-185-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-187-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-189-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-191-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-155-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-195-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-197-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-199-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-201-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-203-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-156-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-207-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-209-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-211-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-213-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-215-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-217-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-219-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-221-0x0000000004A80000-0x0000000004ABE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4224-1064-0x0000000005230000-0x0000000005848000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4224-1065-0x00000000058C0000-0x00000000059CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4224-1066-0x0000000005A00000-0x0000000005A12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4224-1067-0x0000000005A20000-0x0000000005A5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4224-1068-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-1069-0x0000000005D10000-0x0000000005DA2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4224-1070-0x0000000005DB0000-0x0000000005E16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4224-1072-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-1073-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-1074-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-1075-0x00000000065B0000-0x0000000006626000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4224-1076-0x0000000006640000-0x0000000006690000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4224-154-0x0000000004B80000-0x0000000005124000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4224-153-0x0000000001E80000-0x0000000001ECB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4224-1077-0x00000000066C0000-0x0000000006882000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4224-1078-0x0000000006890000-0x0000000006DBC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4224-1079-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4736-147-0x00000000004B0000-0x00000000004BA000-memory.dmp

      Filesize

      40KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.