Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/03/2023, 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3563dd9dcaab82663d0fe12eabdc8a5d8be00f85cb460ca6392eb99aa6affc18.exe

  • Size

    550KB

  • MD5

    a85330aac14de3fa2beb5d4bbc822333

  • SHA1

    851821c71c2ab4c541f3272ece5fad50a6dd07f4

  • SHA256

    3563dd9dcaab82663d0fe12eabdc8a5d8be00f85cb460ca6392eb99aa6affc18

  • SHA512

    2fbe8b89f89bbc3e84e8adf2046ce2f195d3d10eb62e4570acce5cb64c9fac4396d0fb2ce105b0415e43b1e074f6401b3ed72a8468254252793bc7ce7abcf662

  • SSDEEP

    12288:gMrGy90eOq+owy2hc40JqzQ50canEcwBVJBui:WyRfwyX4aDmEcwBVB

Score
10/10
redlinedezikmangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

dezik

C2

193.56.146.220:4174

Attributes
  • auth_value

    d39f21dca8edc10800b036ab83f4d75e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3563dd9dcaab82663d0fe12eabdc8a5d8be00f85cb460ca6392eb99aa6affc18.exe
    "C:\Users\Admin\AppData\Local\Temp\3563dd9dcaab82663d0fe12eabdc8a5d8be00f85cb460ca6392eb99aa6affc18.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1491.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1491.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5488Vn.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5488Vn.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c45XY73.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c45XY73.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\djfAo24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\djfAo24.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3820

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\djfAo24.exe
    Filesize

    175KB

    MD5

    92f2a148b8f701e50e2f838f73d4d7b7

    SHA1

    324d8546e35d4f4285cac15b21620299ba5cb023

    SHA256

    9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

    SHA512

    3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\djfAo24.exe
    Filesize

    175KB

    MD5

    92f2a148b8f701e50e2f838f73d4d7b7

    SHA1

    324d8546e35d4f4285cac15b21620299ba5cb023

    SHA256

    9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

    SHA512

    3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1491.exe
    Filesize

    405KB

    MD5

    dbdfa53b1822bfc9dbb393627f7ff680

    SHA1

    fe994026fc8cbd819b0ce21a2cf6f3a8853726e8

    SHA256

    989637e42808651aca00aa71c2e1b390f4861c20968e299a2d519efe4b99399c

    SHA512

    68279436122287734410ad997cb3e3b9eb2998c720763d9877248c8b4375a9fab07a92551ea41406352b028ff67b91aa328c8218621fcef169a95c404cc016c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1491.exe
    Filesize

    405KB

    MD5

    dbdfa53b1822bfc9dbb393627f7ff680

    SHA1

    fe994026fc8cbd819b0ce21a2cf6f3a8853726e8

    SHA256

    989637e42808651aca00aa71c2e1b390f4861c20968e299a2d519efe4b99399c

    SHA512

    68279436122287734410ad997cb3e3b9eb2998c720763d9877248c8b4375a9fab07a92551ea41406352b028ff67b91aa328c8218621fcef169a95c404cc016c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5488Vn.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5488Vn.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c45XY73.exe
    Filesize

    373KB

    MD5

    daaf03783a48918495bfa8bf8a54e9a1

    SHA1

    8134d5b7f9293f034c637dad31c3cce0e9ba97f5

    SHA256

    ac0d29166950289292b6cd17423c60ae3be7b27000ed4754931a4ca4897c2f77

    SHA512

    5c70b79fb9a33342cae3e0776cc43916f26a5076e90cf40eed9519b438b9de03510a55b26bffc5fa98ce3c3c46eb7397220a7bd94cf6d193f8bd05c33c2800a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c45XY73.exe
    Filesize

    373KB

    MD5

    daaf03783a48918495bfa8bf8a54e9a1

    SHA1

    8134d5b7f9293f034c637dad31c3cce0e9ba97f5

    SHA256

    ac0d29166950289292b6cd17423c60ae3be7b27000ed4754931a4ca4897c2f77

    SHA512

    5c70b79fb9a33342cae3e0776cc43916f26a5076e90cf40eed9519b438b9de03510a55b26bffc5fa98ce3c3c46eb7397220a7bd94cf6d193f8bd05c33c2800a2

    Download Submit

  • memory/1468-135-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2384-141-0x00000000004E0000-0x000000000052B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2384-142-0x0000000004A60000-0x0000000004AA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2384-143-0x0000000004AC0000-0x0000000004FBE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2384-144-0x0000000005000000-0x0000000005044000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2384-145-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-146-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-147-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-148-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-149-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-151-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-153-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-155-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-157-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-159-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-163-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-161-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-165-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-169-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-167-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-171-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-173-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-175-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-179-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-177-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-183-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-181-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-187-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-189-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-193-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-191-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-197-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-199-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-203-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-211-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-209-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-207-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-205-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-201-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-195-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-185-0x0000000005000000-0x000000000503E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-1054-0x0000000005040000-0x0000000005646000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2384-1055-0x0000000005690000-0x000000000579A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2384-1056-0x00000000057C0000-0x00000000057D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2384-1058-0x00000000057E0000-0x000000000581E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2384-1057-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-1059-0x0000000005930000-0x000000000597B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2384-1061-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-1062-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-1063-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-1064-0x0000000005AC0000-0x0000000005B52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2384-1065-0x0000000005B60000-0x0000000005BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2384-1066-0x0000000006260000-0x0000000006422000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2384-1067-0x0000000006430000-0x000000000695C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2384-1068-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2384-1069-0x0000000006CE0000-0x0000000006D56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2384-1070-0x0000000006D60000-0x0000000006DB0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3820-1076-0x0000000000530000-0x0000000000562000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3820-1077-0x0000000004F70000-0x0000000004FBB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3820-1078-0x0000000005070000-0x0000000005080000-memory.dmp

    Filesize

    64KB

    Download