Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2023, 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b40664a5c8ae772513a95df5bab618fba6b5f46e358a5125a7a3d6f100c6c33.exe

  • Size

    811KB

  • MD5

    7d828de85b3454cbc9e7b29cf3a2740b

  • SHA1

    cdfd30be8b7f97926acf004a9df645650c4c9d82

  • SHA256

    0b40664a5c8ae772513a95df5bab618fba6b5f46e358a5125a7a3d6f100c6c33

  • SHA512

    ef6ed6ad80060a7371625641c6392556c2a0be1a445b5ea313dd70e7fc8d609dd063d6000c1f1ed3e8770b02df8238eb6e4e800b84583992f61bc320555b421f

  • SSDEEP

    12288:7Mrzy90SFskTOaJhwhphUGzmsMyJLD44S9llOVdEBmWUpV6NfcY4VJ33JY:Myai7woIo4ScVdamWUmNkVTY

Score
10/10
redlinedezikmangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

dezik

C2

193.56.146.220:4174

Attributes
  • auth_value

    d39f21dca8edc10800b036ab83f4d75e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b40664a5c8ae772513a95df5bab618fba6b5f46e358a5125a7a3d6f100c6c33.exe
    "C:\Users\Admin\AppData\Local\Temp\0b40664a5c8ae772513a95df5bab618fba6b5f46e358a5125a7a3d6f100c6c33.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice6932.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice6932.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice0053.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice0053.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3856
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0957rh.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0957rh.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c09Qv36.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c09Qv36.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3068
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1064
            5⤵
            • Program crash
            PID:4748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dcrsr86.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dcrsr86.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1324
          4⤵
          • Program crash
          PID:2632
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e09sy34.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e09sy34.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3068 -ip 3068
    1⤵
      PID:432
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2668 -ip 2668
      1⤵
        PID:4812

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e09sy34.exe
        Filesize

        175KB

        MD5

        92f2a148b8f701e50e2f838f73d4d7b7

        SHA1

        324d8546e35d4f4285cac15b21620299ba5cb023

        SHA256

        9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

        SHA512

        3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e09sy34.exe
        Filesize

        175KB

        MD5

        92f2a148b8f701e50e2f838f73d4d7b7

        SHA1

        324d8546e35d4f4285cac15b21620299ba5cb023

        SHA256

        9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

        SHA512

        3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice6932.exe
        Filesize

        666KB

        MD5

        880fd83abb5e49e22bb6b088268c5b26

        SHA1

        232235b66ceae4518fa75b59926a9bbfdf721364

        SHA256

        bb9c2173faa06536eda6930f20422471fb16bf38d89dbc9b1b8a0459d09f99e7

        SHA512

        0d85b6cf93db6368a2a07e56b5e41643fec7fa49d2d1e6ee6619fa3a67dbf4a68537da3a9b8c51e00706e60f0c01840c803db77d28d097f4c0a162a1b9da65b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice6932.exe
        Filesize

        666KB

        MD5

        880fd83abb5e49e22bb6b088268c5b26

        SHA1

        232235b66ceae4518fa75b59926a9bbfdf721364

        SHA256

        bb9c2173faa06536eda6930f20422471fb16bf38d89dbc9b1b8a0459d09f99e7

        SHA512

        0d85b6cf93db6368a2a07e56b5e41643fec7fa49d2d1e6ee6619fa3a67dbf4a68537da3a9b8c51e00706e60f0c01840c803db77d28d097f4c0a162a1b9da65b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dcrsr86.exe
        Filesize

        307KB

        MD5

        15ee8175ccc1b29ffe3b1896e0dbf881

        SHA1

        3f5b431493de7674b8351fa05bb275ae9480e073

        SHA256

        7e54f3e339592474aaef58750cdec582e41dceb8c243b378f53f6649d34ac795

        SHA512

        664be0268d30959af40cb33cf02d6bbe00962b1ca7a29234d2b2cd96ee53e61d7d65d5fe0efeee6237bddfaada7dcfd47c55668368b5a437d8d88206216e6685

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dcrsr86.exe
        Filesize

        307KB

        MD5

        15ee8175ccc1b29ffe3b1896e0dbf881

        SHA1

        3f5b431493de7674b8351fa05bb275ae9480e073

        SHA256

        7e54f3e339592474aaef58750cdec582e41dceb8c243b378f53f6649d34ac795

        SHA512

        664be0268d30959af40cb33cf02d6bbe00962b1ca7a29234d2b2cd96ee53e61d7d65d5fe0efeee6237bddfaada7dcfd47c55668368b5a437d8d88206216e6685

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice0053.exe
        Filesize

        333KB

        MD5

        b3e4d77a213420de3b2098cab67e3b05

        SHA1

        de4ab63c56664db89e7cca052e37760b4c6e5445

        SHA256

        8c59f4d3eac91e8a41eca6f9187c73b8147cb3da6a20fb613084a235d0cf54e3

        SHA512

        cf0de23efdd604fe5eb3e97afc9650c8d566ef6e22abe41180f101fba5090f4164a2c5b25b175a703e0ad19537bcb3f9cac8da8fc83fa0467583b588fbe8c51b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice0053.exe
        Filesize

        333KB

        MD5

        b3e4d77a213420de3b2098cab67e3b05

        SHA1

        de4ab63c56664db89e7cca052e37760b4c6e5445

        SHA256

        8c59f4d3eac91e8a41eca6f9187c73b8147cb3da6a20fb613084a235d0cf54e3

        SHA512

        cf0de23efdd604fe5eb3e97afc9650c8d566ef6e22abe41180f101fba5090f4164a2c5b25b175a703e0ad19537bcb3f9cac8da8fc83fa0467583b588fbe8c51b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0957rh.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0957rh.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c09Qv36.exe
        Filesize

        250KB

        MD5

        7c231442db768c4779a18beac2db1bfa

        SHA1

        9a1923fb3f81f40c01efc549fc24e868b7aef46c

        SHA256

        6294ecc54de074bf41bba18ce7ccc737fa4f9f88d44eab1dab0be3019695ace6

        SHA512

        40b1da69bd3655f2d1684417cdca05b7ec1824b015ad873643af00ced6dd01dd60babf9fabd51c808c8d6b5c125035da17ef55aefb7a3d1ded1ca9909eeefca2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c09Qv36.exe
        Filesize

        250KB

        MD5

        7c231442db768c4779a18beac2db1bfa

        SHA1

        9a1923fb3f81f40c01efc549fc24e868b7aef46c

        SHA256

        6294ecc54de074bf41bba18ce7ccc737fa4f9f88d44eab1dab0be3019695ace6

        SHA512

        40b1da69bd3655f2d1684417cdca05b7ec1824b015ad873643af00ced6dd01dd60babf9fabd51c808c8d6b5c125035da17ef55aefb7a3d1ded1ca9909eeefca2

        Download Submit

      • memory/2668-348-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-1113-0x00000000059F0000-0x0000000005A02000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2668-1126-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-1125-0x00000000069C0000-0x0000000006EEC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2668-1124-0x00000000067F0000-0x00000000069B2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2668-1123-0x00000000067A0000-0x00000000067F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2668-1122-0x0000000006720000-0x0000000006796000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2668-1121-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-1120-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-1119-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-1118-0x0000000005DA0000-0x0000000005E06000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2668-1117-0x0000000005D00000-0x0000000005D92000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2668-1115-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-1114-0x0000000005A10000-0x0000000005A4C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2668-1112-0x00000000058B0000-0x00000000059BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2668-1111-0x0000000005210000-0x0000000005828000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2668-344-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-347-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2668-343-0x00000000005A0000-0x00000000005EB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2668-234-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-232-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-230-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-201-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-202-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-204-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-206-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-208-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-210-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-212-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-214-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-216-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-218-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-220-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-222-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-224-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-226-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2668-228-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2804-154-0x0000000000D90000-0x0000000000D9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3068-183-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-160-0x0000000004B00000-0x00000000050A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3068-194-0x0000000004AF0000-0x0000000004B00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3068-193-0x0000000004AF0000-0x0000000004B00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3068-161-0x0000000000590000-0x00000000005BD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3068-192-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/3068-191-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-189-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-164-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-187-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-185-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-162-0x0000000004AF0000-0x0000000004B00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3068-196-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/3068-177-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-181-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-175-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-173-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-171-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-169-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-167-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-165-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-179-0x0000000002590000-0x00000000025A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3068-163-0x0000000004AF0000-0x0000000004B00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4120-1132-0x0000000000AF0000-0x0000000000B22000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4120-1133-0x00000000053D0000-0x00000000053E0000-memory.dmp

        Filesize

        64KB

        Download