Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2023, 05:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    361740fc7659a56bce2628a9f14f25369cceec3f5440aa4862951898cdf64ea6.exe

  • Size

    866KB

  • MD5

    c83218e70dbb9541577160e0d2dc423a

  • SHA1

    240497c3f45113e1f0f0eb79930701602fdba79c

  • SHA256

    361740fc7659a56bce2628a9f14f25369cceec3f5440aa4862951898cdf64ea6

  • SHA512

    dc638948ec1cc2bbcb5d6c63b502531a2b9abf0a2ad2b10cce7423a3650eb02891697d85a3693622c8ef79ee325c7a7f9e055aeffe342638386547df20dada34

  • SSDEEP

    24576:syOmU/08GrDn3+P6XQG/3fTpFGZj+W/5hspKU:bOs8EDn3+yAG/r2Zj+CIpK

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\361740fc7659a56bce2628a9f14f25369cceec3f5440aa4862951898cdf64ea6.exe
    "C:\Users\Admin\AppData\Local\Temp\361740fc7659a56bce2628a9f14f25369cceec3f5440aa4862951898cdf64ea6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0212.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0212.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6626.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6626.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2010rV.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2010rV.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3780
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c94TC65.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c94TC65.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3292
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dusOn40.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dusOn40.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4156
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1664
          4⤵
          • Program crash
          PID:4152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e98cp12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e98cp12.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4156 -ip 4156
    1⤵
      PID:1188

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e98cp12.exe
      Filesize

      175KB

      MD5

      6fbff2d7c9ba7f0a71f02a5c70df9dfc

      SHA1

      003da0075734cd2d7f201c5b0e4779b8e1f33621

      SHA256

      cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

      SHA512

      25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e98cp12.exe
      Filesize

      175KB

      MD5

      6fbff2d7c9ba7f0a71f02a5c70df9dfc

      SHA1

      003da0075734cd2d7f201c5b0e4779b8e1f33621

      SHA256

      cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

      SHA512

      25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0212.exe
      Filesize

      721KB

      MD5

      d23e867d07b9e9b4525326818f680389

      SHA1

      beeafdeb957c0886d52e5f64f8d6e2d37b4b5617

      SHA256

      a14a9cdcc327ec378f2425878b06a90da93a08829d4ece98df704c7ee551f339

      SHA512

      c39f3b60cdcbac17ce19edd8f14fdc15fdac591a373a0f89fce859f99c36bb3525287246784c4be6415f04ee56701193a0a157fe75f62db8be5693daf9b03e29

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice0212.exe
      Filesize

      721KB

      MD5

      d23e867d07b9e9b4525326818f680389

      SHA1

      beeafdeb957c0886d52e5f64f8d6e2d37b4b5617

      SHA256

      a14a9cdcc327ec378f2425878b06a90da93a08829d4ece98df704c7ee551f339

      SHA512

      c39f3b60cdcbac17ce19edd8f14fdc15fdac591a373a0f89fce859f99c36bb3525287246784c4be6415f04ee56701193a0a157fe75f62db8be5693daf9b03e29

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dusOn40.exe
      Filesize

      391KB

      MD5

      a3e89cd853ba3d955973ab35cfe492f1

      SHA1

      f177ee3f9b087e92d7811d3a62b43bd5d6474762

      SHA256

      96dd9153f262f38bc6bfa33deac2cb88294ad39f7ef7c337f27df28bc9bad8da

      SHA512

      bdc4652154f9fdcf35b9a37d2563dcf2d1b82516e53600664efac4a917f2bbc719125d25e5087f9262381344d1e3b48b7552ad84e90e48acf24bbf69b3a630a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dusOn40.exe
      Filesize

      391KB

      MD5

      a3e89cd853ba3d955973ab35cfe492f1

      SHA1

      f177ee3f9b087e92d7811d3a62b43bd5d6474762

      SHA256

      96dd9153f262f38bc6bfa33deac2cb88294ad39f7ef7c337f27df28bc9bad8da

      SHA512

      bdc4652154f9fdcf35b9a37d2563dcf2d1b82516e53600664efac4a917f2bbc719125d25e5087f9262381344d1e3b48b7552ad84e90e48acf24bbf69b3a630a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6626.exe
      Filesize

      368KB

      MD5

      5cc652d304a340b23a5a87c274efdff5

      SHA1

      a4b4aacdcc113321309a84abd94c06e4a21eb3a0

      SHA256

      cd4d8ed5b7892de7980290edaf54f82e502bc236c7121405d3622087730a4e62

      SHA512

      8c2fb2ede42f9202e5e96eab014fa37ee547dcab7a5296e69bf0220f2fa2d35e6220707457793025be812ab20b9151494a6ebcdf2318a32fe5e276273bdeca9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6626.exe
      Filesize

      368KB

      MD5

      5cc652d304a340b23a5a87c274efdff5

      SHA1

      a4b4aacdcc113321309a84abd94c06e4a21eb3a0

      SHA256

      cd4d8ed5b7892de7980290edaf54f82e502bc236c7121405d3622087730a4e62

      SHA512

      8c2fb2ede42f9202e5e96eab014fa37ee547dcab7a5296e69bf0220f2fa2d35e6220707457793025be812ab20b9151494a6ebcdf2318a32fe5e276273bdeca9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2010rV.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2010rV.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c94TC65.exe
      Filesize

      371KB

      MD5

      603e073218d96a5f4c9842ec6335f1ce

      SHA1

      fe6979acc8621d5d7be3d0eb2ce91edb9c7fb6e5

      SHA256

      c6d8f4c9e1792f08cbb338450c72af2be8a46bc0c2d3765f508f5aa932af9c4d

      SHA512

      4321a004a891f0c08d4a26f0d6640452a281372619e8c0f84a40c571b76306ac3d19a84e4ddd40f44342eb3d6df90c4b820c8b07413577c0f0f819a1dd9f0faa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c94TC65.exe
      Filesize

      371KB

      MD5

      603e073218d96a5f4c9842ec6335f1ce

      SHA1

      fe6979acc8621d5d7be3d0eb2ce91edb9c7fb6e5

      SHA256

      c6d8f4c9e1792f08cbb338450c72af2be8a46bc0c2d3765f508f5aa932af9c4d

      SHA512

      4321a004a891f0c08d4a26f0d6640452a281372619e8c0f84a40c571b76306ac3d19a84e4ddd40f44342eb3d6df90c4b820c8b07413577c0f0f819a1dd9f0faa

      Download Submit

    • memory/404-1135-0x0000000005810000-0x0000000005820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/404-1134-0x0000000000F60000-0x0000000000F92000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3292-173-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-187-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-165-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-167-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-169-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-171-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-162-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-175-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-177-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-179-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-183-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-181-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-185-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-163-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-189-0x00000000049F0000-0x0000000004A02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3292-190-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3292-191-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3292-192-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3292-193-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3292-195-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3292-197-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3292-198-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3292-196-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3292-160-0x0000000002D70000-0x0000000002D9D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3292-161-0x0000000007340000-0x00000000078E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3780-154-0x00000000003A0000-0x00000000003AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4156-203-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4156-207-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-210-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-208-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-206-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-212-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-214-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-216-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-218-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-220-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-222-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-224-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-226-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-228-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-230-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-232-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-234-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-236-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-238-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-240-0x0000000004C80000-0x0000000004CBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4156-1113-0x0000000007840000-0x0000000007E58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4156-1114-0x0000000007E60000-0x0000000007F6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4156-1115-0x0000000007210000-0x0000000007222000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4156-1116-0x0000000007230000-0x000000000726C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4156-1117-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-1119-0x0000000008210000-0x00000000082A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4156-1120-0x00000000082B0000-0x0000000008316000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4156-1121-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-1122-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-1123-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-1124-0x0000000008BF0000-0x0000000008C66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4156-1125-0x0000000008C80000-0x0000000008CD0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4156-1126-0x0000000008D00000-0x0000000008EC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4156-205-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-204-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4156-1127-0x0000000008F10000-0x000000000943C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4156-1128-0x0000000007280000-0x0000000007290000-memory.dmp

      Filesize

      64KB

      Download