Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2023, 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3060a915a0de999f02be41d938ad086ccc0c9785173f4e7b7496440a8f0a9cac.exe

  • Size

    776KB

  • MD5

    5339c155ce93c8d4fe7e5d360270bf60

  • SHA1

    4bb54ba80e655c01fa7db55ee3dbac8f3ee4bd92

  • SHA256

    3060a915a0de999f02be41d938ad086ccc0c9785173f4e7b7496440a8f0a9cac

  • SHA512

    aca064dd0804c4fce3d8583fe70a949839d014eecfd17e1bed18ab7c006c129135e51fb8706237d720cea2ac878042fe27eda23b8f6c801751d60528ba13c31b

  • SSDEEP

    24576:cyWm1EXjVtBcnO7XmabwiTs5IlOg+RAoN:LWrX7sS3EiSqCA

Score
10/10
redlinegenarukadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

ruka

C2

193.233.20.28:4125

Attributes
  • auth_value

    5d1d0e51ebe1e3f16cca573ff651c43c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3060a915a0de999f02be41d938ad086ccc0c9785173f4e7b7496440a8f0a9cac.exe
    "C:\Users\Admin\AppData\Local\Temp\3060a915a0de999f02be41d938ad086ccc0c9785173f4e7b7496440a8f0a9cac.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2092.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7565.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7565.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3523OP.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3523OP.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1224
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h19Db97.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h19Db97.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4908
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1080
            5⤵
            • Program crash
            PID:776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imfin41.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imfin41.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1824
          4⤵
          • Program crash
          PID:4680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80HT60.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80HT60.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4908 -ip 4908
    1⤵
      PID:5084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3856 -ip 3856
      1⤵
        PID:4720

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80HT60.exe
        Filesize

        175KB

        MD5

        6c4c2a56d5dd785adbe4fe60fa3cc1f2

        SHA1

        f8bd4379310258f8e54c47b56f5eec7394adb9a2

        SHA256

        b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

        SHA512

        f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80HT60.exe
        Filesize

        175KB

        MD5

        6c4c2a56d5dd785adbe4fe60fa3cc1f2

        SHA1

        f8bd4379310258f8e54c47b56f5eec7394adb9a2

        SHA256

        b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

        SHA512

        f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2092.exe
        Filesize

        634KB

        MD5

        bcbd35e5289b3790b7dba2e4acf543e5

        SHA1

        56444bb63721d14c937fda4ccab0e5d50b3c5368

        SHA256

        3ee03365bcc68fec412f67bdc69ab0a34aea9ff84b22a3d150f6744734ee59b8

        SHA512

        2314ed834fad795b129de6f27b45bd28a204138a0ff99ea625fb3c1d8cf7ab48be3cba35074b0e81f97579288ad35cb2b2c668f113433196425269ac6c30343e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2092.exe
        Filesize

        634KB

        MD5

        bcbd35e5289b3790b7dba2e4acf543e5

        SHA1

        56444bb63721d14c937fda4ccab0e5d50b3c5368

        SHA256

        3ee03365bcc68fec412f67bdc69ab0a34aea9ff84b22a3d150f6744734ee59b8

        SHA512

        2314ed834fad795b129de6f27b45bd28a204138a0ff99ea625fb3c1d8cf7ab48be3cba35074b0e81f97579288ad35cb2b2c668f113433196425269ac6c30343e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imfin41.exe
        Filesize

        288KB

        MD5

        1ec4bff0d6d26ab15311405e669ce517

        SHA1

        2573381f261b317ff45b9e83028546d5d27316de

        SHA256

        f26730ff54dbb24307812804c93d90a02ea60873d63f4df7f839a48cde4bb0fb

        SHA512

        7ed8576d42ee8e8d9f77ff7f0aa78f3522a78a7b9550af5decec779943e12dfcc4957ee51691c7926649d8a64593b1652a67a9f49628da186748b5912bd80d7b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imfin41.exe
        Filesize

        288KB

        MD5

        1ec4bff0d6d26ab15311405e669ce517

        SHA1

        2573381f261b317ff45b9e83028546d5d27316de

        SHA256

        f26730ff54dbb24307812804c93d90a02ea60873d63f4df7f839a48cde4bb0fb

        SHA512

        7ed8576d42ee8e8d9f77ff7f0aa78f3522a78a7b9550af5decec779943e12dfcc4957ee51691c7926649d8a64593b1652a67a9f49628da186748b5912bd80d7b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7565.exe
        Filesize

        314KB

        MD5

        5bd1dcc55729344e4d752ebb0d606cd0

        SHA1

        7cf1320246bdb5d98e0e0ef68a13fc39bd835e07

        SHA256

        5ddc3308956ed80bf62006295e7c276ea6a31b20eb2ff95da654b1d0f71ddc61

        SHA512

        2dbb06687285356672281a6c8ccb825ae74352a6069048368a357a0836732efd0af5d90f7fb3b4c31a22cbbc7dfd593d5a78dab570d307db6fa1182923ef0e6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7565.exe
        Filesize

        314KB

        MD5

        5bd1dcc55729344e4d752ebb0d606cd0

        SHA1

        7cf1320246bdb5d98e0e0ef68a13fc39bd835e07

        SHA256

        5ddc3308956ed80bf62006295e7c276ea6a31b20eb2ff95da654b1d0f71ddc61

        SHA512

        2dbb06687285356672281a6c8ccb825ae74352a6069048368a357a0836732efd0af5d90f7fb3b4c31a22cbbc7dfd593d5a78dab570d307db6fa1182923ef0e6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3523OP.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3523OP.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h19Db97.exe
        Filesize

        230KB

        MD5

        570f37fde7295683541bf11674e6d8f1

        SHA1

        190276527c427cd7180c1df378a9947b70983196

        SHA256

        84b8d5269670ee281c53f4710774e7b3cf55639414df97ef370ab01f8edab0ba

        SHA512

        ba26c90e7a73e853ddac3a284491b04f80691eab13dca227ed378c817c7cd20c31f019d26567a2ec5779f89f85522e7abbd45689cebb8bb5985b216711b1eafa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h19Db97.exe
        Filesize

        230KB

        MD5

        570f37fde7295683541bf11674e6d8f1

        SHA1

        190276527c427cd7180c1df378a9947b70983196

        SHA256

        84b8d5269670ee281c53f4710774e7b3cf55639414df97ef370ab01f8edab0ba

        SHA512

        ba26c90e7a73e853ddac3a284491b04f80691eab13dca227ed378c817c7cd20c31f019d26567a2ec5779f89f85522e7abbd45689cebb8bb5985b216711b1eafa

        Download Submit

      • memory/1224-154-0x00000000002F0000-0x00000000002FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3384-1133-0x00000000007F0000-0x0000000000822000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3384-1134-0x0000000005140000-0x0000000005150000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-240-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-1116-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-1127-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-1126-0x0000000006640000-0x0000000006B6C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3856-1125-0x0000000006470000-0x0000000006632000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3856-1124-0x0000000006400000-0x0000000006450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3856-1123-0x0000000006380000-0x00000000063F6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3856-1122-0x0000000005C60000-0x0000000005CC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3856-1121-0x0000000005BC0000-0x0000000005C52000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3856-1120-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-1119-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-1117-0x00000000058D0000-0x000000000590C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3856-1115-0x00000000058B0000-0x00000000058C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3856-1114-0x0000000004B90000-0x0000000004C9A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3856-1113-0x0000000005280000-0x0000000005898000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3856-238-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-236-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-234-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-232-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-227-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-230-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-203-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-204-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-206-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-208-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-210-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-212-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-214-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-216-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-218-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-220-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-222-0x00000000005A0000-0x00000000005EB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3856-224-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-226-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3856-223-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3856-228-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-186-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-163-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-198-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/4908-196-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-195-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-194-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-164-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-193-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/4908-192-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-190-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-168-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-188-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-166-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-182-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-165-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-180-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-176-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-178-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-174-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-172-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-170-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-184-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4908-162-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4908-161-0x0000000004BF0000-0x0000000005194000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4908-160-0x00000000006C0000-0x00000000006ED000-memory.dmp

        Filesize

        180KB

        Download