Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2023, 09:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe

  • Size

    835KB

  • MD5

    0295b2e207a0a0c604a8367f9e8dbad4

  • SHA1

    e3dc94860e7f15e1847836705e3c44ec38573fd0

  • SHA256

    64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947

  • SHA512

    50c336435f2da23c5887150019546ef53204d4995b7e76e6cc738b8c3d79f2edd4a8e6526c011efd0120e5a5a32d39a58ce99983f066aee68e317ec65a1cc345

  • SSDEEP

    12288:pMrry90jDudG71dAlve24r6sMIPTmYww2AJyscYTqD7WGjM0a7pJsAnnN/K:+yaHAlWbrvMomYvJysDTs7WGg7Xn1K

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe
    "C:\Users\Admin\AppData\Local\Temp\64419fb6e19dcf871fe9cc0ab64f9397007641af50f1bf6fcc362ecacfb4d947.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2832.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio2114.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio2114.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8969.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8969.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4688
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5747.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5747.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:968
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1080
            5⤵
            • Program crash
            PID:4464
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rMh83s20.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rMh83s20.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1344
          4⤵
          • Program crash
          PID:4948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si299873.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si299873.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 968 -ip 968
    1⤵
      PID:540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4116 -ip 4116
      1⤵
        PID:4600

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si299873.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si299873.exe
        Filesize

        175KB

        MD5

        6fbff2d7c9ba7f0a71f02a5c70df9dfc

        SHA1

        003da0075734cd2d7f201c5b0e4779b8e1f33621

        SHA256

        cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

        SHA512

        25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2832.exe
        Filesize

        693KB

        MD5

        fbad86a7595d8260a8c0ae189ddbe3ce

        SHA1

        b96d6e31e8f1e599decf87885e6a16ea03aaae04

        SHA256

        7a16065ba86c3b59126e034660b97698f5cc1e5a83c2ee9eb465f44165dfa12f

        SHA512

        b1bbf07fa6acf239e5b8ace6ad36f9dd954c6b28ae4c1769726fb256518b43487f121313649710b86c2cb10a1f4df9e042f7ccfe61735058b3c93e43f7bdd29a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2832.exe
        Filesize

        693KB

        MD5

        fbad86a7595d8260a8c0ae189ddbe3ce

        SHA1

        b96d6e31e8f1e599decf87885e6a16ea03aaae04

        SHA256

        7a16065ba86c3b59126e034660b97698f5cc1e5a83c2ee9eb465f44165dfa12f

        SHA512

        b1bbf07fa6acf239e5b8ace6ad36f9dd954c6b28ae4c1769726fb256518b43487f121313649710b86c2cb10a1f4df9e042f7ccfe61735058b3c93e43f7bdd29a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rMh83s20.exe
        Filesize

        362KB

        MD5

        6c03c4f4cab5a2c43a80fc39250ea402

        SHA1

        4352dccdcb0867ebe26b0e13ba4937c392ecd878

        SHA256

        2f69eedd164859533b4b3bca48da459abbe0d07f20d8a056d291ac0be67de2fa

        SHA512

        e94d52d5c4932ba660afe9c1e9ba6e97154a29c63ec4e665ffc0a663fffeda2bc61397d75b87829c31744e7e467e69551e1d6216d4365d1d069d1f5b8c00ce28

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rMh83s20.exe
        Filesize

        362KB

        MD5

        6c03c4f4cab5a2c43a80fc39250ea402

        SHA1

        4352dccdcb0867ebe26b0e13ba4937c392ecd878

        SHA256

        2f69eedd164859533b4b3bca48da459abbe0d07f20d8a056d291ac0be67de2fa

        SHA512

        e94d52d5c4932ba660afe9c1e9ba6e97154a29c63ec4e665ffc0a663fffeda2bc61397d75b87829c31744e7e467e69551e1d6216d4365d1d069d1f5b8c00ce28

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio2114.exe
        Filesize

        343KB

        MD5

        32473e68e1a9761867aa652721efd149

        SHA1

        6f2288624d7d0dab31c29bb0e25e9700876b6678

        SHA256

        a2f1c109375457de2f7a6f00e9426eae36d1ba1ec0cf52343932e069b5cd5e9c

        SHA512

        fa7afd2701f496fca44942e304cd324523efd5f0723781fff9489cfbb62165823fb452009efce8ff0876e5e5a35d4fa0bf6234c9cc29e90d0938c8b05aa06ce0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio2114.exe
        Filesize

        343KB

        MD5

        32473e68e1a9761867aa652721efd149

        SHA1

        6f2288624d7d0dab31c29bb0e25e9700876b6678

        SHA256

        a2f1c109375457de2f7a6f00e9426eae36d1ba1ec0cf52343932e069b5cd5e9c

        SHA512

        fa7afd2701f496fca44942e304cd324523efd5f0723781fff9489cfbb62165823fb452009efce8ff0876e5e5a35d4fa0bf6234c9cc29e90d0938c8b05aa06ce0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8969.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8969.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5747.exe
        Filesize

        303KB

        MD5

        63f98196817dc2c0732ded0f7e33e8ee

        SHA1

        121c5e745bc33197c29a205d27b9434790cafcc2

        SHA256

        304d2b9aa75d247aae300392efbd90b22ba07fb098d347a76623d9d860994487

        SHA512

        03fe033aae21f793ac9f93197c7305368062dcf15395acfbdd0a7a82b42257a34cb4b2323825ead324328e57771e474ade429c44817a1b4e627d9133021b004d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5747.exe
        Filesize

        303KB

        MD5

        63f98196817dc2c0732ded0f7e33e8ee

        SHA1

        121c5e745bc33197c29a205d27b9434790cafcc2

        SHA256

        304d2b9aa75d247aae300392efbd90b22ba07fb098d347a76623d9d860994487

        SHA512

        03fe033aae21f793ac9f93197c7305368062dcf15395acfbdd0a7a82b42257a34cb4b2323825ead324328e57771e474ade429c44817a1b4e627d9133021b004d

        Download Submit

      • memory/968-167-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-183-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-162-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-165-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-163-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-169-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-160-0x0000000000840000-0x000000000086D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/968-171-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-175-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-179-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-177-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-173-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-181-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-161-0x0000000004E60000-0x0000000005404000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/968-185-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-187-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-189-0x0000000002850000-0x0000000002862000-memory.dmp

        Filesize

        72KB

        Download

      • memory/968-190-0x00000000028E0000-0x00000000028F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-191-0x00000000028E0000-0x00000000028F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-192-0x00000000028E0000-0x00000000028F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-193-0x0000000000400000-0x0000000000833000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/968-195-0x00000000028E0000-0x00000000028F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-196-0x00000000028E0000-0x00000000028F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-197-0x00000000028E0000-0x00000000028F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-198-0x0000000000400000-0x0000000000833000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/3056-1134-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3056-1133-0x0000000000390000-0x00000000003C2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4116-203-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-208-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-210-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-212-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-214-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-216-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-218-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-220-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-222-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-224-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-226-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-228-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-230-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-232-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-234-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-236-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-372-0x0000000000920000-0x000000000096B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4116-374-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-378-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-376-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-1113-0x0000000005490000-0x0000000005AA8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4116-1114-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4116-1115-0x0000000005C30000-0x0000000005C42000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4116-1116-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-1117-0x0000000005C50000-0x0000000005C8C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4116-1118-0x0000000005F40000-0x0000000005FA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4116-1119-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4116-1121-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-1122-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-1123-0x0000000006940000-0x0000000006B02000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4116-1124-0x0000000006B30000-0x000000000705C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4116-1125-0x0000000007180000-0x00000000071F6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4116-206-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-204-0x00000000026D0000-0x000000000270E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4116-1126-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4116-1127-0x0000000007220000-0x0000000007270000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4688-154-0x0000000000730000-0x000000000073A000-memory.dmp

        Filesize

        40KB

        Download