Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2023, 15:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1960fa9ddf31b5a542af111dcc14be67b1dd4981b859b44ae2cebb9230bb070.exe

  • Size

    679KB

  • MD5

    8fb46db3d79d3258fd79f1b1aceda763

  • SHA1

    f63023489530e3b45b18afb1d5e7277312d8e7d6

  • SHA256

    c1960fa9ddf31b5a542af111dcc14be67b1dd4981b859b44ae2cebb9230bb070

  • SHA512

    650586dcdfa3582454ff6dd727d230e59796bce6482f0f6152b956de55c21cc05ed06dcdc3c3bd683d0e1934de3d87596add635808b83df997dd1154f8e26849

  • SSDEEP

    12288:tH1pUm5YOZdyT8xt49RuwydFaySKZ0koWb0QNRnZfB/4fW6z99:xMCdyee9RuwSayShHWbpdBQfWQ99

Score
10/10
redlinedownrealdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

real

C2

193.233.20.31:4125

Attributes
  • auth_value

    bb22a50228754849387d5f4d1611e71b

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 32 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1960fa9ddf31b5a542af111dcc14be67b1dd4981b859b44ae2cebb9230bb070.exe
    "C:\Users\Admin\AppData\Local\Temp\c1960fa9ddf31b5a542af111dcc14be67b1dd4981b859b44ae2cebb9230bb070.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyu1605.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyu1605.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr664407.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr664407.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku396740.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku396740.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1340
          4⤵
          • Program crash
          PID:1788
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr127957.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr127957.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 476
      2⤵
      • Program crash
      PID:4800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876
    1⤵
      PID:600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2852 -ip 2852
      1⤵
        PID:1356

      Network

      • flag-us
        DNS
        254.111.26.67.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        254.111.26.67.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        185.130.69.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        185.130.69.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        31.20.233.193.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        31.20.233.193.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        1.77.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.77.109.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        144.168.210.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        144.168.210.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        216.74.101.95.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        216.74.101.95.in-addr.arpa
        IN PTR
        Response
        216.74.101.95.in-addr.arpa
        IN PTR
        a95-101-74-216deploystaticakamaitechnologiescom
      • flag-us
        DNS
        154.210.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        154.210.82.20.in-addr.arpa
        IN PTR
        Response
      • 95.101.78.82:80
        322 B
         7
      • 193.233.20.31:4125
        ku396740.exe
        3.6MB
         47.8kB
         2610
        1042
      • 193.233.20.31:4125
        lr127957.exe
        3.6MB
         54.3kB
         2606
        1203
      • 178.79.208.1:80
        322 B
         7
      • 178.79.208.1:80
        322 B
         7
      • 173.223.113.164:443
        322 B
         7
      • 173.223.113.131:80
        322 B
         7
      • 204.79.197.203:80
        322 B
         7
      • 8.8.8.8:53
        254.111.26.67.in-addr.arpa
        dns
        72 B
         126 B
         1
        1

        DNS Request

        254.111.26.67.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        185.130.69.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        185.130.69.20.in-addr.arpa

      • 8.8.8.8:53
        31.20.233.193.in-addr.arpa
        dns
        72 B
         127 B
         1
        1

        DNS Request

        31.20.233.193.in-addr.arpa

      • 8.8.8.8:53
        1.77.109.52.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        1.77.109.52.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      • 8.8.8.8:53
        144.168.210.20.in-addr.arpa
        dns
        73 B
         159 B
         1
        1

        DNS Request

        144.168.210.20.in-addr.arpa

      • 8.8.8.8:53
        216.74.101.95.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        216.74.101.95.in-addr.arpa

      • 8.8.8.8:53
        154.210.82.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        154.210.82.20.in-addr.arpa

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr127957.exe
        Filesize

        175KB

        MD5

        41707338e1e2d868aa699ac0dd2e77b0

        SHA1

        36e0dfba09f9fb409faf0f9a99217d0d0c524b82

        SHA256

        8d2a5ba6ae16aa5ee13382edb585c480b6bf2db098427ffe5f8d55323ded7557

        SHA512

        80c66cbf19f6b2cc2e979b1fd1769cf45957761fa3f94b33fc194f88379b57ec9327a86ce374c6dc25334b44e4e8aa518a5d0d03ddb4f4eddfdfe8ddfc9fb6f2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr127957.exe
        Filesize

        175KB

        MD5

        41707338e1e2d868aa699ac0dd2e77b0

        SHA1

        36e0dfba09f9fb409faf0f9a99217d0d0c524b82

        SHA256

        8d2a5ba6ae16aa5ee13382edb585c480b6bf2db098427ffe5f8d55323ded7557

        SHA512

        80c66cbf19f6b2cc2e979b1fd1769cf45957761fa3f94b33fc194f88379b57ec9327a86ce374c6dc25334b44e4e8aa518a5d0d03ddb4f4eddfdfe8ddfc9fb6f2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyu1605.exe
        Filesize

        402KB

        MD5

        518b04ba64616f0c983c465195bb272b

        SHA1

        725a5976fabf6827df5618081a05d3bc852aad9a

        SHA256

        dca49399288362d252e53016e407897b9951c58c4de6ce1e3b17bb0289293985

        SHA512

        1c2b119e79f1f58af1062dd1cc72558e48b5cf871dbad79d8d4f34938c46156dddb9675850ca059700a27e88ef8edf8bc62b95ed35f56a39b7881df360596731

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyu1605.exe
        Filesize

        402KB

        MD5

        518b04ba64616f0c983c465195bb272b

        SHA1

        725a5976fabf6827df5618081a05d3bc852aad9a

        SHA256

        dca49399288362d252e53016e407897b9951c58c4de6ce1e3b17bb0289293985

        SHA512

        1c2b119e79f1f58af1062dd1cc72558e48b5cf871dbad79d8d4f34938c46156dddb9675850ca059700a27e88ef8edf8bc62b95ed35f56a39b7881df360596731

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr664407.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr664407.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku396740.exe
        Filesize

        349KB

        MD5

        2d2e7f883609b2952e13fc14f1055ddc

        SHA1

        7cd63c64d30e026f9f6be9afabde1f463685f082

        SHA256

        cccad3304cfc62139cc7e78a31b2246f7112336573d690eb05036c70d2ee8c7b

        SHA512

        412768cc8e7e1b4f454a9425fb16ef64b4fecdb13793567e57011eb7db50c30e8717560b2a677b37c8b48bf6da036e4967ceda81e697006b80186bbd36f08828

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku396740.exe
        Filesize

        349KB

        MD5

        2d2e7f883609b2952e13fc14f1055ddc

        SHA1

        7cd63c64d30e026f9f6be9afabde1f463685f082

        SHA256

        cccad3304cfc62139cc7e78a31b2246f7112336573d690eb05036c70d2ee8c7b

        SHA512

        412768cc8e7e1b4f454a9425fb16ef64b4fecdb13793567e57011eb7db50c30e8717560b2a677b37c8b48bf6da036e4967ceda81e697006b80186bbd36f08828

        Download Submit

      • memory/2188-1090-0x0000000005210000-0x0000000005220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2188-1089-0x0000000000900000-0x0000000000932000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2852-150-0x0000000000400000-0x000000000076C000-memory.dmp

        Filesize

        3.4MB

        Download

      • memory/2852-134-0x00000000025B0000-0x000000000263A000-memory.dmp

        Filesize

        552KB

        Download

      • memory/4080-149-0x00000000007E0000-0x00000000007EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4876-194-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-206-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-161-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-162-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-164-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-166-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-168-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-170-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-172-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-174-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-176-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-178-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-180-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-182-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-184-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-186-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-188-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-190-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-192-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-159-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-196-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-198-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-200-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-202-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-204-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-160-0x0000000004EB0000-0x0000000005454000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4876-208-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-210-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-212-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-214-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-216-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-218-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-220-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-222-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4876-1068-0x0000000005560000-0x0000000005B78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4876-1069-0x0000000005B80000-0x0000000005C8A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4876-1070-0x0000000004E50000-0x0000000004E62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4876-1071-0x0000000005C90000-0x0000000005CCC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4876-1072-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-1074-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-1075-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-1076-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4876-1077-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4876-1078-0x0000000006710000-0x00000000068D2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4876-1079-0x00000000068F0000-0x0000000006E1C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4876-1080-0x0000000006F70000-0x0000000006FE6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4876-1081-0x0000000006FF0000-0x0000000007040000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4876-158-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-157-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4876-156-0x0000000002380000-0x00000000023CB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4876-1083-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.