Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25/03/2023, 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c6533f4ee9fd5f6e903874d8c439bc03a9d7f37788e3c6514ef753afd04e7f5.exe

  • Size

    553KB

  • MD5

    cd7c96583527342c076d5ac485148238

  • SHA1

    bdf4286f81ab6ef72e47cb9ff4e12ae8fb8f51aa

  • SHA256

    2c6533f4ee9fd5f6e903874d8c439bc03a9d7f37788e3c6514ef753afd04e7f5

  • SHA512

    c2a181c9df06d2ea663e0d521f26fbb9bd08280dd2c562036f207f5192849364827de499d335b56926db260c2aec787188dead6198f4838624dc731d97e8ef1b

  • SSDEEP

    12288:QMrRy90Fqk4yFM3qEj8vijV0Y43xxnMTKb1qULONVf+iDlm:RySLFmDA6L4htM+5qvNpT8

Score
10/10
redlineborisrotikdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

rotik

C2

193.233.20.32:4125

Attributes
  • auth_value

    74863478ae154e921eb729354d2bb4bd

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c6533f4ee9fd5f6e903874d8c439bc03a9d7f37788e3c6514ef753afd04e7f5.exe
    "C:\Users\Admin\AppData\Local\Temp\2c6533f4ee9fd5f6e903874d8c439bc03a9d7f37788e3c6514ef753afd04e7f5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3733.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3733.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h66EN48.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h66EN48.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDGgi95.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDGgi95.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l88XJ13.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l88XJ13.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4848

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l88XJ13.exe
    Filesize

    175KB

    MD5

    efc3b1703bec9a0e79d4a9fdcedf4a20

    SHA1

    d019bfe5fbf05fde5cae0029f9580dca9677a3b2

    SHA256

    1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

    SHA512

    f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l88XJ13.exe
    Filesize

    175KB

    MD5

    efc3b1703bec9a0e79d4a9fdcedf4a20

    SHA1

    d019bfe5fbf05fde5cae0029f9580dca9677a3b2

    SHA256

    1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

    SHA512

    f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3733.exe
    Filesize

    411KB

    MD5

    e5fc1f8bb064c65dadfc9a19b5fe8a61

    SHA1

    c183e50593c2dbc2e3daf4136baf47e569f23d89

    SHA256

    b0216c207b2fed6203de381a0f9b835be5ebd2bd9ceb63cbaff1465e00dce578

    SHA512

    c2c916d081921c9f55be92336a984f59d641b6087f12817efb570b5b605ab53586d4b8daa9b5c275f86db0c113e5e7ea8e19f5d83569d3fcf24c0c628ddc7689

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba3733.exe
    Filesize

    411KB

    MD5

    e5fc1f8bb064c65dadfc9a19b5fe8a61

    SHA1

    c183e50593c2dbc2e3daf4136baf47e569f23d89

    SHA256

    b0216c207b2fed6203de381a0f9b835be5ebd2bd9ceb63cbaff1465e00dce578

    SHA512

    c2c916d081921c9f55be92336a984f59d641b6087f12817efb570b5b605ab53586d4b8daa9b5c275f86db0c113e5e7ea8e19f5d83569d3fcf24c0c628ddc7689

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h66EN48.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h66EN48.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDGgi95.exe
    Filesize

    386KB

    MD5

    2b7e0808578f36e60bc4931ba05b0523

    SHA1

    4cfbf4c91e6df6e51dfa3e1e8e912ce76800223d

    SHA256

    0dd8a773f4bfee30ddaf2dbfa0dfb910cec32685a79b4744cf64403231ee29b8

    SHA512

    99162201c93ccc2784be1eb0590ecfc9659d8a89af7cec4cecb96075eca50ffdbe2219b7b74b92ad86c981f0b2b162399b88e52d63d7356be560b9ae7fd04687

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDGgi95.exe
    Filesize

    386KB

    MD5

    2b7e0808578f36e60bc4931ba05b0523

    SHA1

    4cfbf4c91e6df6e51dfa3e1e8e912ce76800223d

    SHA256

    0dd8a773f4bfee30ddaf2dbfa0dfb910cec32685a79b4744cf64403231ee29b8

    SHA512

    99162201c93ccc2784be1eb0590ecfc9659d8a89af7cec4cecb96075eca50ffdbe2219b7b74b92ad86c981f0b2b162399b88e52d63d7356be560b9ae7fd04687

    Download Submit

  • memory/1856-130-0x00000000002F0000-0x00000000002FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4348-136-0x0000000002B90000-0x0000000002BDB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4348-137-0x0000000004BB0000-0x0000000004BF6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4348-138-0x0000000007130000-0x000000000762E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4348-139-0x0000000007670000-0x00000000076B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4348-140-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-141-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-143-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-145-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-147-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-149-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-151-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-153-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-155-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-157-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-160-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-159-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-164-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-161-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-163-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-166-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-168-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-170-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-172-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-174-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-176-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-178-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-180-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-184-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-182-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-188-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-186-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-190-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-192-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-194-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-196-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-198-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-200-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-202-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-204-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-206-0x0000000007670000-0x00000000076AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4348-1049-0x0000000007E00000-0x0000000008406000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4348-1050-0x0000000007860000-0x000000000796A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4348-1051-0x00000000079A0000-0x00000000079B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4348-1052-0x00000000079C0000-0x00000000079FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4348-1053-0x0000000007B10000-0x0000000007B5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4348-1054-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-1056-0x0000000007CA0000-0x0000000007D32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4348-1057-0x0000000007D40000-0x0000000007DA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4348-1058-0x0000000008B60000-0x0000000008D22000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4348-1059-0x0000000008D30000-0x000000000925C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4348-1060-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-1061-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-1062-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4348-1063-0x00000000093A0000-0x0000000009416000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4348-1064-0x0000000009420000-0x0000000009470000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4348-1065-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4848-1071-0x0000000000330000-0x0000000000362000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4848-1072-0x0000000004D70000-0x0000000004DBB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4848-1073-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4848-1074-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

    Filesize

    64KB

    Download