Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2023, 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe

  • Size

    688KB

  • MD5

    99e418ce87c996c8685a18a1a72da80d

  • SHA1

    c94ba833e4f4c0e2a45f9dfad14b6b77d420fe5f

  • SHA256

    5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e

  • SHA512

    90f936150e0703f383b4ba1968ed978e344608189a24976d98035b00e07f78628f218e127949167f6f7f6c8c7abd0bea335f4a66bb09c678efd6a7020db2aded

  • SSDEEP

    12288:0Mruy90u16Wwc9QRRHZyRXkPzgOUftibMcZN49NzyaIW8T9MZckjuosp+r:ayVk/5C0hUfCMcM8TKikjuof

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe
    "C:\Users\Admin\AppData\Local\Temp\5c6b2ba1e752bcb3fc994b6c90a775ddbe8e4f83d7a1776943d24ef5b5da516e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834933.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834933.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6281.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6281.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1080
          4⤵
          • Program crash
          PID:3876
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7529.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7529.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1924
          4⤵
          • Program crash
          PID:436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375827.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375827.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1872 -ip 1872
    1⤵
      PID:1644
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4572 -ip 4572
      1⤵
        PID:2264

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375827.exe
        Filesize

        175KB

        MD5

        0070bc16e790c6757d508dfb61a679d1

        SHA1

        11597801bdb0c36c764f0be9bc2dfeca268a609b

        SHA256

        2d35b241496015bbd4fd2afa6cf4fa279be28d1ede29a1a4043ed8cc7f62e491

        SHA512

        20b462074968ed07b747ff6631c7a12f2dd414dd89e4bc581cb37e6253127146536825c2837c77d654456a2f7b649a411f2e612a869e8d038c6f28e4d2922704

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si375827.exe
        Filesize

        175KB

        MD5

        0070bc16e790c6757d508dfb61a679d1

        SHA1

        11597801bdb0c36c764f0be9bc2dfeca268a609b

        SHA256

        2d35b241496015bbd4fd2afa6cf4fa279be28d1ede29a1a4043ed8cc7f62e491

        SHA512

        20b462074968ed07b747ff6631c7a12f2dd414dd89e4bc581cb37e6253127146536825c2837c77d654456a2f7b649a411f2e612a869e8d038c6f28e4d2922704

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834933.exe
        Filesize

        545KB

        MD5

        c25e01f90166339f356cd8457c2458da

        SHA1

        992b2d6336489699e4385a15052d6a95bccb606e

        SHA256

        09e7756cb5df3ac01053c927164c8ecebd0006a811052ee0db6f6a9727be6d7d

        SHA512

        8736853a56ac92b762d8af30c4c7a9dc5511bed26ef1ce0cb910d6e5bbec4f2628d7aca8ebb7d1b80b1c9108e1c056d1407a5bd93afec9ae454872e9d0ad2ad2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un834933.exe
        Filesize

        545KB

        MD5

        c25e01f90166339f356cd8457c2458da

        SHA1

        992b2d6336489699e4385a15052d6a95bccb606e

        SHA256

        09e7756cb5df3ac01053c927164c8ecebd0006a811052ee0db6f6a9727be6d7d

        SHA512

        8736853a56ac92b762d8af30c4c7a9dc5511bed26ef1ce0cb910d6e5bbec4f2628d7aca8ebb7d1b80b1c9108e1c056d1407a5bd93afec9ae454872e9d0ad2ad2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6281.exe
        Filesize

        300KB

        MD5

        3912e8dad537418748cb6e54f82b227e

        SHA1

        bd5f5605b3f63825e0467a4978a15b5c96ce1553

        SHA256

        05fddb056182acb7ae5b94e3afe451117534d34c4bb6d681cc18e93eb591daa4

        SHA512

        76d2376fdcf6db3ec8e9ec4865c42f98ab20a9976b9966f1395260fde1d5450bd8634024370b4e875f61aac2574e2d0400c6f28e5dae7349c4798ac71e9cd2c5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6281.exe
        Filesize

        300KB

        MD5

        3912e8dad537418748cb6e54f82b227e

        SHA1

        bd5f5605b3f63825e0467a4978a15b5c96ce1553

        SHA256

        05fddb056182acb7ae5b94e3afe451117534d34c4bb6d681cc18e93eb591daa4

        SHA512

        76d2376fdcf6db3ec8e9ec4865c42f98ab20a9976b9966f1395260fde1d5450bd8634024370b4e875f61aac2574e2d0400c6f28e5dae7349c4798ac71e9cd2c5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7529.exe
        Filesize

        359KB

        MD5

        8ce82a4e7530452d64d7027581065ffc

        SHA1

        7bcffe1aec2734c121bb8f0db658b15dede8bf3b

        SHA256

        48b65cfc856785faca4a6db2d04e19146942170adfce3a720c48bf73b6d3b85c

        SHA512

        401db4c97e711403458da0e2b0185f62a782e3ffdb74232c10b41fbab65f73db6babce0a69d3c546a0382521666cefd9ac14948ecd84e7b730353f3d6450ede7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7529.exe
        Filesize

        359KB

        MD5

        8ce82a4e7530452d64d7027581065ffc

        SHA1

        7bcffe1aec2734c121bb8f0db658b15dede8bf3b

        SHA256

        48b65cfc856785faca4a6db2d04e19146942170adfce3a720c48bf73b6d3b85c

        SHA512

        401db4c97e711403458da0e2b0185f62a782e3ffdb74232c10b41fbab65f73db6babce0a69d3c546a0382521666cefd9ac14948ecd84e7b730353f3d6450ede7

        Download Submit

      • memory/1872-148-0x0000000002230000-0x000000000225D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1872-149-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-150-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-151-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-152-0x0000000004E60000-0x0000000005404000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1872-153-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-154-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-156-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-158-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-160-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-162-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-164-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-166-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-168-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-170-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-172-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-174-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-176-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-178-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-180-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1872-181-0x0000000000400000-0x000000000070E000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1872-182-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-184-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-183-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-186-0x0000000000400000-0x000000000070E000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4572-192-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-191-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-194-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-196-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-198-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-200-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-202-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-204-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-206-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-208-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-210-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-212-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-214-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-216-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-218-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-220-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-222-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-224-0x00000000026F0000-0x000000000272E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4572-238-0x0000000002350000-0x000000000239B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4572-240-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-242-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-244-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-1101-0x0000000005550000-0x0000000005B68000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4572-1102-0x0000000005B70000-0x0000000005C7A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4572-1103-0x0000000004E50000-0x0000000004E62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4572-1104-0x0000000005C80000-0x0000000005CBC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4572-1105-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4572-1107-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4572-1109-0x0000000006720000-0x00000000068E2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4572-1110-0x00000000068F0000-0x0000000006E1C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4572-1111-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-1112-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-1113-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-1114-0x0000000007180000-0x00000000071F6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4572-1115-0x0000000007210000-0x0000000007260000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4572-1116-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4920-1122-0x0000000000390000-0x00000000003C2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4920-1123-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

        Filesize

        64KB

        Download