Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2023, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57c9ed1e90bdb5e303f41f752fdf53705cfb5023b54a595d905d99c131ff036e.exe

  • Size

    685KB

  • MD5

    1f851af091a208dbe440bb1b75f308bc

  • SHA1

    be0de3b49d258b5dc8d88956c6b07fc845f5e012

  • SHA256

    57c9ed1e90bdb5e303f41f752fdf53705cfb5023b54a595d905d99c131ff036e

  • SHA512

    c40be3344ea456a8a18bc1a464fb99f83bd806d645645a55f5f08904341228b4af0366290955a24705f11c3b88b52c988605c34833c3b8173ed88a12a4c8aebe

  • SSDEEP

    12288:cMrMy90NwzFmppj1QiksARksdmZKZIh/K/7B0KiE6L0Aqcc:AyalQiWis/ZAyjOKiE6xqcc

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57c9ed1e90bdb5e303f41f752fdf53705cfb5023b54a595d905d99c131ff036e.exe
    "C:\Users\Admin\AppData\Local\Temp\57c9ed1e90bdb5e303f41f752fdf53705cfb5023b54a595d905d99c131ff036e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un184619.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un184619.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1065.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1065.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1084
          4⤵
          • Program crash
          PID:1336
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2081.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2081.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4228
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1960
          4⤵
          • Program crash
          PID:3392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si572555.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si572555.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2988 -ip 2988
    1⤵
      PID:3348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4228 -ip 4228
      1⤵
        PID:4312

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si572555.exe
        Filesize

        175KB

        MD5

        0207fb9837f600deb2393ac48441eb98

        SHA1

        13b4b265550d26cdde45f5aae78a60a1869463d1

        SHA256

        06e3491d1ec3f00467f52c69dddebfd5d751274704b66a7551eae0a36eb3efb2

        SHA512

        e6228d3d302425e554ccddbd6f67588516bc239cf1887486fa04df3ae942192fec04b93e0c9229f6eadbaa7d9bee67b51b435b2d2cfb48cab4ff0e1574fe278e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si572555.exe
        Filesize

        175KB

        MD5

        0207fb9837f600deb2393ac48441eb98

        SHA1

        13b4b265550d26cdde45f5aae78a60a1869463d1

        SHA256

        06e3491d1ec3f00467f52c69dddebfd5d751274704b66a7551eae0a36eb3efb2

        SHA512

        e6228d3d302425e554ccddbd6f67588516bc239cf1887486fa04df3ae942192fec04b93e0c9229f6eadbaa7d9bee67b51b435b2d2cfb48cab4ff0e1574fe278e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un184619.exe
        Filesize

        543KB

        MD5

        5d151e3dfbffccda0cd77a2e1ebeef8b

        SHA1

        2fcd5bfa350cb8d2b602186648f84f53e44b5212

        SHA256

        07376eee26d1b6587fcbe2a5512e0b6e2d950906052d4a887613413142a13e59

        SHA512

        d270e29bdd734d078cec69787a886612f3b34a83f572c3cbc7e322420497c3fa2ac2f3ff8fd8f978aae8cc52d7c57e9828a3d56583ad023fe0975d83935de939

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un184619.exe
        Filesize

        543KB

        MD5

        5d151e3dfbffccda0cd77a2e1ebeef8b

        SHA1

        2fcd5bfa350cb8d2b602186648f84f53e44b5212

        SHA256

        07376eee26d1b6587fcbe2a5512e0b6e2d950906052d4a887613413142a13e59

        SHA512

        d270e29bdd734d078cec69787a886612f3b34a83f572c3cbc7e322420497c3fa2ac2f3ff8fd8f978aae8cc52d7c57e9828a3d56583ad023fe0975d83935de939

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1065.exe
        Filesize

        292KB

        MD5

        3da2eda961ec514d5656041d0a2932df

        SHA1

        f92101ade9a9a76644c29195208a752ea3a7e99f

        SHA256

        f86e3d85cd21fb0c801e2b99f2605123d72cc0a75c119237344809b4c435fe91

        SHA512

        4cf80c45a699144128779bf7fae7f19923567c16c23da959248e59eb25caa424c94aa33c6a120c91608ba632965bc49fb4476a37410c11a2b3cc8f9fc0731210

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1065.exe
        Filesize

        292KB

        MD5

        3da2eda961ec514d5656041d0a2932df

        SHA1

        f92101ade9a9a76644c29195208a752ea3a7e99f

        SHA256

        f86e3d85cd21fb0c801e2b99f2605123d72cc0a75c119237344809b4c435fe91

        SHA512

        4cf80c45a699144128779bf7fae7f19923567c16c23da959248e59eb25caa424c94aa33c6a120c91608ba632965bc49fb4476a37410c11a2b3cc8f9fc0731210

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2081.exe
        Filesize

        350KB

        MD5

        900186eec9ea71b1f5a84697bb7ae5e8

        SHA1

        857fb1d4d8f70a892837256a47dd775da6c0ce8c

        SHA256

        149006bc9d47d06e95040f123b52ad4d45e6862668b48ef2d4d1d09b17b44a9d

        SHA512

        152cf0783ead90dff3622919c8487a41fd6d15aa105ae37623401338efb1e1aa58aa13a0767d17e8c2dbe8f152f791b841cd9787b3a295886688402a0d1e1317

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2081.exe
        Filesize

        350KB

        MD5

        900186eec9ea71b1f5a84697bb7ae5e8

        SHA1

        857fb1d4d8f70a892837256a47dd775da6c0ce8c

        SHA256

        149006bc9d47d06e95040f123b52ad4d45e6862668b48ef2d4d1d09b17b44a9d

        SHA512

        152cf0783ead90dff3622919c8487a41fd6d15aa105ae37623401338efb1e1aa58aa13a0767d17e8c2dbe8f152f791b841cd9787b3a295886688402a0d1e1317

        Download Submit

      • memory/2988-148-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2988-149-0x0000000004ED0000-0x0000000005474000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2988-150-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-151-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-153-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-155-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-157-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-159-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-161-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-163-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-165-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-167-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-169-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-171-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-173-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-175-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-177-0x0000000002600000-0x0000000002612000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2988-178-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2988-179-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2988-180-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2988-181-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/2988-182-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2988-184-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2988-185-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2988-186-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/3628-1122-0x00000000009B0000-0x00000000009E2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3628-1123-0x0000000005240000-0x0000000005250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-194-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-230-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-196-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-198-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-200-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-202-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-204-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-206-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-208-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-210-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-212-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-214-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-218-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-216-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-220-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-222-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-224-0x0000000000720000-0x000000000076B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4228-225-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-227-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-192-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-229-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-1101-0x0000000005320000-0x0000000005938000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4228-1102-0x00000000059C0000-0x0000000005ACA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4228-1103-0x0000000005B00000-0x0000000005B12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4228-1104-0x0000000005B20000-0x0000000005B5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4228-1105-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-1107-0x0000000005E10000-0x0000000005EA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4228-1108-0x0000000005EB0000-0x0000000005F16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4228-1109-0x00000000065B0000-0x0000000006626000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4228-1110-0x0000000006640000-0x0000000006690000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4228-1111-0x00000000066B0000-0x0000000006872000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4228-1112-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-1113-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-191-0x0000000002770000-0x00000000027AE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4228-1114-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-1115-0x0000000006880000-0x0000000006DAC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4228-1116-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download