Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    90s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27/03/2023, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3a0472b8ae378c5948292cae5c612e21718755c667322853af45cbd50c95939.exe

  • Size

    695KB

  • MD5

    834ae0339567c8e0bc57d356480e5ac5

  • SHA1

    f3f0cb75291bd459f0edb6fe54c7aa461b53171f

  • SHA256

    d3a0472b8ae378c5948292cae5c612e21718755c667322853af45cbd50c95939

  • SHA512

    e3ebbf2155fdcc853d375afd661b5c338c2df8dd22f16dc0e35eb156e18dcbce2660e1f485873a0a829e702338f2660a9988931e6f09bb651ae8664faeecf2cf

  • SSDEEP

    12288:/Mrqy90reOTNoYD/W7ULq/fDtU+AXumlJDQ4BJ/TfLZ0q8n8zmNjJepKwQ5Lf5xT:RyepNoYLW7UmxQXHlBQ43/F80mlg45DL

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3a0472b8ae378c5948292cae5c612e21718755c667322853af45cbd50c95939.exe
    "C:\Users\Admin\AppData\Local\Temp\d3a0472b8ae378c5948292cae5c612e21718755c667322853af45cbd50c95939.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221267.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221267.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1081.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1081.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9604.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9604.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si941493.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si941493.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si941493.exe
    Filesize

    175KB

    MD5

    227426d584c5e1f57214e7f12bb219ec

    SHA1

    8c1f4c83cf022fd3a23fd09f266ae0425f51d695

    SHA256

    98dc8c1e1e161cba434a05d20aaef7624d2a7c51351a5c5159c9c281555c97c2

    SHA512

    a4590ccdad4e832ddcf979ad3c13120387153fde6c0b34a180421c70a7fee3b5983a2027d252bf4df53768044d3453ef76b6596416b10e51f487ba3118fe12b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si941493.exe
    Filesize

    175KB

    MD5

    227426d584c5e1f57214e7f12bb219ec

    SHA1

    8c1f4c83cf022fd3a23fd09f266ae0425f51d695

    SHA256

    98dc8c1e1e161cba434a05d20aaef7624d2a7c51351a5c5159c9c281555c97c2

    SHA512

    a4590ccdad4e832ddcf979ad3c13120387153fde6c0b34a180421c70a7fee3b5983a2027d252bf4df53768044d3453ef76b6596416b10e51f487ba3118fe12b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221267.exe
    Filesize

    553KB

    MD5

    e44e899851ba7ae3d903f74b971fca48

    SHA1

    4668cb5091a8b6d564cef2325365cc24f4ddf42b

    SHA256

    703bf15ff8e9f20d392b8ad7d7d5fc832acd0227983a793163d945c8a35df2b2

    SHA512

    91cc5cbe6a46c3d714b419d19bb34b8c5c62619c2c22fdecd80ab3e01016f4a106cfe60cb8d25750d5c6775ecd6c69f17fd5bce3fe4557984624bc131476b91d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221267.exe
    Filesize

    553KB

    MD5

    e44e899851ba7ae3d903f74b971fca48

    SHA1

    4668cb5091a8b6d564cef2325365cc24f4ddf42b

    SHA256

    703bf15ff8e9f20d392b8ad7d7d5fc832acd0227983a793163d945c8a35df2b2

    SHA512

    91cc5cbe6a46c3d714b419d19bb34b8c5c62619c2c22fdecd80ab3e01016f4a106cfe60cb8d25750d5c6775ecd6c69f17fd5bce3fe4557984624bc131476b91d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1081.exe
    Filesize

    308KB

    MD5

    7c0f074b27e62dee65be5e18fb336e00

    SHA1

    a553c93218f0a3b9e22fa8e0162003427040d92d

    SHA256

    222ccd6021db3de6155b674eb0f37ecb072b79846e4c7f484ca3c5adb14d718e

    SHA512

    f66ce84f46fda01b1aff05277ed7c8ab4a2e083a5459f7e227c7071365566995616ecb55bec7c4d8a13ed169897c83bf1271fd537477c2f6a903082ba0c6b8aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1081.exe
    Filesize

    308KB

    MD5

    7c0f074b27e62dee65be5e18fb336e00

    SHA1

    a553c93218f0a3b9e22fa8e0162003427040d92d

    SHA256

    222ccd6021db3de6155b674eb0f37ecb072b79846e4c7f484ca3c5adb14d718e

    SHA512

    f66ce84f46fda01b1aff05277ed7c8ab4a2e083a5459f7e227c7071365566995616ecb55bec7c4d8a13ed169897c83bf1271fd537477c2f6a903082ba0c6b8aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9604.exe
    Filesize

    366KB

    MD5

    1ea306c617a0177c9372308c040b89dd

    SHA1

    a0a0383cb327e91dadd841350609d3c33ff6c86f

    SHA256

    936b356f35d2a15bda05ef0fca312ec48e0434e51d1a192ea2a2516a5f5c7811

    SHA512

    edba6742c7e9ea2881f293883630d6e8028aab75431beda46235e4a4703af6c92a5882c8cc452bc898266f150b28d1c8bc81213ae2a35595bf2447a963c6e0ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9604.exe
    Filesize

    366KB

    MD5

    1ea306c617a0177c9372308c040b89dd

    SHA1

    a0a0383cb327e91dadd841350609d3c33ff6c86f

    SHA256

    936b356f35d2a15bda05ef0fca312ec48e0434e51d1a192ea2a2516a5f5c7811

    SHA512

    edba6742c7e9ea2881f293883630d6e8028aab75431beda46235e4a4703af6c92a5882c8cc452bc898266f150b28d1c8bc81213ae2a35595bf2447a963c6e0ae

    Download Submit

  • memory/1588-1112-0x0000000000930000-0x0000000000962000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1588-1113-0x0000000005370000-0x00000000053BB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1588-1114-0x00000000054D0000-0x00000000054E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-144-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-156-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-140-0x00000000024F0000-0x0000000002508000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2592-141-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-142-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-138-0x00000000024E0000-0x00000000024F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-146-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-148-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-150-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-152-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-154-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-139-0x0000000004D80000-0x000000000527E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2592-158-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-160-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-162-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-164-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-166-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-168-0x00000000024F0000-0x0000000002502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2592-169-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2592-170-0x00000000024E0000-0x00000000024F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-171-0x00000000024E0000-0x00000000024F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-173-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2592-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2592-136-0x0000000002350000-0x000000000236A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4708-180-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-211-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-183-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-185-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-187-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-189-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-191-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-193-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-195-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-197-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-199-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-201-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-203-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-205-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-207-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-208-0x0000000000930000-0x000000000097B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4708-210-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-213-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-212-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-181-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-215-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-217-0x0000000004C90000-0x0000000004CCF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4708-1090-0x0000000005870000-0x0000000005E76000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4708-1091-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4708-1092-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4708-1093-0x0000000005410000-0x000000000544E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4708-1094-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-1095-0x0000000005560000-0x00000000055AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4708-1097-0x00000000056F0000-0x0000000005756000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4708-1098-0x00000000063C0000-0x0000000006452000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4708-1099-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-1100-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-1101-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-1102-0x00000000066F0000-0x00000000068B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4708-1103-0x00000000068D0000-0x0000000006DFC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4708-179-0x0000000004C90000-0x0000000004CD4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4708-178-0x00000000027A0000-0x00000000027E6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4708-1104-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4708-1105-0x0000000006F40000-0x0000000006FB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4708-1106-0x0000000006FC0000-0x0000000007010000-memory.dmp

    Filesize

    320KB

    Download