Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2023, 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe

  • Size

    696KB

  • MD5

    4082d95eeaff939a6efbc2e31323d666

  • SHA1

    dfb0d5aeebdd09a25e51f8a2749df35ab433ff62

  • SHA256

    8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457

  • SHA512

    d742f8a8f1a2c20d9fc3f17c851170028bf95c8b2427539728d8d72fcc38ea44a107578155c6209bab084321f7435888c47a0398d4f80bd6048d0af458026e1a

  • SSDEEP

    12288:aMrJy90Q/JCjcn2H3pLl/MqGd4aDz2WhlQobiwFVj5eZ6Le2fk:DyMjb3pLFMqGd4OyWhZbiwFje4S

Score
10/10
redlinemuserosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes
  • auth_value

    b91988a63a24940038d9262827a5320c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe
    "C:\Users\Admin\AppData\Local\Temp\8db813bdace2b9bf0c4407bb90bedd3ad9b88d969dcd2b3d0cdf76533b0da457.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un643181.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un643181.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9529.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9529.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1064
          4⤵
          • Program crash
          PID:3856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3765.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3765.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1620
          4⤵
          • Program crash
          PID:4572
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si631607.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si631607.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4676 -ip 4676
    1⤵
      PID:3756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1068 -ip 1068
      1⤵
        PID:4372

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si631607.exe
        Filesize

        175KB

        MD5

        87073b64d6d90d223a7f8edcf815dfc3

        SHA1

        324550dfc8213b8b0fdb7f798ec30238a2a2098f

        SHA256

        c978089ded55e962391bfd6c2b275945d523b18a191a904dd340af1eebff9d84

        SHA512

        1e121f43335ae1c453382dec6b637a031b367c77c085a0027d7526ce17693be614a3f57936fdd9a128586cdb11d892d7ce508e58ab0c3b584df3a221f2588402

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si631607.exe
        Filesize

        175KB

        MD5

        87073b64d6d90d223a7f8edcf815dfc3

        SHA1

        324550dfc8213b8b0fdb7f798ec30238a2a2098f

        SHA256

        c978089ded55e962391bfd6c2b275945d523b18a191a904dd340af1eebff9d84

        SHA512

        1e121f43335ae1c453382dec6b637a031b367c77c085a0027d7526ce17693be614a3f57936fdd9a128586cdb11d892d7ce508e58ab0c3b584df3a221f2588402

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un643181.exe
        Filesize

        554KB

        MD5

        509fa936b31c8576cba54dae9172adff

        SHA1

        a3b85f7a0bceb9137f474a1b87f3a03384814d41

        SHA256

        bf06ca91d0aaf073698bbcbdaf21a6d1025a5a505fca9ac780d33ce1249c46af

        SHA512

        5467e978286c6b31e11d273e22771ffc0e4f132dc2ce4f104f779bb5b7c03ab3b49f49237c19c1752981b60e63443a3c7712db0e944a3efcddd9cd2a11de84f4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un643181.exe
        Filesize

        554KB

        MD5

        509fa936b31c8576cba54dae9172adff

        SHA1

        a3b85f7a0bceb9137f474a1b87f3a03384814d41

        SHA256

        bf06ca91d0aaf073698bbcbdaf21a6d1025a5a505fca9ac780d33ce1249c46af

        SHA512

        5467e978286c6b31e11d273e22771ffc0e4f132dc2ce4f104f779bb5b7c03ab3b49f49237c19c1752981b60e63443a3c7712db0e944a3efcddd9cd2a11de84f4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9529.exe
        Filesize

        347KB

        MD5

        c975c9c123d30919393c7e8f25715a53

        SHA1

        21df7c1769cce2c3bf092dc109f4f0624eb2667e

        SHA256

        9392e1c2cbb31cca7818ca90421417dfd8643949a104f84323b670d2f6e24db0

        SHA512

        39da8a2739ef7df83c9f686100d496731c5d021dd8a688d3569aae71b9f8fd905f1a060dca6e2b98da87d8dee7c1ad980c10ef6a3aebe08e5aad739121cf29f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9529.exe
        Filesize

        347KB

        MD5

        c975c9c123d30919393c7e8f25715a53

        SHA1

        21df7c1769cce2c3bf092dc109f4f0624eb2667e

        SHA256

        9392e1c2cbb31cca7818ca90421417dfd8643949a104f84323b670d2f6e24db0

        SHA512

        39da8a2739ef7df83c9f686100d496731c5d021dd8a688d3569aae71b9f8fd905f1a060dca6e2b98da87d8dee7c1ad980c10ef6a3aebe08e5aad739121cf29f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3765.exe
        Filesize

        405KB

        MD5

        21c362c02f899ff1e3b94581f36578f9

        SHA1

        099b405180e057765615148ac7c26f096281c70a

        SHA256

        789f7b8d4a8b2e15044f1275f25cd41ebea5588b87765a39d28da89f9332d315

        SHA512

        d35363b92bba72377f01052fe636636285c7aa171459bdffeb7889994ee20a9d7e85d180f5fb40275055c2dcfe6f1ef8ab8bc4184521e96bf94cbd41cceb3ea7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3765.exe
        Filesize

        405KB

        MD5

        21c362c02f899ff1e3b94581f36578f9

        SHA1

        099b405180e057765615148ac7c26f096281c70a

        SHA256

        789f7b8d4a8b2e15044f1275f25cd41ebea5588b87765a39d28da89f9332d315

        SHA512

        d35363b92bba72377f01052fe636636285c7aa171459bdffeb7889994ee20a9d7e85d180f5fb40275055c2dcfe6f1ef8ab8bc4184521e96bf94cbd41cceb3ea7

        Download Submit

      • memory/1068-227-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-1102-0x00000000080C0000-0x00000000080D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1068-1114-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-1113-0x00000000090A0000-0x00000000095CC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1068-1112-0x0000000008EC0000-0x0000000009082000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1068-1111-0x0000000008E60000-0x0000000008EB0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1068-1110-0x0000000008DD0000-0x0000000008E46000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1068-1109-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-1108-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-1107-0x0000000008470000-0x00000000084D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1068-1106-0x00000000083D0000-0x0000000008462000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1068-1104-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-1103-0x00000000080E0000-0x000000000811C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1068-1101-0x0000000007F80000-0x000000000808A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1068-1100-0x0000000007940000-0x0000000007F58000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1068-225-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-223-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-221-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-219-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-217-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-215-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-213-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-190-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1068-191-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-192-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-194-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-193-0x0000000007280000-0x0000000007290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-195-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-197-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-199-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-201-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-203-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-205-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-207-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-209-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1068-211-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4652-1120-0x0000000000AA0000-0x0000000000AD2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4652-1121-0x0000000005330000-0x0000000005340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-172-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-178-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-182-0x00000000049B0000-0x00000000049C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-181-0x0000000000400000-0x0000000002B84000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/4676-180-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-150-0x00000000049B0000-0x00000000049C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-170-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-176-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-153-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-174-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-183-0x00000000049B0000-0x00000000049C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-152-0x00000000049B0000-0x00000000049C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-160-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-166-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-164-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-162-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-168-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-158-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-156-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-154-0x00000000049D0000-0x00000000049E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4676-151-0x00000000073C0000-0x0000000007964000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4676-148-0x0000000002C60000-0x0000000002C8D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4676-185-0x0000000000400000-0x0000000002B84000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/4676-149-0x00000000049B0000-0x00000000049C0000-memory.dmp

        Filesize

        64KB

        Download