Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    64s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/04/2023, 02:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe

  • Size

    534KB

  • MD5

    c0971643c438954b7d61e88c4cd0d604

  • SHA1

    a581e5c45199a37646b1acc90820ee128fbe0232

  • SHA256

    0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22

  • SHA512

    d440f871a16c2a4fe963f8e1be97921473b10ad17e7535eb308f5eb8d19caa25da3ecef9eb4243255ab6b553cc7f0277ed01e8166bffaf603c581020dc920c3b

  • SSDEEP

    12288:EMr4y90Z7hQ5lStI+nqNb+zSbeWzifg/PIf:MyE7hQEx4b+z6eysf

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe
    "C:\Users\Admin\AppData\Local\Temp\0acc009d52a355bfa98cf3eedc01be67aaeaa1b3451c07a9c5980d90fb9bed22.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXM0912.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXM0912.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr542141.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr542141.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku724473.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku724473.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr115091.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr115091.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3624

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr115091.exe
    Filesize

    176KB

    MD5

    4d13ceb3d7542c2d024cba0af6efbb5d

    SHA1

    ca79e7e4d2680fbee860a27d4ff6a630c08c77f6

    SHA256

    3f7bb181b45f9679f99e36e6d1b6bf48e04f9276bdf5d084a6bfa8d1ce98b1b5

    SHA512

    63465e3b49799358bf1038a2065b50cd57a1612bca04cf5dfc9e50bfba28d928125fbace4bada8ae180d3959fbc197e5ea9c1cacfafb7a0930b6accde3c16d58

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr115091.exe
    Filesize

    176KB

    MD5

    4d13ceb3d7542c2d024cba0af6efbb5d

    SHA1

    ca79e7e4d2680fbee860a27d4ff6a630c08c77f6

    SHA256

    3f7bb181b45f9679f99e36e6d1b6bf48e04f9276bdf5d084a6bfa8d1ce98b1b5

    SHA512

    63465e3b49799358bf1038a2065b50cd57a1612bca04cf5dfc9e50bfba28d928125fbace4bada8ae180d3959fbc197e5ea9c1cacfafb7a0930b6accde3c16d58

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXM0912.exe
    Filesize

    392KB

    MD5

    9453f737ccb442c5929aabb045be325f

    SHA1

    dfe3fe13b65ec2c618ef204fecc4dfc060e177c3

    SHA256

    a8ec2bbcb9561ad47acb05a650ce78c6257903ce93cd8a7e6cafa0c6d741fb67

    SHA512

    92bf2336c80d78d7e6afa0a6611347ba7e4771a4338577284c4471082c125c13624559b471322f7b954bd5c4f2aed342833fb5397b65ad4e17bbcec65ef9c8b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXM0912.exe
    Filesize

    392KB

    MD5

    9453f737ccb442c5929aabb045be325f

    SHA1

    dfe3fe13b65ec2c618ef204fecc4dfc060e177c3

    SHA256

    a8ec2bbcb9561ad47acb05a650ce78c6257903ce93cd8a7e6cafa0c6d741fb67

    SHA512

    92bf2336c80d78d7e6afa0a6611347ba7e4771a4338577284c4471082c125c13624559b471322f7b954bd5c4f2aed342833fb5397b65ad4e17bbcec65ef9c8b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr542141.exe
    Filesize

    12KB

    MD5

    1ed6d22b694fc9366f873e4d7df7cf2a

    SHA1

    cf1313030b45b1286d3ef8c8065da3acfc70702d

    SHA256

    fe0ec79fe583ca372a3dae5cabaa13fc872b55d095822baf6b224c2eba43686d

    SHA512

    07906f0e7f53d24c33a2d2dfefa392bedc37541c496191889951372e43fc7243f7585badc435a5d3a8b5eadecd771730bf757ac5f93478580ee6f7369d91131b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr542141.exe
    Filesize

    12KB

    MD5

    1ed6d22b694fc9366f873e4d7df7cf2a

    SHA1

    cf1313030b45b1286d3ef8c8065da3acfc70702d

    SHA256

    fe0ec79fe583ca372a3dae5cabaa13fc872b55d095822baf6b224c2eba43686d

    SHA512

    07906f0e7f53d24c33a2d2dfefa392bedc37541c496191889951372e43fc7243f7585badc435a5d3a8b5eadecd771730bf757ac5f93478580ee6f7369d91131b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku724473.exe
    Filesize

    319KB

    MD5

    5a3916e7685e26b10b049e7f1c4b3523

    SHA1

    e50a263bdc1ee4317f653e804f191031f08393bb

    SHA256

    9aa75a294568f0e0544a178fff874c2655130a63b9650e250f5a961c5f80646b

    SHA512

    26f1ba525271caae5bded135468447570f2e4f7fd7fca0365178ec4f98d9d7961c16bdcc78ea2550643283f23438345a6885d7ac5d70fdbcb5ec5f6c8e74a3f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku724473.exe
    Filesize

    319KB

    MD5

    5a3916e7685e26b10b049e7f1c4b3523

    SHA1

    e50a263bdc1ee4317f653e804f191031f08393bb

    SHA256

    9aa75a294568f0e0544a178fff874c2655130a63b9650e250f5a961c5f80646b

    SHA512

    26f1ba525271caae5bded135468447570f2e4f7fd7fca0365178ec4f98d9d7961c16bdcc78ea2550643283f23438345a6885d7ac5d70fdbcb5ec5f6c8e74a3f0

    Download Submit

  • memory/2984-135-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3624-1076-0x0000000000490000-0x00000000004C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3624-1077-0x0000000004ED0000-0x0000000004F1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3624-1078-0x0000000004D90000-0x0000000004DA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-175-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-189-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-144-0x0000000004C90000-0x000000000518E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4888-145-0x0000000002470000-0x00000000024B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4888-146-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-147-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-148-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-149-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-151-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-153-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-155-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-157-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-159-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-161-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-163-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-165-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-167-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-169-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-171-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-173-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-142-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-177-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-179-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-181-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-183-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-185-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-187-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-143-0x0000000002120000-0x0000000002166000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4888-191-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-193-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-195-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-197-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-199-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-201-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-203-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-205-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-207-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-209-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-211-0x0000000002470000-0x00000000024AF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4888-1054-0x0000000005190000-0x0000000005796000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4888-1055-0x0000000004B40000-0x0000000004C4A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4888-1056-0x00000000057A0000-0x00000000057B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4888-1057-0x00000000057C0000-0x00000000057FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4888-1059-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-1060-0x0000000005910000-0x000000000595B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4888-1061-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-1062-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-1063-0x0000000005AA0000-0x0000000005B32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4888-1064-0x0000000005B40000-0x0000000005BA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4888-1066-0x0000000004C80000-0x0000000004C90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-141-0x0000000000540000-0x000000000058B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4888-1067-0x0000000007730000-0x00000000078F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4888-1068-0x0000000007920000-0x0000000007E4C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4888-1069-0x0000000004610000-0x0000000004686000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4888-1070-0x0000000007F70000-0x0000000007FC0000-memory.dmp

    Filesize

    320KB

    Download