Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe

  • Size

    531KB

  • MD5

    c31c248209a2523466fa0e841a6d52d0

  • SHA1

    b47db6f63703ada7c7fd68e0e9560d8248df841e

  • SHA256

    fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0

  • SHA512

    4a694980324289fe47244ca6396acce6e853b4acfead13fd86fda36255ba81c2abfbb39b6ab22735562ada9d7c1ae5ccb761bcdad3121a93123201c70f82fce4

  • SSDEEP

    12288:/MrZy90rcxaVM8DYjRE/uXxj2Iv6ff0+wJAeIU:eyTE+8sj8+j2IvWUWU

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe
    "C:\Users\Admin\AppData\Local\Temp\fdfd2ea8b4272499685b3dc9a2c44856eecc34ddd79dfccf48ed1243603755e0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuP8574.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuP8574.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473268.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473268.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:848
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku759341.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku759341.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1348
          4⤵
          • Program crash
          PID:4656
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr925006.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr925006.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1256 -ip 1256
    1⤵
      PID:524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr925006.exe
      Filesize

      176KB

      MD5

      b61fdbf445bf7bd8ee5b674fb6bc508f

      SHA1

      25532401081ec06b3c6042bdb9bdf029fe41fde0

      SHA256

      698f432e971bd0a6243d8c4c0e702c878968bce4e9c266b0f0b6d32903eae76f

      SHA512

      5bd3823b32ac121bd69aedc14bbbe0d49127653e7771eec2f957333cb67f34620fc87270bd5f49def9ca1ef291aacc9d1cecffd0b5cf32be20b86e25d738a841

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr925006.exe
      Filesize

      176KB

      MD5

      b61fdbf445bf7bd8ee5b674fb6bc508f

      SHA1

      25532401081ec06b3c6042bdb9bdf029fe41fde0

      SHA256

      698f432e971bd0a6243d8c4c0e702c878968bce4e9c266b0f0b6d32903eae76f

      SHA512

      5bd3823b32ac121bd69aedc14bbbe0d49127653e7771eec2f957333cb67f34620fc87270bd5f49def9ca1ef291aacc9d1cecffd0b5cf32be20b86e25d738a841

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuP8574.exe
      Filesize

      389KB

      MD5

      ba61b169084cf9e3eff6e7294a4ceae3

      SHA1

      5a9c5e56dd597811b42c1a5badd2121e4d79afeb

      SHA256

      96d226dfc52b109f45ea9b2c95a4f8f8081ca3a855d6b5039648feb7b731decd

      SHA512

      fc9cb7461cf1c8e789b45a5e6fb754546e5cdf3415f539ec5b8f0c36b110a3a9d911598508cc288e03f9c79da6281d8ea9ef342e9f288dae5660a2b107320bbc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuP8574.exe
      Filesize

      389KB

      MD5

      ba61b169084cf9e3eff6e7294a4ceae3

      SHA1

      5a9c5e56dd597811b42c1a5badd2121e4d79afeb

      SHA256

      96d226dfc52b109f45ea9b2c95a4f8f8081ca3a855d6b5039648feb7b731decd

      SHA512

      fc9cb7461cf1c8e789b45a5e6fb754546e5cdf3415f539ec5b8f0c36b110a3a9d911598508cc288e03f9c79da6281d8ea9ef342e9f288dae5660a2b107320bbc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473268.exe
      Filesize

      12KB

      MD5

      5092b44f4f627eced613c3bb696bceca

      SHA1

      6f847da6bfac1074fac8cd55520130477da8bc9e

      SHA256

      7936ddf9158d156bcc0a5ce94f7c39b0314a03ef83c74871c56d3ec99db7e60d

      SHA512

      d96630e57e100df7cf8af958ab337c83416e2722c8b22b07fffdebbd1e82a3ae955a1504539fe944bb12e0c616135d7dd9e86430e5cd87ad913f5b2480a29f3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr473268.exe
      Filesize

      12KB

      MD5

      5092b44f4f627eced613c3bb696bceca

      SHA1

      6f847da6bfac1074fac8cd55520130477da8bc9e

      SHA256

      7936ddf9158d156bcc0a5ce94f7c39b0314a03ef83c74871c56d3ec99db7e60d

      SHA512

      d96630e57e100df7cf8af958ab337c83416e2722c8b22b07fffdebbd1e82a3ae955a1504539fe944bb12e0c616135d7dd9e86430e5cd87ad913f5b2480a29f3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku759341.exe
      Filesize

      435KB

      MD5

      a5f56037e628ce339c37047af9c29320

      SHA1

      5109b706b6d2945d48194f3e57dc5ec4d279b3fc

      SHA256

      a65aa3136a2cdeb1421bd53e405a94d9621dc90fada9a85182ea20de01218ee3

      SHA512

      101f14316aa34fa36a9b80dac290fffd9087f38983e74b9e66a5f8c01c4755f7fd4116e6fa256bab772d3278a65efbe7359f37c37a300e7a736464ecff982f62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku759341.exe
      Filesize

      435KB

      MD5

      a5f56037e628ce339c37047af9c29320

      SHA1

      5109b706b6d2945d48194f3e57dc5ec4d279b3fc

      SHA256

      a65aa3136a2cdeb1421bd53e405a94d9621dc90fada9a85182ea20de01218ee3

      SHA512

      101f14316aa34fa36a9b80dac290fffd9087f38983e74b9e66a5f8c01c4755f7fd4116e6fa256bab772d3278a65efbe7359f37c37a300e7a736464ecff982f62

      Download Submit

    • memory/848-147-0x0000000000E10000-0x0000000000E1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1256-153-0x0000000003FE0000-0x000000000402B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1256-154-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-155-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-156-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-157-0x0000000006A50000-0x0000000006FF4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1256-158-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-159-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-163-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-161-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-165-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-175-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-181-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-183-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-179-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-191-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-193-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-195-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-199-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-209-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-211-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-219-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-221-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-217-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-215-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-213-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-207-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-205-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-203-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-201-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-197-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-189-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-187-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-185-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-177-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-173-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-171-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-169-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-167-0x00000000068D0000-0x000000000690F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1256-1064-0x0000000007000000-0x0000000007618000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1256-1065-0x0000000007620000-0x000000000772A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1256-1066-0x00000000069D0000-0x00000000069E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-1067-0x00000000069F0000-0x0000000006A2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1256-1068-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-1070-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-1071-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-1072-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1256-1073-0x00000000079D0000-0x0000000007A62000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1256-1074-0x0000000007A70000-0x0000000007AD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1256-1075-0x0000000008170000-0x00000000081E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1256-1076-0x0000000008200000-0x0000000008250000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1256-1077-0x0000000008280000-0x0000000008442000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1256-1078-0x0000000008450000-0x000000000897C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1256-1079-0x0000000006A40000-0x0000000006A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2944-1086-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2944-1087-0x0000000005A20000-0x0000000005A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2944-1089-0x0000000005A20000-0x0000000005A30000-memory.dmp

      Filesize

      64KB

      Download