Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    948d20d23b4d9dfdc66cb4e715c0dcf82c15830517946225e55d9253467f8682.exe

  • Size

    538KB

  • MD5

    e2260b7168ba8118a059853ecf094425

  • SHA1

    78bc1408535e01beb53b1c5f5106204006d0370c

  • SHA256

    948d20d23b4d9dfdc66cb4e715c0dcf82c15830517946225e55d9253467f8682

  • SHA512

    9e55a7b85453b39aa8cccb94585f3081360b86c5cf7d05505b052d8f00fd6a2ee28c1e663b1ca746a7da3a33a0283f18a44b4f6d70f06d87c4a8e6e4195fecd3

  • SSDEEP

    12288:0MrDy90GpVP1yygCq94SjABX1qphe4URtTo:HyNpVPTgCq6S8qpU3o

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\948d20d23b4d9dfdc66cb4e715c0dcf82c15830517946225e55d9253467f8682.exe
    "C:\Users\Admin\AppData\Local\Temp\948d20d23b4d9dfdc66cb4e715c0dcf82c15830517946225e55d9253467f8682.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJN2878.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJN2878.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr807953.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr807953.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:464
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku506008.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku506008.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1800
          4⤵
          • Program crash
          PID:3344
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr609651.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr609651.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2516 -ip 2516
    1⤵
      PID:2812

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr609651.exe
      Filesize

      175KB

      MD5

      bd754101b178f5dcb67f47eff40887f0

      SHA1

      ba8b8de34afc48f2e9557482fb2096887b5a341e

      SHA256

      1086e0b6d21a4450b133598c6e6e096db654257b851b003558b9abeafa2b1355

      SHA512

      d965e6fa93f1f89a90a74fb58c43e7f4ecbf826fe67b65bdbdad73fa940d326af353aebebd5877a9e4b392c88e539a234a8a8f032c72553cab2070c6dda79723

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr609651.exe
      Filesize

      175KB

      MD5

      bd754101b178f5dcb67f47eff40887f0

      SHA1

      ba8b8de34afc48f2e9557482fb2096887b5a341e

      SHA256

      1086e0b6d21a4450b133598c6e6e096db654257b851b003558b9abeafa2b1355

      SHA512

      d965e6fa93f1f89a90a74fb58c43e7f4ecbf826fe67b65bdbdad73fa940d326af353aebebd5877a9e4b392c88e539a234a8a8f032c72553cab2070c6dda79723

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJN2878.exe
      Filesize

      395KB

      MD5

      3c78ab44427fe003ed08c0d36c71e67c

      SHA1

      3ccc9c5eb16cd0ae99fc461515e2e3acb2bccde7

      SHA256

      5c47949b52b06671e9962b8b5033e5ec7dd82e8ccbf8fff354c932ccf5846116

      SHA512

      82380a6cb6a1ed8436e9041a9a417142ab5f3c937efc3c5668389cdc55cd787861e7e72d93b29e089f6b99ad50307d2d24a187aa7d2743506c5731e8723906a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJN2878.exe
      Filesize

      395KB

      MD5

      3c78ab44427fe003ed08c0d36c71e67c

      SHA1

      3ccc9c5eb16cd0ae99fc461515e2e3acb2bccde7

      SHA256

      5c47949b52b06671e9962b8b5033e5ec7dd82e8ccbf8fff354c932ccf5846116

      SHA512

      82380a6cb6a1ed8436e9041a9a417142ab5f3c937efc3c5668389cdc55cd787861e7e72d93b29e089f6b99ad50307d2d24a187aa7d2743506c5731e8723906a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr807953.exe
      Filesize

      13KB

      MD5

      35aa4cf38a3045ec7dcc423ae73cca96

      SHA1

      ecaed7bbcc81c11fc8b85f9063a944904dd6bcde

      SHA256

      92ada96e3d008531b6953d2e5b1cc9660538b550ebb5fcc39c3f8f1244993fd8

      SHA512

      eccbbeb0d81d34a0e553b10eadb9feac831b41d5bbe5107cc4df98452cbd175b0f3808b6c54a91b63e4c2249e147cfa11272576f4aaa9decd77c7ee14149283e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr807953.exe
      Filesize

      13KB

      MD5

      35aa4cf38a3045ec7dcc423ae73cca96

      SHA1

      ecaed7bbcc81c11fc8b85f9063a944904dd6bcde

      SHA256

      92ada96e3d008531b6953d2e5b1cc9660538b550ebb5fcc39c3f8f1244993fd8

      SHA512

      eccbbeb0d81d34a0e553b10eadb9feac831b41d5bbe5107cc4df98452cbd175b0f3808b6c54a91b63e4c2249e147cfa11272576f4aaa9decd77c7ee14149283e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku506008.exe
      Filesize

      353KB

      MD5

      1a7fcd9d4ff1200c0c298735b2acb4ca

      SHA1

      53d14c881edaaeb793bf350036464af35383c98a

      SHA256

      33aa824cd22fcdd347b5753e06953459ce27681374014df3a2c295b882983cee

      SHA512

      39b91a93dcfd7be4ded352a59039f5af51a511abe372cd9e63e2172c4c6df54a1a48ab94e7dec72b4e6d6bd434ef15833782de5e73c173b44255dc7f7ac8546b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku506008.exe
      Filesize

      353KB

      MD5

      1a7fcd9d4ff1200c0c298735b2acb4ca

      SHA1

      53d14c881edaaeb793bf350036464af35383c98a

      SHA256

      33aa824cd22fcdd347b5753e06953459ce27681374014df3a2c295b882983cee

      SHA512

      39b91a93dcfd7be4ded352a59039f5af51a511abe372cd9e63e2172c4c6df54a1a48ab94e7dec72b4e6d6bd434ef15833782de5e73c173b44255dc7f7ac8546b

      Download Submit

    • memory/464-147-0x0000000000900000-0x000000000090A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1540-1086-0x0000000000270000-0x00000000002A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1540-1087-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1540-1088-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-189-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-203-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-156-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-157-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-158-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-159-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-161-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-163-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-165-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-167-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-169-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-171-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-173-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-175-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-177-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-179-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-181-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-183-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-185-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-187-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-154-0x0000000004F20000-0x00000000054C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2516-191-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-193-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-195-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-197-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-199-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-201-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-155-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-205-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-207-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-209-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-211-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-213-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-215-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-217-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-219-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-221-0x0000000004E00000-0x0000000004E3F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2516-1064-0x00000000054D0000-0x0000000005AE8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2516-1065-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2516-1066-0x0000000005C00000-0x0000000005C12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2516-1067-0x0000000005C20000-0x0000000005C5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2516-1068-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-1070-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-1071-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-1072-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-1073-0x0000000005F00000-0x0000000005F92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2516-1074-0x0000000005FA0000-0x0000000006006000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2516-1075-0x0000000006900000-0x0000000006AC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2516-153-0x0000000000AF0000-0x0000000000B3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2516-1076-0x0000000006AE0000-0x000000000700C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2516-1077-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-1078-0x0000000007290000-0x0000000007306000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2516-1079-0x0000000007310000-0x0000000007360000-memory.dmp

      Filesize

      320KB

      Download