Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 17:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c143c819ee626f1eddd1f1123ee50959e1018f09f0520bb306dad4fa385e654.exe

  • Size

    536KB

  • MD5

    dd517fb70791391913f071f9f367ed03

  • SHA1

    64ef403426038958ee2ccf519efecf17836d4799

  • SHA256

    0c143c819ee626f1eddd1f1123ee50959e1018f09f0520bb306dad4fa385e654

  • SHA512

    e8faef5a2bacdb72302b9b57e50bbeb92db4c6646068f128d09bfecf31ddbbc9c1b5b767052d678784454e3440a03fd935d386d002b585fd99c3e0fd32daa3c8

  • SSDEEP

    6144:Kry+bnr+Fp0yN90QEsJwNPjOh+Pqnl+mu6cm+EnF0doaE29Ohsb8NswO2kaeX/6p:5MrZy90djbIzmL9DANRz9GyGMdUrAOO

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c143c819ee626f1eddd1f1123ee50959e1018f09f0520bb306dad4fa385e654.exe
    "C:\Users\Admin\AppData\Local\Temp\0c143c819ee626f1eddd1f1123ee50959e1018f09f0520bb306dad4fa385e654.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziik2448.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziik2448.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453833.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453833.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776257.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776257.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:556
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1328
          4⤵
          • Program crash
          PID:4500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr254724.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr254724.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 556 -ip 556
    1⤵
      PID:5044

    Network

    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      71.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      145.115.113.176.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      145.115.113.176.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.77.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.77.109.52.in-addr.arpa
      IN PTR
      Response
    • 117.18.232.240:80
      276 B
       6
    • 176.113.115.145:4125
      ku776257.exe
      2.0MB
       33.1kB
       1518
      674
    • 176.113.115.145:4125
      lr254724.exe
      2.1MB
       33.5kB
       1517
      660
    • 52.182.143.208:443
      322 B
       7
    • 117.18.232.240:80
      322 B
       7
    • 117.18.232.240:80
      322 B
       7
    • 173.223.113.164:443
      322 B
       7
    • 173.223.113.131:80
      322 B
       7
    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      71.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      71.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      145.115.113.176.in-addr.arpa
      dns
      74 B
       134 B
       1
      1

      DNS Request

      145.115.113.176.in-addr.arpa

    • 8.8.8.8:53
      2.77.109.52.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      2.77.109.52.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr254724.exe
      Filesize

      175KB

      MD5

      480a16635cd91aeeb7660139fe35eebb

      SHA1

      a387b08a45904b86f81a8b94c251f2ef50e9dd21

      SHA256

      a138a5669d5fad2449b2b0dcc79e66961b0d129fe2f861d7e9ebc08844c784b7

      SHA512

      f6e2cd3f1c0f4945b79248f06126f0e1002cfbbeba5e595739aec1027b510e1e9f038da4f8b8d41aed77ea77946f59b5ee3182457526d20b31542ebc2e4c4767

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr254724.exe
      Filesize

      175KB

      MD5

      480a16635cd91aeeb7660139fe35eebb

      SHA1

      a387b08a45904b86f81a8b94c251f2ef50e9dd21

      SHA256

      a138a5669d5fad2449b2b0dcc79e66961b0d129fe2f861d7e9ebc08844c784b7

      SHA512

      f6e2cd3f1c0f4945b79248f06126f0e1002cfbbeba5e595739aec1027b510e1e9f038da4f8b8d41aed77ea77946f59b5ee3182457526d20b31542ebc2e4c4767

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziik2448.exe
      Filesize

      394KB

      MD5

      54745737678657b7e761db79b876bea1

      SHA1

      fbd741f6637925c852a8e8c52c0092197da442d1

      SHA256

      655ea96e9be1fa521e32c1ad21b7982f860dd5fa1bd5a529e658c2ec311fa6ac

      SHA512

      6dd56eec0d7931053a84b9cd56c8aabf0ce997c571426890069c0ca42a87c4503ac24ec4b2ac3479fb6035274dffb5300197cbc020f4134766b7476fa8f53c5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziik2448.exe
      Filesize

      394KB

      MD5

      54745737678657b7e761db79b876bea1

      SHA1

      fbd741f6637925c852a8e8c52c0092197da442d1

      SHA256

      655ea96e9be1fa521e32c1ad21b7982f860dd5fa1bd5a529e658c2ec311fa6ac

      SHA512

      6dd56eec0d7931053a84b9cd56c8aabf0ce997c571426890069c0ca42a87c4503ac24ec4b2ac3479fb6035274dffb5300197cbc020f4134766b7476fa8f53c5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453833.exe
      Filesize

      13KB

      MD5

      c966c8b55b260dfdb3a4738d1099cd68

      SHA1

      92e22b5a11edb4034fc086cce18171ebe40905e7

      SHA256

      d6fde8a730932bbb4eabe230c48ad62033dd95cf03194e2876b3369ac53ab7c9

      SHA512

      a9bdeb275c357fa5fc680f056bb16a093e67d905105a4c1acdf76abc55bc29cef5373a462a9cd02747e8fa669b59dd6bc82eae077f2cd8def1519b8aef95d7c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr453833.exe
      Filesize

      13KB

      MD5

      c966c8b55b260dfdb3a4738d1099cd68

      SHA1

      92e22b5a11edb4034fc086cce18171ebe40905e7

      SHA256

      d6fde8a730932bbb4eabe230c48ad62033dd95cf03194e2876b3369ac53ab7c9

      SHA512

      a9bdeb275c357fa5fc680f056bb16a093e67d905105a4c1acdf76abc55bc29cef5373a462a9cd02747e8fa669b59dd6bc82eae077f2cd8def1519b8aef95d7c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776257.exe
      Filesize

      353KB

      MD5

      28c7e291e5985b356a7333e926193f1f

      SHA1

      97856059f3bd9db78d1edff05da18be3961ad596

      SHA256

      d1cba10b9bf7faed28c9693eeaedef881569414537733215076a483fa402871b

      SHA512

      e79d785fb93d85ad01175a7309c43a2c5294d5402bad36e5ef9758d4b2c03af6a616271b689b2049695a24a846a00158d2172c55787f5dd2b5b7bc8b0a751de3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776257.exe
      Filesize

      353KB

      MD5

      28c7e291e5985b356a7333e926193f1f

      SHA1

      97856059f3bd9db78d1edff05da18be3961ad596

      SHA256

      d1cba10b9bf7faed28c9693eeaedef881569414537733215076a483fa402871b

      SHA512

      e79d785fb93d85ad01175a7309c43a2c5294d5402bad36e5ef9758d4b2c03af6a616271b689b2049695a24a846a00158d2172c55787f5dd2b5b7bc8b0a751de3

      Download Submit

    • memory/556-153-0x0000000004E00000-0x00000000053A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/556-154-0x0000000002440000-0x000000000248B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/556-156-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-155-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-157-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-158-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-161-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-159-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-163-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-165-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-167-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-169-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-171-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-173-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-175-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-177-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-179-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-181-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-183-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-185-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-187-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-191-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-189-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-193-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-195-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-197-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-199-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-201-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-203-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-205-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-207-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-209-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-211-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-213-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-215-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-217-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-219-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-221-0x0000000004DB0000-0x0000000004DEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/556-1064-0x0000000005550000-0x0000000005B68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/556-1065-0x0000000005BF0000-0x0000000005CFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/556-1066-0x0000000005D30000-0x0000000005D42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/556-1067-0x0000000005D50000-0x0000000005D8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/556-1068-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-1070-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-1071-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-1072-0x0000000006040000-0x00000000060A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/556-1073-0x0000000006700000-0x0000000006792000-memory.dmp

      Filesize

      584KB

      Download

    • memory/556-1074-0x0000000006800000-0x00000000069C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/556-1075-0x00000000069D0000-0x0000000006EFC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/556-1076-0x0000000007270000-0x00000000072E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/556-1077-0x0000000007300000-0x0000000007350000-memory.dmp

      Filesize

      320KB

      Download

    • memory/556-1078-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4292-1084-0x0000000000470000-0x00000000004A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4292-1085-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4308-147-0x0000000000350000-0x000000000035A000-memory.dmp

      Filesize

      40KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.