Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe

  • Size

    537KB

  • MD5

    dd093277d330325f17b6dfbd871a5978

  • SHA1

    0dd63d8e8f354967547b18d9f8b1287fbc2dd387

  • SHA256

    a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303

  • SHA512

    36f8eac1f028a0654dd122b1a4c99cac6886ded26c581907421a502caeb234effa463a92b77492afed00df1e580144d46c5fb14699324f9dfabf3be6e9f10590

  • SSDEEP

    12288:sMr6y90sX+IMHVhpKX5QNTz28I7Lz61ShnwLyLc:Gy5OhpYKNTm7yCwLgc

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe
    "C:\Users\Admin\AppData\Local\Temp\a2de5d8b8a7d94afcb2306580b0457719fe376ec3d51691da87527476fe5f303.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKK5821.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKK5821.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr158618.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr158618.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku215130.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku215130.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1636
          4⤵
          • Program crash
          PID:4844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr104805.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr104805.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2004 -ip 2004
    1⤵
      PID:1500

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr104805.exe
      Filesize

      175KB

      MD5

      108a4e38f44183679ef854dba2f70db0

      SHA1

      af791f8c9c24ad4bfecf5e8e211d0850e48460d6

      SHA256

      704491a698e542b47d3027e05f272589f87274b17059fa719ab1edd810ca8425

      SHA512

      da05eacf72d1cef0c4b6c52fc40cf674b9ee8af710d8259457684bff6df5342283ae5605a6a08fc30b8b186176d62121d8c999035c2c5d43a3be91ef8c245df9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr104805.exe
      Filesize

      175KB

      MD5

      108a4e38f44183679ef854dba2f70db0

      SHA1

      af791f8c9c24ad4bfecf5e8e211d0850e48460d6

      SHA256

      704491a698e542b47d3027e05f272589f87274b17059fa719ab1edd810ca8425

      SHA512

      da05eacf72d1cef0c4b6c52fc40cf674b9ee8af710d8259457684bff6df5342283ae5605a6a08fc30b8b186176d62121d8c999035c2c5d43a3be91ef8c245df9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKK5821.exe
      Filesize

      394KB

      MD5

      9827d53ef0e504a7eac4641e371707d2

      SHA1

      6fdbb93879e2103703688eaf384f04d9c5c076f9

      SHA256

      28d306963084391bb507cb09ebcbef4dd16ce85cd410828827b0bc01ae4da4c0

      SHA512

      92d08f77fe95e95fa67af5207b812352da6372190e1a45a98fde7af6137f35b4236ae6f28de6c7e84a9e1fda4c1c6d5f114dc7a6231390a9717e91ac37f70916

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKK5821.exe
      Filesize

      394KB

      MD5

      9827d53ef0e504a7eac4641e371707d2

      SHA1

      6fdbb93879e2103703688eaf384f04d9c5c076f9

      SHA256

      28d306963084391bb507cb09ebcbef4dd16ce85cd410828827b0bc01ae4da4c0

      SHA512

      92d08f77fe95e95fa67af5207b812352da6372190e1a45a98fde7af6137f35b4236ae6f28de6c7e84a9e1fda4c1c6d5f114dc7a6231390a9717e91ac37f70916

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr158618.exe
      Filesize

      13KB

      MD5

      31a98cf3f4bab812175b9e47683f6c0c

      SHA1

      a8babf91edc245bb2736f087105f546732eab145

      SHA256

      45b161f07233c7ca1102a61ef0ed5369de7e7894ac049a997792dfe5a56fb97b

      SHA512

      ebe6763f0e2e6c2543529572f5c043b032d7dade023de77093fd4ec8c1d42fc20a27a188821ada50eacda039a1cc4271b7da3fa53a8e2c4c6cc5e0ae35b4c20e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr158618.exe
      Filesize

      13KB

      MD5

      31a98cf3f4bab812175b9e47683f6c0c

      SHA1

      a8babf91edc245bb2736f087105f546732eab145

      SHA256

      45b161f07233c7ca1102a61ef0ed5369de7e7894ac049a997792dfe5a56fb97b

      SHA512

      ebe6763f0e2e6c2543529572f5c043b032d7dade023de77093fd4ec8c1d42fc20a27a188821ada50eacda039a1cc4271b7da3fa53a8e2c4c6cc5e0ae35b4c20e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku215130.exe
      Filesize

      353KB

      MD5

      f3a7c5b23c114a19ab41de8a5c6fb867

      SHA1

      789c4d88c49d4c6868a4984b9adddc52fe708472

      SHA256

      14ec403b545f89b29101a4f9603ea577b20c6a71c98c1cd6de526840432ccadd

      SHA512

      9fa1cc71f337ac1da68d630ebc6d0264486ce8ac95c1ec5005f0cbf4e94ef080e2775b10a92a82a389991e96d803a13e00cb97ad246e4bdf76c6885500e79c5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku215130.exe
      Filesize

      353KB

      MD5

      f3a7c5b23c114a19ab41de8a5c6fb867

      SHA1

      789c4d88c49d4c6868a4984b9adddc52fe708472

      SHA256

      14ec403b545f89b29101a4f9603ea577b20c6a71c98c1cd6de526840432ccadd

      SHA512

      9fa1cc71f337ac1da68d630ebc6d0264486ce8ac95c1ec5005f0cbf4e94ef080e2775b10a92a82a389991e96d803a13e00cb97ad246e4bdf76c6885500e79c5a

      Download Submit

    • memory/1324-147-0x00000000007F0000-0x00000000007FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2004-153-0x00000000024C0000-0x000000000250B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2004-154-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-155-0x0000000004E20000-0x00000000053C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2004-156-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-157-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-159-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-161-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-163-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-162-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-165-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-167-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-169-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-171-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-173-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-175-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-177-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-179-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-181-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-183-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-185-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-187-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-191-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-193-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-189-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-195-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-197-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-199-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-201-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-203-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-205-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-207-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-209-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-211-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-213-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-215-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-217-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-219-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-221-0x0000000002A90000-0x0000000002ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2004-1064-0x0000000005410000-0x0000000005A28000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2004-1065-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2004-1066-0x0000000005BF0000-0x0000000005C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2004-1067-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-1068-0x0000000005C10000-0x0000000005C4C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2004-1070-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-1071-0x0000000005F00000-0x0000000005F92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2004-1072-0x0000000005FA0000-0x0000000006006000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2004-1073-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-1074-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-1075-0x00000000067C0000-0x0000000006982000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2004-1076-0x00000000069A0000-0x0000000006ECC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2004-1077-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2004-1078-0x0000000007010000-0x0000000007086000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2004-1079-0x0000000007090000-0x00000000070E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2016-1085-0x0000000000FD0000-0x0000000001002000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2016-1086-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

      Filesize

      64KB

      Download