Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86489bbc98dbc75db70aa76557027e893dd85a7b53f538f8c41281cb3475254b.exe

  • Size

    536KB

  • MD5

    3f51ef96a0e45e54705191e435cc35a8

  • SHA1

    d1486f9f785a3033277314d5a24d6729112bd4e3

  • SHA256

    86489bbc98dbc75db70aa76557027e893dd85a7b53f538f8c41281cb3475254b

  • SHA512

    7a335682bb4e5984dc2dee7c57e4615657c011b441941e702377e98be46c1174c4e04939f978f06d777cf6186a787aa5d8ff93220b204b3607c30eef8f6a78d6

  • SSDEEP

    12288:tMruy90I/SA93FE3EhyDQNbzeHScLEl0TeWMk:XyT3FdyQNbJcC0dH

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86489bbc98dbc75db70aa76557027e893dd85a7b53f538f8c41281cb3475254b.exe
    "C:\Users\Admin\AppData\Local\Temp\86489bbc98dbc75db70aa76557027e893dd85a7b53f538f8c41281cb3475254b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiB9791.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiB9791.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr041762.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr041762.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku073245.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku073245.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1360
          4⤵
          • Program crash
          PID:1876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr965445.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr965445.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2472 -ip 2472
    1⤵
      PID:1376

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr965445.exe
      Filesize

      175KB

      MD5

      d27a7f290deb6580892af177bd22c808

      SHA1

      f43d00b8513001127ed103ae93e31317f90c6751

      SHA256

      d51e90103f2b8e5cd5aced604d1778fbfc0560c46ded50e9c06829d098f24927

      SHA512

      7d9f90b18ede6f89708408dcb43e493add83517ee68a76fb129628c149974ec23a724ad7ded79c358ddd18a02f7ed2a6c6d169a877e9e5ca75633d4345bdf2b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr965445.exe
      Filesize

      175KB

      MD5

      d27a7f290deb6580892af177bd22c808

      SHA1

      f43d00b8513001127ed103ae93e31317f90c6751

      SHA256

      d51e90103f2b8e5cd5aced604d1778fbfc0560c46ded50e9c06829d098f24927

      SHA512

      7d9f90b18ede6f89708408dcb43e493add83517ee68a76fb129628c149974ec23a724ad7ded79c358ddd18a02f7ed2a6c6d169a877e9e5ca75633d4345bdf2b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiB9791.exe
      Filesize

      394KB

      MD5

      0d561247d4530e3ab57af36c3e17eb01

      SHA1

      93f517503b430e8d4bd977488c60db523f4f01b3

      SHA256

      1ab327a8f9fbd8125181951a998473473404154dcea1a7c5be39c3e028ae4712

      SHA512

      ea472b6aa40252f24ddaff6ccf4c1ebc7d1d737652d9d7a58f622dd11995b9a04b8cef53fd4a6a25dafeeef98236c9ab6f6eb68f49abf65ee31ccba9cdea9b60

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiB9791.exe
      Filesize

      394KB

      MD5

      0d561247d4530e3ab57af36c3e17eb01

      SHA1

      93f517503b430e8d4bd977488c60db523f4f01b3

      SHA256

      1ab327a8f9fbd8125181951a998473473404154dcea1a7c5be39c3e028ae4712

      SHA512

      ea472b6aa40252f24ddaff6ccf4c1ebc7d1d737652d9d7a58f622dd11995b9a04b8cef53fd4a6a25dafeeef98236c9ab6f6eb68f49abf65ee31ccba9cdea9b60

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr041762.exe
      Filesize

      13KB

      MD5

      4b6a1a2c1d47814b8d2cb15acdc2388b

      SHA1

      9b18a65e7ab6c4ee38bc438a6acc53ec5eb1353b

      SHA256

      8dba03ec5b19f7c241ed425a0c706952f55f6e83df7728f16822ba21d7477a3e

      SHA512

      328436785d1366d1e8e24e9ede70e2dc81987442d388cef8a9335cc2f4f8bee5e789c5e296c25b6495225c8356afb85b522a651f88005e369778d88e2bb14256

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr041762.exe
      Filesize

      13KB

      MD5

      4b6a1a2c1d47814b8d2cb15acdc2388b

      SHA1

      9b18a65e7ab6c4ee38bc438a6acc53ec5eb1353b

      SHA256

      8dba03ec5b19f7c241ed425a0c706952f55f6e83df7728f16822ba21d7477a3e

      SHA512

      328436785d1366d1e8e24e9ede70e2dc81987442d388cef8a9335cc2f4f8bee5e789c5e296c25b6495225c8356afb85b522a651f88005e369778d88e2bb14256

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku073245.exe
      Filesize

      353KB

      MD5

      6c5bf9d27765e855788aed9283ebe2ae

      SHA1

      d168df1a11b5534fd54317410f05501b49ee032e

      SHA256

      074364c7c5e7a3338df29f1030d08690a5a74f3467b6fc03fd8e411cdf6db77a

      SHA512

      deece57637e27d7fe7b191bb9254a7a98e25ee2a4e99a6ac4db6d65af4bef1bb64efcea2c86c6a3e9b4a39a1c679583d91c98cd5634ea31b492c8d2a2153371e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku073245.exe
      Filesize

      353KB

      MD5

      6c5bf9d27765e855788aed9283ebe2ae

      SHA1

      d168df1a11b5534fd54317410f05501b49ee032e

      SHA256

      074364c7c5e7a3338df29f1030d08690a5a74f3467b6fc03fd8e411cdf6db77a

      SHA512

      deece57637e27d7fe7b191bb9254a7a98e25ee2a4e99a6ac4db6d65af4bef1bb64efcea2c86c6a3e9b4a39a1c679583d91c98cd5634ea31b492c8d2a2153371e

      Download Submit

    • memory/1128-147-0x0000000000C80000-0x0000000000C8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1800-1085-0x0000000000800000-0x0000000000832000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1800-1086-0x0000000005460000-0x0000000005470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-185-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-197-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-155-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-156-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-157-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-158-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-159-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-161-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-163-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-165-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-167-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-169-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-171-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-173-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-175-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-177-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-179-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-181-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-183-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-153-0x0000000004E10000-0x00000000053B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2472-187-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-189-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-191-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-193-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-195-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-154-0x0000000000BF0000-0x0000000000C3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2472-199-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-201-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-205-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-203-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-207-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-209-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-211-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-213-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-215-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-217-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-219-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-221-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2472-1064-0x0000000005550000-0x0000000005B68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2472-1065-0x0000000005BF0000-0x0000000005CFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2472-1066-0x0000000005D30000-0x0000000005D42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2472-1067-0x0000000005D50000-0x0000000005D8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2472-1068-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-1070-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-1071-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-1072-0x0000000006040000-0x00000000060D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2472-1073-0x00000000060E0000-0x0000000006146000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2472-1074-0x00000000067E0000-0x0000000006856000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2472-1075-0x0000000006870000-0x00000000068C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2472-1076-0x0000000004E00000-0x0000000004E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2472-1077-0x0000000006D60000-0x0000000006F22000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2472-1078-0x0000000006F30000-0x000000000745C000-memory.dmp

      Filesize

      5.2MB

      Download