Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1de84a4a3b54cdf20bdcdaa05ef785f628536c302302db8430529a8dc20d6de6.exe

  • Size

    537KB

  • MD5

    74df1d10e0a2edb8eb8fb12a140508d1

  • SHA1

    99b578e09980d4d70d383709d8b5eaa01b551b58

  • SHA256

    1de84a4a3b54cdf20bdcdaa05ef785f628536c302302db8430529a8dc20d6de6

  • SHA512

    8fa145eebd8fca953c64051c9408793e40bc7179fe6362fbbe53d8b43635c53e05c8a742e283b81f0ed4618349b30b75f4e637e5f274479d6578e25864bd4cd7

  • SSDEEP

    12288:7MrPy90eRQSkD0TzYFJyU3SHRw+vNFAuNgv:oypRDy0TzCJyfxwMlgv

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1de84a4a3b54cdf20bdcdaa05ef785f628536c302302db8430529a8dc20d6de6.exe
    "C:\Users\Admin\AppData\Local\Temp\1de84a4a3b54cdf20bdcdaa05ef785f628536c302302db8430529a8dc20d6de6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimB6878.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimB6878.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732791.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732791.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku992175.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku992175.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1860
          4⤵
          • Program crash
          PID:4124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr480870.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr480870.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2868 -ip 2868
    1⤵
      PID:4772

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr480870.exe
      Filesize

      176KB

      MD5

      1df2b1229bf72cdc0d648bad263de4ee

      SHA1

      d7172fd421134b848874aa9892c21616d4e0e517

      SHA256

      cffb334c2265e3c1fb54642985eb5f156a60385c169300b5dda08c9ea8f62f6d

      SHA512

      8a1c1ef3744c009395e25be6ab491e4758081f46896c916ddd91b5c8f97cdd3d6fd875e815aec8eeef023160302e7d36675608c32e8fe9bc7953b6c1ce98ce14

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr480870.exe
      Filesize

      176KB

      MD5

      1df2b1229bf72cdc0d648bad263de4ee

      SHA1

      d7172fd421134b848874aa9892c21616d4e0e517

      SHA256

      cffb334c2265e3c1fb54642985eb5f156a60385c169300b5dda08c9ea8f62f6d

      SHA512

      8a1c1ef3744c009395e25be6ab491e4758081f46896c916ddd91b5c8f97cdd3d6fd875e815aec8eeef023160302e7d36675608c32e8fe9bc7953b6c1ce98ce14

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimB6878.exe
      Filesize

      395KB

      MD5

      a9e41029d38b1752553b940f30289d2b

      SHA1

      4865d2b5650df7f6d704e58ef3b2afc39c3bf27f

      SHA256

      b0642e4f7affec93b35367291c9d0edc21c4b4dadce465c38b25b678255ae274

      SHA512

      63abccc4c06dc6e7b46f79e1d5233f772d20c4de8ff7b84f247747b28f739609520a89576ad31fbb132cac56f08afa2c541ee408f6f8aabcacdbe8f16c83e05e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimB6878.exe
      Filesize

      395KB

      MD5

      a9e41029d38b1752553b940f30289d2b

      SHA1

      4865d2b5650df7f6d704e58ef3b2afc39c3bf27f

      SHA256

      b0642e4f7affec93b35367291c9d0edc21c4b4dadce465c38b25b678255ae274

      SHA512

      63abccc4c06dc6e7b46f79e1d5233f772d20c4de8ff7b84f247747b28f739609520a89576ad31fbb132cac56f08afa2c541ee408f6f8aabcacdbe8f16c83e05e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732791.exe
      Filesize

      14KB

      MD5

      fbbeeaf452b2aaf056d99b857152652c

      SHA1

      2266a11e07d641a5905671629b42ccf096af393f

      SHA256

      03ef53e9764d4355cfb393f08661a6fa10a93c34f8c998c385e69909e6761bbf

      SHA512

      a9ad955c68ebf4a237ef003c5bb35608fd1a2605ebeb07ae81a60e0064b5565457cecef837c3990a1e77e63976cd53e0d5bec7df2180548b444a153fcabd10b5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr732791.exe
      Filesize

      14KB

      MD5

      fbbeeaf452b2aaf056d99b857152652c

      SHA1

      2266a11e07d641a5905671629b42ccf096af393f

      SHA256

      03ef53e9764d4355cfb393f08661a6fa10a93c34f8c998c385e69909e6761bbf

      SHA512

      a9ad955c68ebf4a237ef003c5bb35608fd1a2605ebeb07ae81a60e0064b5565457cecef837c3990a1e77e63976cd53e0d5bec7df2180548b444a153fcabd10b5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku992175.exe
      Filesize

      352KB

      MD5

      2fde78b0da2668a9a43afe672503c036

      SHA1

      071172e4c18667afb2c12b176ece808c52d1a8de

      SHA256

      a6fd475231c243066546b4c08813da52a93d30960d91869082006c074c83a81b

      SHA512

      43ac36ff41832745dc534f0612a20dbafd0e5abb3f5964d679e6a166bac2deb1c80460d3186161dd68d5ecf71b3b08c2ddba59eddce73c91130e3feb24533cf4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku992175.exe
      Filesize

      352KB

      MD5

      2fde78b0da2668a9a43afe672503c036

      SHA1

      071172e4c18667afb2c12b176ece808c52d1a8de

      SHA256

      a6fd475231c243066546b4c08813da52a93d30960d91869082006c074c83a81b

      SHA512

      43ac36ff41832745dc534f0612a20dbafd0e5abb3f5964d679e6a166bac2deb1c80460d3186161dd68d5ecf71b3b08c2ddba59eddce73c91130e3feb24533cf4

      Download Submit

    • memory/2868-153-0x0000000004F40000-0x00000000054E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2868-154-0x0000000000970000-0x00000000009BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2868-155-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-156-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-157-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-158-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-161-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-159-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-163-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-165-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-167-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-169-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-171-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-173-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-175-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-177-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-179-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-181-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-183-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-185-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-187-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-189-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-191-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-193-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-195-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-197-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-199-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-201-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-203-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-205-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-207-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-209-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-211-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-213-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-215-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-217-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-219-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-221-0x0000000004DE0000-0x0000000004E1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2868-1064-0x00000000055F0000-0x0000000005C08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2868-1065-0x0000000005C10000-0x0000000005D1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2868-1066-0x0000000005D30000-0x0000000005D42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2868-1067-0x0000000005D50000-0x0000000005D8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2868-1068-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-1070-0x0000000006040000-0x00000000060D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2868-1071-0x00000000060E0000-0x0000000006146000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2868-1072-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-1073-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-1074-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2868-1075-0x0000000006910000-0x0000000006AD2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2868-1076-0x0000000006AE0000-0x000000000700C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2868-1077-0x00000000073D0000-0x0000000007446000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2868-1078-0x0000000007450000-0x00000000074A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2868-1079-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4448-147-0x0000000000230000-0x000000000023A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4496-1085-0x0000000000E10000-0x0000000000E42000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4496-1086-0x0000000005A50000-0x0000000005A60000-memory.dmp

      Filesize

      64KB

      Download