Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18c8890a0790d0bf85e1090ce81faa07488743045b6663e8e1ee681114d9e737.exe

  • Size

    522KB

  • MD5

    9cfb9d1071fc46b3560748ab3b711285

  • SHA1

    8f00593ea47f8dba5072fd246292a5bc612f32c6

  • SHA256

    18c8890a0790d0bf85e1090ce81faa07488743045b6663e8e1ee681114d9e737

  • SHA512

    0e8d958e4b1a39b2a29e9668116d1ae5a51726373fef3854d8f859b801ff6be3d3a4c2c5c65e8640ef778e05e44cd17269c6dc144b10d5f8d7dd4a913ae42758

  • SSDEEP

    12288:jMrty90ljvNtQGGvSxVK6q0PmHJRtSAlbTyzYrSP:KyujvNtQGhxI6q0Pgz1TyzdP

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c8890a0790d0bf85e1090ce81faa07488743045b6663e8e1ee681114d9e737.exe
    "C:\Users\Admin\AppData\Local\Temp\18c8890a0790d0bf85e1090ce81faa07488743045b6663e8e1ee681114d9e737.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuR5542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuR5542.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr303256.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr303256.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku547453.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku547453.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1332
          4⤵
          • Program crash
          PID:1276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr886411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr886411.exe
      2⤵
      • Executes dropped EXE
      PID:4400
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2844 -ip 2844
    1⤵
      PID:4560

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr886411.exe
      Filesize

      176KB

      MD5

      b103e3c00b6fc01803501daf7f16a04e

      SHA1

      a7fd0b847ca501f3fbd1c021158f6c06ef0a5ee8

      SHA256

      96b6caf238aeaddb269402c7c6920fb1a9f62e242ca14370d265e0ecc6c23ce3

      SHA512

      4cf5d70361239d0764a859b4ff4e2dc5d33c94dd2da618c1ca5f894fd623273e0a8a93bce2fb881825042806bc230dfe8348db7ecbaf9a28b6cd29577992a284

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuR5542.exe
      Filesize

      379KB

      MD5

      edb2f0860442acab778307b41bb891b5

      SHA1

      0ffe3c59d631f31084a2646d0d5cd4dd29fbd6da

      SHA256

      73943be20e501038ebd112a60c44040bd6e880efba55e12ee8598f7f4dedcaed

      SHA512

      65c342be3c82990fee71997607961b3514afe56d6bb66fbe0022c287f206a97f7f45744654b2741751d1742db0d6dd5bd33a90d7e991762dd4eb712733e69083

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuR5542.exe
      Filesize

      379KB

      MD5

      edb2f0860442acab778307b41bb891b5

      SHA1

      0ffe3c59d631f31084a2646d0d5cd4dd29fbd6da

      SHA256

      73943be20e501038ebd112a60c44040bd6e880efba55e12ee8598f7f4dedcaed

      SHA512

      65c342be3c82990fee71997607961b3514afe56d6bb66fbe0022c287f206a97f7f45744654b2741751d1742db0d6dd5bd33a90d7e991762dd4eb712733e69083

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr303256.exe
      Filesize

      14KB

      MD5

      94099b28a1a6b974ca178f8265524172

      SHA1

      310b0d5d4cacbeef4ce7f79b1a17ecf1715ec89b

      SHA256

      06dca6cf47bb5b83a6001b08b64142b9d7c6164ffe9f72cfaed1de408d343e62

      SHA512

      222f32c3f7e74ee44b04d16dcf343e7c74389abc15ddd1401cd62796bf750bbef3962ed5cf552e9b69fb47aeb38d7a59d7f56a4084074243189c2bf543f38fcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr303256.exe
      Filesize

      14KB

      MD5

      94099b28a1a6b974ca178f8265524172

      SHA1

      310b0d5d4cacbeef4ce7f79b1a17ecf1715ec89b

      SHA256

      06dca6cf47bb5b83a6001b08b64142b9d7c6164ffe9f72cfaed1de408d343e62

      SHA512

      222f32c3f7e74ee44b04d16dcf343e7c74389abc15ddd1401cd62796bf750bbef3962ed5cf552e9b69fb47aeb38d7a59d7f56a4084074243189c2bf543f38fcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku547453.exe
      Filesize

      295KB

      MD5

      9d2d55413148acb1fb50862aa88dd399

      SHA1

      819c22e729e5da3c58a00fbffadf1335729b0a86

      SHA256

      ea53b858a7ad946c3cc0be6cc812179a7e4d4da3c147699a525113c88f208cc5

      SHA512

      6f8122ee6a24c1e08462561fe9af69ed54cf55f2ecefadc7e78cdd1d4d846e1edba88b049536b17efff6ed1f853bd7233a16323ef7832bc4da99c5cbc5074b59

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku547453.exe
      Filesize

      295KB

      MD5

      9d2d55413148acb1fb50862aa88dd399

      SHA1

      819c22e729e5da3c58a00fbffadf1335729b0a86

      SHA256

      ea53b858a7ad946c3cc0be6cc812179a7e4d4da3c147699a525113c88f208cc5

      SHA512

      6f8122ee6a24c1e08462561fe9af69ed54cf55f2ecefadc7e78cdd1d4d846e1edba88b049536b17efff6ed1f853bd7233a16323ef7832bc4da99c5cbc5074b59

      Download Submit

    • memory/2072-147-0x0000000000010000-0x000000000001A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2844-153-0x0000000000610000-0x000000000065B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2844-154-0x0000000004E60000-0x0000000005404000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2844-155-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-156-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-158-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-160-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-162-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-164-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-166-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-169-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-172-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-173-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-171-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-175-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-168-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-177-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-179-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-181-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-183-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-185-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-187-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-189-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-191-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-193-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-195-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-197-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-199-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-201-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-203-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-205-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-207-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-209-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-211-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-213-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-215-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-217-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-219-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-221-0x00000000027A0000-0x00000000027DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2844-1064-0x0000000005410000-0x0000000005A28000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2844-1065-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2844-1066-0x0000000004E00000-0x0000000004E12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2844-1067-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-1068-0x0000000005A30000-0x0000000005A6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2844-1070-0x0000000005CF0000-0x0000000005D56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2844-1071-0x00000000063A0000-0x0000000006432000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2844-1072-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-1074-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-1073-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-1075-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2844-1076-0x00000000065B0000-0x0000000006626000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2844-1077-0x0000000006640000-0x0000000006690000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2844-1078-0x0000000006810000-0x00000000069D2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2844-1079-0x00000000069E0000-0x0000000006F0C000-memory.dmp

      Filesize

      5.2MB

      Download