Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/05/2023, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe

  • Size

    566KB

  • MD5

    417506a7d99eb6b7e08667a2e42a4568

  • SHA1

    f338f6a5d2a1eb66effd8c799b4aead5d96a8c29

  • SHA256

    099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809

  • SHA512

    099973cb02835cf9d73fb12e1a03a97c59de1fb66c46c9de5fd7409537f87e9e09181c2a4441590c296c70775e4fb84e0f1b4f70265549e88634af35feeb14cf

  • SSDEEP

    12288:kMrTy90VDzI7Zk1tUqlG3Rd/WKHX2C7OzjY9:fy0zI7ZkkJT/WdCt9

Score
10/10
redlinedarmdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe
    "C:\Users\Admin\AppData\Local\Temp\099cb9c1363c3e6efec1b9eb9f1e4a2681a7adb4d88b966d32026ab2dcb2e809.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8051432.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8051432.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3015004.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3015004.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2539626.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2539626.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6723470.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6723470.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:2052
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 616
        3⤵
        • Program crash
        PID:3560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 696
        3⤵
        • Program crash
        PID:3980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 836
        3⤵
        • Program crash
        PID:3724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 844
        3⤵
        • Program crash
        PID:3684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 872
        3⤵
        • Program crash
        PID:340
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 848
        3⤵
        • Program crash
        PID:228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1128
        3⤵
        • Program crash
        PID:1256
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1152
        3⤵
        • Program crash
        PID:2428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1180
        3⤵
        • Program crash
        PID:3296

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6723470.exe
    Filesize

    268KB

    MD5

    d48f3c9103f4936284248ccdd29c0d3c

    SHA1

    87246492bb7e7385bd472e0120398f16eae2fc50

    SHA256

    76792c8abdc345ba6147fa23d58a23ffbba4e442b9a9969819806d7d6b07bc1a

    SHA512

    eddd48e28ac3a0eadb0ebf441ca513cfb9bc4fff07ba7353bae0416d8eabc90a2625268d46fc466f5e4492a5f58239036548d592b3550e82ff80af96da9eb380

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6723470.exe
    Filesize

    268KB

    MD5

    d48f3c9103f4936284248ccdd29c0d3c

    SHA1

    87246492bb7e7385bd472e0120398f16eae2fc50

    SHA256

    76792c8abdc345ba6147fa23d58a23ffbba4e442b9a9969819806d7d6b07bc1a

    SHA512

    eddd48e28ac3a0eadb0ebf441ca513cfb9bc4fff07ba7353bae0416d8eabc90a2625268d46fc466f5e4492a5f58239036548d592b3550e82ff80af96da9eb380

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8051432.exe
    Filesize

    307KB

    MD5

    61de670f06cf13f0b881ffc5635a737f

    SHA1

    d1cda566865b6a2db5230b6fce7b166b4e52e360

    SHA256

    4a5005e7064cf4eebb18c63fd71e68b571ea70ff1fbb85d6fe48d0960317d198

    SHA512

    646403e498c08f64e456bd89b7cc8e898ab872bb075019ac6c64b1cf59eecc705cd536c5a371e687c663abef7186f288d85afebd1aab8fdb87ff510fcdfd44ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8051432.exe
    Filesize

    307KB

    MD5

    61de670f06cf13f0b881ffc5635a737f

    SHA1

    d1cda566865b6a2db5230b6fce7b166b4e52e360

    SHA256

    4a5005e7064cf4eebb18c63fd71e68b571ea70ff1fbb85d6fe48d0960317d198

    SHA512

    646403e498c08f64e456bd89b7cc8e898ab872bb075019ac6c64b1cf59eecc705cd536c5a371e687c663abef7186f288d85afebd1aab8fdb87ff510fcdfd44ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3015004.exe
    Filesize

    168KB

    MD5

    762b3d6e795e9cc5ac86aff217a6b7b2

    SHA1

    9e1e73cc2982198bd4a2863e565cb4362a6ca90c

    SHA256

    df67db6fb21a3b0d13fe1b15e0b90383e35cb2ee0c7b2232e67b49a0656a718d

    SHA512

    f70f4875940409329658734c41c973c8cc80295cb4ba65244c5475d484b8dee185a55dedddc415f26495d05d227a956b142827af976edc3e2c041909a4616e4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3015004.exe
    Filesize

    168KB

    MD5

    762b3d6e795e9cc5ac86aff217a6b7b2

    SHA1

    9e1e73cc2982198bd4a2863e565cb4362a6ca90c

    SHA256

    df67db6fb21a3b0d13fe1b15e0b90383e35cb2ee0c7b2232e67b49a0656a718d

    SHA512

    f70f4875940409329658734c41c973c8cc80295cb4ba65244c5475d484b8dee185a55dedddc415f26495d05d227a956b142827af976edc3e2c041909a4616e4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2539626.exe
    Filesize

    178KB

    MD5

    d79f7557142419e9ea6fccc0b386d869

    SHA1

    9d75c99c3538adc831f3cace4a0b4319c5a78c2b

    SHA256

    b755974ed8a0cbc51e04501f5a6b752803dac2068471eb133f9f4219c36907f3

    SHA512

    412e433a29780f2ae9d1c484124e137f84787ad29fd8c779f976ff131b68bb0e479673972145e3501ad27d7f60a1e9f2382ddcbe311a45e63dc0237799c06a8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2539626.exe
    Filesize

    178KB

    MD5

    d79f7557142419e9ea6fccc0b386d869

    SHA1

    9d75c99c3538adc831f3cace4a0b4319c5a78c2b

    SHA256

    b755974ed8a0cbc51e04501f5a6b752803dac2068471eb133f9f4219c36907f3

    SHA512

    412e433a29780f2ae9d1c484124e137f84787ad29fd8c779f976ff131b68bb0e479673972145e3501ad27d7f60a1e9f2382ddcbe311a45e63dc0237799c06a8a

    Download Submit

  • memory/396-175-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-180-0x0000000002510000-0x0000000002520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/396-183-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-184-0x0000000002510000-0x0000000002520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/396-186-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-179-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-182-0x0000000002510000-0x0000000002520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/396-177-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-173-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-171-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-169-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-167-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-165-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-154-0x00000000022A0000-0x00000000022BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/396-155-0x00000000024C0000-0x00000000024D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/396-156-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-157-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-159-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-161-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-163-0x00000000024C0000-0x00000000024D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2052-192-0x00000000006D0000-0x0000000000705000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2052-193-0x0000000000400000-0x00000000006C4000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3960-140-0x0000000004990000-0x00000000049CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3960-144-0x0000000004F00000-0x0000000004F92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3960-147-0x0000000005AB0000-0x0000000005B00000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3960-137-0x0000000005150000-0x0000000005756000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3960-146-0x0000000006170000-0x000000000666E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3960-145-0x0000000004E60000-0x0000000004EC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3960-138-0x0000000004C50000-0x0000000004D5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3960-148-0x0000000006670000-0x0000000006832000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3960-143-0x0000000004DE0000-0x0000000004E56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3960-142-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-141-0x00000000049D0000-0x0000000004A1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3960-136-0x0000000002460000-0x0000000002466000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3960-135-0x0000000000100000-0x0000000000130000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3960-149-0x00000000083F0000-0x000000000891C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3960-139-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

    Download