Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2023, 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07c3c82edd5569661f983566b2208bf3c4e263e20c44c3ce27634c8db10f1d8e.exe

  • Size

    479KB

  • MD5

    c97c8971d5d18e8a914b3f5e00bd6eb5

  • SHA1

    e6b8196b368efc9b1ca0886a53c41bf0a8d3111b

  • SHA256

    07c3c82edd5569661f983566b2208bf3c4e263e20c44c3ce27634c8db10f1d8e

  • SHA512

    7ffb2153c1506246bd13e02232c3e2c3c7788ef51167c4c2924ad9fa02ec9c79f4205d0031429053417f21a9c12f5ad1e1700e50bfcb01b01327be3f8a645c2d

  • SSDEEP

    12288:gMrby90AhiWSk+tmeEBBRzf85GBEfNn1Unx6Du9d6:ryBwHkx+5fn18x3d6

Score
10/10
redlinedonadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dona

C2

217.196.96.101:4132

Attributes
  • auth_value

    9fbb198992bbc83a84ab1f21384813e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07c3c82edd5569661f983566b2208bf3c4e263e20c44c3ce27634c8db10f1d8e.exe
    "C:\Users\Admin\AppData\Local\Temp\07c3c82edd5569661f983566b2208bf3c4e263e20c44c3ce27634c8db10f1d8e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6315117.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6315117.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2731584.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2731584.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6375686.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6375686.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1478422.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1478422.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4040
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:372
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:1336
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:3332
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:2788
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:340
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\c3912af058" /P "Admin:N"
                    5⤵
                      PID:2660
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\c3912af058" /P "Admin:R" /E
                      5⤵
                        PID:2748
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                      4⤵
                      • Loads dropped DLL
                      PID:3744
              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:2140
              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:1972
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:2384

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1478422.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1478422.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6315117.exe
                Filesize

                307KB

                MD5

                fe35dcb9a401453be09fda899c2c0d4e

                SHA1

                9d4a67a60ccee947b79bd37030d25429c6450412

                SHA256

                7706f573cb7115bff5217c915c6f48c8556131718a612cedb90ae9c970e13240

                SHA512

                770df72f80e86a2d0c2ba0c128e8791f08deeddfb5907965d7add1919cb24bc7248eec795019a4d76d2d7c04d8300bf2797dc813774d2bf27f37b01ee5bbb3d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6315117.exe
                Filesize

                307KB

                MD5

                fe35dcb9a401453be09fda899c2c0d4e

                SHA1

                9d4a67a60ccee947b79bd37030d25429c6450412

                SHA256

                7706f573cb7115bff5217c915c6f48c8556131718a612cedb90ae9c970e13240

                SHA512

                770df72f80e86a2d0c2ba0c128e8791f08deeddfb5907965d7add1919cb24bc7248eec795019a4d76d2d7c04d8300bf2797dc813774d2bf27f37b01ee5bbb3d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2731584.exe
                Filesize

                179KB

                MD5

                3daa4e791107df7947a96d5aaedef9e6

                SHA1

                e3b5938c05371c89dd4fef16f95dd92f2bc9a58c

                SHA256

                a8498b29d3c7e29a9d7ee176c903fa01ed129de3719fac89482c126ff6d74b77

                SHA512

                4a45dcf03b22dd04338577effa8a81c10a211cf7f86af2c0e8d36d99ceaea1217a21c4179578cdedf8a34d84ee5871270c210436c6b9c1fab0eeae227d80f0eb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2731584.exe
                Filesize

                179KB

                MD5

                3daa4e791107df7947a96d5aaedef9e6

                SHA1

                e3b5938c05371c89dd4fef16f95dd92f2bc9a58c

                SHA256

                a8498b29d3c7e29a9d7ee176c903fa01ed129de3719fac89482c126ff6d74b77

                SHA512

                4a45dcf03b22dd04338577effa8a81c10a211cf7f86af2c0e8d36d99ceaea1217a21c4179578cdedf8a34d84ee5871270c210436c6b9c1fab0eeae227d80f0eb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6375686.exe
                Filesize

                168KB

                MD5

                4becba14a5004a15e5c0cd04975d3442

                SHA1

                db60be955678fbe7763ee8f5bbeb3f1d61f381c2

                SHA256

                5fd3b2232c4f378cf4a1e4748a9165f4af7aa801adcd9f260bf0bef146a65dd6

                SHA512

                e509ac20b4e43301df023fa5f017b33c3c34008c4112cb3abc75fd96479ba1a627df1c381ace6229ea797b4789f6ebb2dcbf6820f4080a1e7547b3775407f285

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6375686.exe
                Filesize

                168KB

                MD5

                4becba14a5004a15e5c0cd04975d3442

                SHA1

                db60be955678fbe7763ee8f5bbeb3f1d61f381c2

                SHA256

                5fd3b2232c4f378cf4a1e4748a9165f4af7aa801adcd9f260bf0bef146a65dd6

                SHA512

                e509ac20b4e43301df023fa5f017b33c3c34008c4112cb3abc75fd96479ba1a627df1c381ace6229ea797b4789f6ebb2dcbf6820f4080a1e7547b3775407f285

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                210KB

                MD5

                230e702c489479031dc14f914a0952b9

                SHA1

                56bc69f8a18b1fe9b02c57e44a987e8f60f22011

                SHA256

                f7e6ae2b7d0f197718468bddb19be7684f9991b5f4ecdecc368c9f286bd38df5

                SHA512

                b014f14e377e21c7230774c8f616c950a602a1dbbfcb6e05aa7911c114567bb4dc43c68ce42e9426c9df36cca4f5cca38efe06bcbe8aff693625f40029150e8f

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                Filesize

                162B

                MD5

                1b7c22a214949975556626d7217e9a39

                SHA1

                d01c97e2944166ed23e47e4a62ff471ab8fa031f

                SHA256

                340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                SHA512

                ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

                Download Submit

              • memory/2600-191-0x000000000BF70000-0x000000000C132000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/2600-190-0x000000000B4D0000-0x000000000B520000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2600-193-0x0000000004F00000-0x0000000004F10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2600-192-0x000000000C670000-0x000000000CB9C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/2600-189-0x000000000A850000-0x000000000A8B6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/2600-188-0x000000000A8F0000-0x000000000A982000-memory.dmp

                Filesize

                584KB

                Download

              • memory/2600-181-0x00000000005B0000-0x00000000005E0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/2600-182-0x000000000AAB0000-0x000000000B0C8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/2600-183-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2600-184-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2600-185-0x0000000004F00000-0x0000000004F10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2600-186-0x000000000A4D0000-0x000000000A50C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2600-187-0x000000000A7D0000-0x000000000A846000-memory.dmp

                Filesize

                472KB

                Download

              • memory/4904-160-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-158-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-172-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-166-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-176-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-174-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-164-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-162-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-170-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-156-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-168-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-154-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-152-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-150-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-149-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4904-148-0x0000000004A40000-0x0000000004FE4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4904-147-0x0000000004A30000-0x0000000004A40000-memory.dmp

                Filesize

                64KB

                Download