Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2023, 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6145f5d46faf2809cec9819624191c3740236e08e093c55ab3f4014ccc68828.exe

  • Size

    305KB

  • MD5

    fee4f2a8613a28fada7ebefdb5b211cc

  • SHA1

    4bc57126c80ff053d2fbad7bd4d0a23943364b43

  • SHA256

    d6145f5d46faf2809cec9819624191c3740236e08e093c55ab3f4014ccc68828

  • SHA512

    df883368a59c19e787f704ed8c593b3fb24547f62257903455f2bee5008b908af3bfca0ed1f51ec6baf243719d268abf62d7b131c13232bee9c30260b337efdf

  • SSDEEP

    6144:K6y+bnr+Pp0yN90QEQS/DXfmp3udzQTBmLqtlqcGQf3ot:CMrfy90fbXfBWTRsc3At

Score
10/10
redlinedolzevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dolz

C2

77.91.68.253:41783

Attributes
  • auth_value

    91a052e7685b96dcfc2defe95d9affb8

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6145f5d46faf2809cec9819624191c3740236e08e093c55ab3f4014ccc68828.exe
    "C:\Users\Admin\AppData\Local\Temp\d6145f5d46faf2809cec9819624191c3740236e08e093c55ab3f4014ccc68828.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3273790.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3273790.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2969267.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2969267.exe
      2⤵
      • Executes dropped EXE
      PID:4416

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3273790.exe
    Filesize

    184KB

    MD5

    4c94e0df16c58143287479c74f3e54e7

    SHA1

    f93129b20ac587e95b91f611d4c58b3005b140a9

    SHA256

    c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

    SHA512

    72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3273790.exe
    Filesize

    184KB

    MD5

    4c94e0df16c58143287479c74f3e54e7

    SHA1

    f93129b20ac587e95b91f611d4c58b3005b140a9

    SHA256

    c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

    SHA512

    72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2969267.exe
    Filesize

    145KB

    MD5

    c4586a7f23b2576679fdcccac16ac23b

    SHA1

    bab5e37bb9f59f1008becc1552c626ba58ff66aa

    SHA256

    f39c64b94f2f044b7444deb39b82aace41cc3e299171381ebedb22d7f3c879ff

    SHA512

    d12fedcc6467aac6dcc14885ab23ffcfc5d9d4890a0c790fdc399ffca832a79dfebb2078bdb295749474edad8bb221bb9c62024dd00b3f2d5482d5bc50379f58

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2969267.exe
    Filesize

    145KB

    MD5

    c4586a7f23b2576679fdcccac16ac23b

    SHA1

    bab5e37bb9f59f1008becc1552c626ba58ff66aa

    SHA256

    f39c64b94f2f044b7444deb39b82aace41cc3e299171381ebedb22d7f3c879ff

    SHA512

    d12fedcc6467aac6dcc14885ab23ffcfc5d9d4890a0c790fdc399ffca832a79dfebb2078bdb295749474edad8bb221bb9c62024dd00b3f2d5482d5bc50379f58

    Download Submit

  • memory/2080-148-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-166-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-144-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-146-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-142-0x0000000004A20000-0x0000000004A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-150-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-152-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-154-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-156-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-158-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-160-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-162-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-164-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-143-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-168-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-170-0x0000000002510000-0x0000000002526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2080-171-0x0000000004A20000-0x0000000004A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-172-0x0000000004A20000-0x0000000004A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-173-0x0000000004A20000-0x0000000004A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-141-0x0000000004A20000-0x0000000004A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-140-0x0000000004A30000-0x0000000004FD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4416-178-0x00000000004D0000-0x00000000004FA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4416-179-0x0000000005440000-0x0000000005A58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4416-180-0x0000000004F70000-0x000000000507A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4416-181-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4416-182-0x0000000004F00000-0x0000000004F3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4416-183-0x0000000005180000-0x0000000005190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4416-184-0x0000000005180000-0x0000000005190000-memory.dmp

    Filesize

    64KB

    Download