Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2023, 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b21817044d76f9017b81ad9f335c4800a18a0ced805ae79dbec64f98c18d86da.exe

  • Size

    718KB

  • MD5

    80e8e7557049a1602e6b5a7cbaf5a356

  • SHA1

    3fa3a3a65523b3870f65100724c324e79580f23d

  • SHA256

    b21817044d76f9017b81ad9f335c4800a18a0ced805ae79dbec64f98c18d86da

  • SHA512

    b1b477cadbcd26608c6ed2b866de10f591a5fd21d0d2cd7f72e8b28441364f9fc5ed4eaa9d888b4cea3938594a6f952ae2d67ba9ae0b18d5392fc23847cb3b4f

  • SSDEEP

    12288:kMrwy90o5MjjDAPLpXgR6TBp1aj7KeerrMGHPsus2XuDoVaCi6W9lYIy3K0iC303:UytADAPLpC6F3rr30usYu0RW9l1yaNb3

Score
10/10
redlinedoxadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

doxa

C2

83.97.73.129:19068

Attributes
  • auth_value

    8cf5ba009458c73b014353d79d8422c6

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b21817044d76f9017b81ad9f335c4800a18a0ced805ae79dbec64f98c18d86da.exe
    "C:\Users\Admin\AppData\Local\Temp\b21817044d76f9017b81ad9f335c4800a18a0ced805ae79dbec64f98c18d86da.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9321828.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9321828.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9627811.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9627811.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0027692.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0027692.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2836947.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2836947.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4688
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4740
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 140
              6⤵
              • Program crash
              PID:4360
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2647332.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2647332.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2958617.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2958617.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4688 -ip 4688
    1⤵
      PID:4992

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9321828.exe
      Filesize

      523KB

      MD5

      fd19716235e34625bc02c54640b3bbe2

      SHA1

      a2052806311ec1dd81230ec2da521e6d18ee32ad

      SHA256

      47ed0865b53f756c88471c065d71c6fa13b12b050024194f02fbc480fae53f96

      SHA512

      cc2a2fbcbf32f4447f556ac0296515c870653b32c12c8bba34cca76e3a9799c8fd019b4f35afb4c78c4d7cecc35aceae5ece1a7ebe905a62d34aaf382bec3309

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9321828.exe
      Filesize

      523KB

      MD5

      fd19716235e34625bc02c54640b3bbe2

      SHA1

      a2052806311ec1dd81230ec2da521e6d18ee32ad

      SHA256

      47ed0865b53f756c88471c065d71c6fa13b12b050024194f02fbc480fae53f96

      SHA512

      cc2a2fbcbf32f4447f556ac0296515c870653b32c12c8bba34cca76e3a9799c8fd019b4f35afb4c78c4d7cecc35aceae5ece1a7ebe905a62d34aaf382bec3309

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9627811.exe
      Filesize

      352KB

      MD5

      e45041c602dee01b3a96478a351ab96f

      SHA1

      5daf50a850f66ada145d5df92ad4d797569baa84

      SHA256

      d383d692d9e6a2c7c2ea526539e24d032f9dd4d4afc069878f97263203c3579c

      SHA512

      848c9589499c9a07151d027ff171d9fd184743f5c2b2fb2f1b056a319e6f86d2163c38e3a3ed03a124caf2d354439ce771c4c90d04910b4f252e98930156f3bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9627811.exe
      Filesize

      352KB

      MD5

      e45041c602dee01b3a96478a351ab96f

      SHA1

      5daf50a850f66ada145d5df92ad4d797569baa84

      SHA256

      d383d692d9e6a2c7c2ea526539e24d032f9dd4d4afc069878f97263203c3579c

      SHA512

      848c9589499c9a07151d027ff171d9fd184743f5c2b2fb2f1b056a319e6f86d2163c38e3a3ed03a124caf2d354439ce771c4c90d04910b4f252e98930156f3bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2958617.exe
      Filesize

      172KB

      MD5

      b0d48403cb0456c067ffc297e03097f1

      SHA1

      0fd778476a207d664975178fb6cf05c126838fd4

      SHA256

      b83c73f28721a75aebbc302273245b2001fce17caf5c1ab1707cd5ae8a042737

      SHA512

      2e8dee0f48be88b82cff707bfd48de222f613231ec9ce4e7657895b5124da4f679dfd1274290ad26cb4ed43846b9215c892ac33fbf1e3e28342f91d1e51ad674

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2958617.exe
      Filesize

      172KB

      MD5

      b0d48403cb0456c067ffc297e03097f1

      SHA1

      0fd778476a207d664975178fb6cf05c126838fd4

      SHA256

      b83c73f28721a75aebbc302273245b2001fce17caf5c1ab1707cd5ae8a042737

      SHA512

      2e8dee0f48be88b82cff707bfd48de222f613231ec9ce4e7657895b5124da4f679dfd1274290ad26cb4ed43846b9215c892ac33fbf1e3e28342f91d1e51ad674

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0027692.exe
      Filesize

      196KB

      MD5

      e70939478f7ffe2ea1ce3eeafb3d55f0

      SHA1

      27f61e70f30c32809d22a7b8288ef51843af46d8

      SHA256

      93838c13d66ef14e5dd00951008e8eefd2ffcc442920c1f120b193d7054946de

      SHA512

      f66e24892f9840aaeeeed99c81a5319725f6302dd9c7bc24e9eaff646c889c5226c1a93e04d648d576996290b69a6091cf0e5e651656f339dc43b5bee2deee02

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0027692.exe
      Filesize

      196KB

      MD5

      e70939478f7ffe2ea1ce3eeafb3d55f0

      SHA1

      27f61e70f30c32809d22a7b8288ef51843af46d8

      SHA256

      93838c13d66ef14e5dd00951008e8eefd2ffcc442920c1f120b193d7054946de

      SHA512

      f66e24892f9840aaeeeed99c81a5319725f6302dd9c7bc24e9eaff646c889c5226c1a93e04d648d576996290b69a6091cf0e5e651656f339dc43b5bee2deee02

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2836947.exe
      Filesize

      100KB

      MD5

      29588e0c17806cfb5d47192cb2e08c3e

      SHA1

      70ae8cf40c3941f8b0099d0879816905a941078a

      SHA256

      9d732bc31668f46e22de2ef7da219c0804df1580192b7576f8f6d0ba32284607

      SHA512

      8ea42e4ea77cab511c4353caebdebef3d184921aa414e180f46a3ea4c2dfeb671a1bf3b164cb534ebda5fb0dfac1a4eb6fd4f009f021843857cdce7efdaab89f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2836947.exe
      Filesize

      100KB

      MD5

      29588e0c17806cfb5d47192cb2e08c3e

      SHA1

      70ae8cf40c3941f8b0099d0879816905a941078a

      SHA256

      9d732bc31668f46e22de2ef7da219c0804df1580192b7576f8f6d0ba32284607

      SHA512

      8ea42e4ea77cab511c4353caebdebef3d184921aa414e180f46a3ea4c2dfeb671a1bf3b164cb534ebda5fb0dfac1a4eb6fd4f009f021843857cdce7efdaab89f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2647332.exe
      Filesize

      11KB

      MD5

      a5569b37458871722ce0ff1f5e954903

      SHA1

      a5675df2a5c6056b17247679d2521f0a3304a46c

      SHA256

      e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f

      SHA512

      ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2647332.exe
      Filesize

      11KB

      MD5

      a5569b37458871722ce0ff1f5e954903

      SHA1

      a5675df2a5c6056b17247679d2521f0a3304a46c

      SHA256

      e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f

      SHA512

      ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431

      Download Submit

    • memory/332-176-0x00000000002B0000-0x00000000002E0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/332-181-0x0000000004B40000-0x0000000004B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/332-189-0x0000000004B40000-0x0000000004B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/332-177-0x000000000A6F0000-0x000000000AD08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/332-178-0x000000000A230000-0x000000000A33A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/332-179-0x000000000A170000-0x000000000A182000-memory.dmp

      Filesize

      72KB

      Download

    • memory/332-180-0x000000000A1D0000-0x000000000A20C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/332-188-0x000000000B300000-0x000000000B350000-memory.dmp

      Filesize

      320KB

      Download

    • memory/332-182-0x000000000A4E0000-0x000000000A556000-memory.dmp

      Filesize

      472KB

      Download

    • memory/332-183-0x000000000ADB0000-0x000000000AE42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/332-184-0x000000000B400000-0x000000000B9A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/332-185-0x000000000AD10000-0x000000000AD76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/332-186-0x000000000B9B0000-0x000000000BB72000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/332-187-0x000000000C0B0000-0x000000000C5DC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1464-170-0x00000000009D0000-0x00000000009DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4740-162-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download