Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13/07/2023, 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe

  • Size

    1.5MB

  • MD5

    c9f56ff9bcae67e1879fdaa22980cb85

  • SHA1

    aa932f270120aef9484c0fa76829c464ccf8d418

  • SHA256

    f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899

  • SHA512

    70fb16a1be69c0ecc0a7a88a29b0a85402ce3f69cafdf9f74171342715f228ccb2abb55a1988f6e96ab81cc80e02dfd1a7e484c8d88133c62bc19e579faacece

  • SSDEEP

    24576:vyulD1s1/VtJmCwl3ZqvUZOjQgtqEfsVcbrH+d5h69S08FKrLYJmyBM1tj1LB:6ulD6rtM4MZOjLqsSE9S0G6EA

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe
    "C:\Users\Admin\AppData\Local\Temp\f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7272286.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7272286.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5225810.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5225810.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3268
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7711674.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7711674.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7859744.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7859744.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:428
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1912933.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1912933.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3948
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7142436.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7142436.exe
          4⤵
          • Executes dropped EXE
          PID:4960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    957779c42144282d8cd83192b8fbc7cf

    SHA1

    de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

    SHA256

    0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

    SHA512

    f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7272286.exe
    Filesize

    1.4MB

    MD5

    8d85b8b2e212ba0e9e8a49067877452b

    SHA1

    ed625b66ce1220aa5b0884d68494f9416166a70e

    SHA256

    00904074fb3a4a78fd37e015f87a3bcad4184fc06c0029a22e31fa531a7e31a6

    SHA512

    ec0fa132c3ec2fbc035647cfbf241f4a25cd692b33a917ec3919c652a671d9cad502f4947f4e84ef59731dc8d6517d77ddc03ac3636b02749c1855769fc17f57

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7272286.exe
    Filesize

    1.4MB

    MD5

    8d85b8b2e212ba0e9e8a49067877452b

    SHA1

    ed625b66ce1220aa5b0884d68494f9416166a70e

    SHA256

    00904074fb3a4a78fd37e015f87a3bcad4184fc06c0029a22e31fa531a7e31a6

    SHA512

    ec0fa132c3ec2fbc035647cfbf241f4a25cd692b33a917ec3919c652a671d9cad502f4947f4e84ef59731dc8d6517d77ddc03ac3636b02749c1855769fc17f57

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5225810.exe
    Filesize

    1.3MB

    MD5

    9cb2e9b47afa7c77d82f6bb32a4033aa

    SHA1

    d22331ad5865e21eeedcdcf47e5b98083821def6

    SHA256

    3cea5fa13b50064b7a4cfb3f43dd8895ca049d942757d528bf4219251ae0a55f

    SHA512

    34c80d26ea3708777c9dbec639cae6175802d34134b5399ece201cb2a1e45146b8ca1277fdb0197a7f29f8dd596c7dd6c30ed4257a85d8d2119fd417046348d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5225810.exe
    Filesize

    1.3MB

    MD5

    9cb2e9b47afa7c77d82f6bb32a4033aa

    SHA1

    d22331ad5865e21eeedcdcf47e5b98083821def6

    SHA256

    3cea5fa13b50064b7a4cfb3f43dd8895ca049d942757d528bf4219251ae0a55f

    SHA512

    34c80d26ea3708777c9dbec639cae6175802d34134b5399ece201cb2a1e45146b8ca1277fdb0197a7f29f8dd596c7dd6c30ed4257a85d8d2119fd417046348d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7142436.exe
    Filesize

    729KB

    MD5

    cee8283e74d3a3e2384b04557427a292

    SHA1

    6f2e16817c318d53833f6cd2d5be07f7832d9b60

    SHA256

    243f870c131c275a0e0af27e7db43dac7b5f65749d0cb4a20f7f2cb6e754db8a

    SHA512

    d847dfc6d580cb28815b23a0e4f6a626ee5567fb6267a3919c57da23486de87db67704fb5c2447f05b0d7189aac885884d4607ef108101b31e4d13ae81002963

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7142436.exe
    Filesize

    729KB

    MD5

    cee8283e74d3a3e2384b04557427a292

    SHA1

    6f2e16817c318d53833f6cd2d5be07f7832d9b60

    SHA256

    243f870c131c275a0e0af27e7db43dac7b5f65749d0cb4a20f7f2cb6e754db8a

    SHA512

    d847dfc6d580cb28815b23a0e4f6a626ee5567fb6267a3919c57da23486de87db67704fb5c2447f05b0d7189aac885884d4607ef108101b31e4d13ae81002963

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7711674.exe
    Filesize

    638KB

    MD5

    f594634eba6570dd1bf9c658f0c90fc0

    SHA1

    8ee1c41342e1f36c4ddee2c4aee827a52361b5d1

    SHA256

    58d89a6d3ba719378403f81582a301017d20fe4a172303f70891c89b4b62ffd8

    SHA512

    0ea306ae700b0392363b622f6a52ea4bd94801ce9e092592cc7c13497d9e978abe4f8398ad320aa1c2f02b669b8707a1e8ad94f434bbdb653ffdf8b6afd4d328

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7711674.exe
    Filesize

    638KB

    MD5

    f594634eba6570dd1bf9c658f0c90fc0

    SHA1

    8ee1c41342e1f36c4ddee2c4aee827a52361b5d1

    SHA256

    58d89a6d3ba719378403f81582a301017d20fe4a172303f70891c89b4b62ffd8

    SHA512

    0ea306ae700b0392363b622f6a52ea4bd94801ce9e092592cc7c13497d9e978abe4f8398ad320aa1c2f02b669b8707a1e8ad94f434bbdb653ffdf8b6afd4d328

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7859744.exe
    Filesize

    568KB

    MD5

    6eb993ed91252b889ebb2116805ee313

    SHA1

    49af4bd3586db7afd502ee7b6840aaca72cb932f

    SHA256

    683777470df68fde0136522d31d649e27d7079f3e6c88eeb8061cbd31c60385a

    SHA512

    53e4e4e6d10715bb4ce9e919196cd1a74981c201d239cc95295ffac75705c8e2ee1435917ac8bdfab54e84d9aeb5045dab9d3a6053399b17f4cc8c9966a2d54c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7859744.exe
    Filesize

    568KB

    MD5

    6eb993ed91252b889ebb2116805ee313

    SHA1

    49af4bd3586db7afd502ee7b6840aaca72cb932f

    SHA256

    683777470df68fde0136522d31d649e27d7079f3e6c88eeb8061cbd31c60385a

    SHA512

    53e4e4e6d10715bb4ce9e919196cd1a74981c201d239cc95295ffac75705c8e2ee1435917ac8bdfab54e84d9aeb5045dab9d3a6053399b17f4cc8c9966a2d54c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1912933.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1912933.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/428-157-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/428-154-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/428-153-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/428-149-0x00000000001E0000-0x00000000001EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/428-148-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3948-161-0x0000000000A10000-0x0000000000A1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3948-162-0x00007FFFF9EE0000-0x00007FFFFA8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3948-164-0x00007FFFF9EE0000-0x00007FFFFA8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4960-169-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4960-168-0x0000000000580000-0x00000000005B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4960-175-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4960-174-0x00000000023F0000-0x00000000023F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4960-176-0x0000000004C40000-0x0000000005246000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4960-177-0x0000000005250000-0x000000000535A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4960-178-0x00000000049B0000-0x00000000049C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4960-179-0x00000000049D0000-0x0000000004A0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4960-180-0x00000000053B0000-0x00000000053FB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4960-181-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download