Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/07/2023, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff6e66003ed52c6be563ba7a8d6470735770135863e7ea3e6950b9883bdfc4bb.exe

  • Size

    388KB

  • MD5

    c7aabe1fbaa80e3159dbb6ef29396860

  • SHA1

    696e24c28afa08e6d1bd9b6745f4bff3846986c5

  • SHA256

    ff6e66003ed52c6be563ba7a8d6470735770135863e7ea3e6950b9883bdfc4bb

  • SHA512

    a5a84e0e8898937b0e8c285502717f157eac848d2bb35c8353d2b262c50892f86ea31d2209f188000846375d45872fdff238edb66d53ddba1372a50c5aba7a78

  • SSDEEP

    6144:KGy+bnr+wp0yN90QEawwwbwgaNmRAwcuQ9Ckz5o4QdUSI92P9JVyqMjD:OMroy908obwBsVm9CkzO4QdS9S9yz3

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff6e66003ed52c6be563ba7a8d6470735770135863e7ea3e6950b9883bdfc4bb.exe
    "C:\Users\Admin\AppData\Local\Temp\ff6e66003ed52c6be563ba7a8d6470735770135863e7ea3e6950b9883bdfc4bb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4566425.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4566425.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5519354.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5519354.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1873559.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1873559.exe
        3⤵
        • Executes dropped EXE
        PID:4888
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4566425.exe
    Filesize

    206KB

    MD5

    e92c953feb592ca494417cde1bcd7c96

    SHA1

    0b096e0544202b86febeaa2728a2f8629b6d81dc

    SHA256

    a9de4215188f8068550f7b8dad2d8fa16b0b0955d8334484595a7c7380a5877f

    SHA512

    ed642642e8e53efd01c3df4d0dd7a560c14bb2db60a24747d3f90ed91f58dc31216c2cbba56f63cceeb1f5bd83c37cad83438621fed3ed7ac893fe4971fd1af3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4566425.exe
    Filesize

    206KB

    MD5

    e92c953feb592ca494417cde1bcd7c96

    SHA1

    0b096e0544202b86febeaa2728a2f8629b6d81dc

    SHA256

    a9de4215188f8068550f7b8dad2d8fa16b0b0955d8334484595a7c7380a5877f

    SHA512

    ed642642e8e53efd01c3df4d0dd7a560c14bb2db60a24747d3f90ed91f58dc31216c2cbba56f63cceeb1f5bd83c37cad83438621fed3ed7ac893fe4971fd1af3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5519354.exe
    Filesize

    13KB

    MD5

    8821bd681adff271e2fe02785473b27f

    SHA1

    a657d6d4f82fdbf6b8898a62181fcd6f7c714835

    SHA256

    cdf3eb8d7ee92a665753e1ce8f8080a60f4c4c3d53baf6e59ea6977333bf16e6

    SHA512

    dd3e6157f8b368b798875254b2d218fbd3b7f810f7ff081a499f2ea5ccf21570a8b54dc4ffecb863c2cc930105c9cd065e5a032c236f402c9f9273174f90b011

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5519354.exe
    Filesize

    13KB

    MD5

    8821bd681adff271e2fe02785473b27f

    SHA1

    a657d6d4f82fdbf6b8898a62181fcd6f7c714835

    SHA256

    cdf3eb8d7ee92a665753e1ce8f8080a60f4c4c3d53baf6e59ea6977333bf16e6

    SHA512

    dd3e6157f8b368b798875254b2d218fbd3b7f810f7ff081a499f2ea5ccf21570a8b54dc4ffecb863c2cc930105c9cd065e5a032c236f402c9f9273174f90b011

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1873559.exe
    Filesize

    174KB

    MD5

    426e751b2f5357bc5286538b7cbad031

    SHA1

    6a6fb6f32b215ceec0bd84c9f5efa9c2a404efaf

    SHA256

    7229f2d05ef3b6b70184b91f0e52d4ee0c77f99ba4fa058b9fd32abb19c75229

    SHA512

    21d9903ae0b4fa7648e0e71b56610c08e5e39de95da986b5031bb4a198ea54375923c05b12f8b7da7dfc77f868c2b6969445b5999f92917c3972159a4b4517d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1873559.exe
    Filesize

    174KB

    MD5

    426e751b2f5357bc5286538b7cbad031

    SHA1

    6a6fb6f32b215ceec0bd84c9f5efa9c2a404efaf

    SHA256

    7229f2d05ef3b6b70184b91f0e52d4ee0c77f99ba4fa058b9fd32abb19c75229

    SHA512

    21d9903ae0b4fa7648e0e71b56610c08e5e39de95da986b5031bb4a198ea54375923c05b12f8b7da7dfc77f868c2b6969445b5999f92917c3972159a4b4517d0

    Download Submit

  • memory/216-147-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/216-150-0x00007FFA1A8B0000-0x00007FFA1B371000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/216-148-0x00007FFA1A8B0000-0x00007FFA1B371000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4888-154-0x00000000000E0000-0x0000000000110000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4888-155-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4888-156-0x0000000005010000-0x0000000005628000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4888-157-0x0000000004B30000-0x0000000004C3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4888-158-0x00000000048E0000-0x00000000048F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4888-159-0x0000000004A70000-0x0000000004A82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4888-160-0x0000000004AD0000-0x0000000004B0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4888-161-0x0000000074A70000-0x0000000075220000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4888-162-0x00000000048E0000-0x00000000048F0000-memory.dmp

    Filesize

    64KB

    Download