Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/07/2023, 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fee1eb5968e3ced545781f6ad295bf012a14306e0ad1b5393f88146436ecf7c1.exe

  • Size

    389KB

  • MD5

    aea66679bedcf753c13e13d8b210d83e

  • SHA1

    8c565f552097ebf3589a0343cd2e1372492c7edd

  • SHA256

    fee1eb5968e3ced545781f6ad295bf012a14306e0ad1b5393f88146436ecf7c1

  • SHA512

    b9d0cf08768b626bd1879f78adc74228e3d4f6bbe870dc42d4a829decd77721af38c7d49bc2513a3fa7ec80e606d8550460a0120ee861d0d0767d7b0d903ad07

  • SSDEEP

    6144:K/y+bnr+/p0yN90QEqxXVwV6Zz9Xr7vh259GZYX8cIa8otBj+cP7F7ak:BMr3y90YxlNzh5OF8wj9FN

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fee1eb5968e3ced545781f6ad295bf012a14306e0ad1b5393f88146436ecf7c1.exe
    "C:\Users\Admin\AppData\Local\Temp\fee1eb5968e3ced545781f6ad295bf012a14306e0ad1b5393f88146436ecf7c1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239763.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239763.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5308189.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5308189.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4892
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5966000.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5966000.exe
        3⤵
        • Executes dropped EXE
        PID:2604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239763.exe
    Filesize

    206KB

    MD5

    d20a962deaffa35b184a0a2ff637320f

    SHA1

    13e59193c83c236c34464fcf86420bcfc1e67389

    SHA256

    a6d10a0ab3351893463944e65f476128ea55bc2dde47b87b2159d34d8e51419d

    SHA512

    c587a19b852e62afc2a1e94d35d0b4a5ef6ec56d27ae8c366f599bcbb640503fba937d3ec4c96f5eebc2c9c5f78854828ee70b22b5de5965e123e6155d5940c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239763.exe
    Filesize

    206KB

    MD5

    d20a962deaffa35b184a0a2ff637320f

    SHA1

    13e59193c83c236c34464fcf86420bcfc1e67389

    SHA256

    a6d10a0ab3351893463944e65f476128ea55bc2dde47b87b2159d34d8e51419d

    SHA512

    c587a19b852e62afc2a1e94d35d0b4a5ef6ec56d27ae8c366f599bcbb640503fba937d3ec4c96f5eebc2c9c5f78854828ee70b22b5de5965e123e6155d5940c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5308189.exe
    Filesize

    13KB

    MD5

    c0ef296003c1a399aab119b5b787156d

    SHA1

    ce451d5e60d649d8cf78ae15ba7035bb14316f26

    SHA256

    5ad1e1e32f6142244ccac95e65976af46700f600678e13fd31eb6c2333deca78

    SHA512

    7a2d89ca6dd36e09b820d8cb04e18742e76f405620821d8e670d56afeb9b3b6258025d8e384f650775feefe62e3239ee605d0851433674dd89edd2159f21e53a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5308189.exe
    Filesize

    13KB

    MD5

    c0ef296003c1a399aab119b5b787156d

    SHA1

    ce451d5e60d649d8cf78ae15ba7035bb14316f26

    SHA256

    5ad1e1e32f6142244ccac95e65976af46700f600678e13fd31eb6c2333deca78

    SHA512

    7a2d89ca6dd36e09b820d8cb04e18742e76f405620821d8e670d56afeb9b3b6258025d8e384f650775feefe62e3239ee605d0851433674dd89edd2159f21e53a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5966000.exe
    Filesize

    174KB

    MD5

    c842d295a9da1ed85ea5b924c7709b2d

    SHA1

    79b640631d52cc4a8deda4cf7851188b52f5de85

    SHA256

    3caf0eb3982e9cb4b01f6cb789fac56edd99572e49050f8a53361f670079872b

    SHA512

    2594fba7798c1156bf6cdc70c5ecac63809519c435f27f99d1f67dbd2b85bcc7a71b01f0ae62b5ca2389141333349ff3c5e4f397467ebbb070dab517edf461ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5966000.exe
    Filesize

    174KB

    MD5

    c842d295a9da1ed85ea5b924c7709b2d

    SHA1

    79b640631d52cc4a8deda4cf7851188b52f5de85

    SHA256

    3caf0eb3982e9cb4b01f6cb789fac56edd99572e49050f8a53361f670079872b

    SHA512

    2594fba7798c1156bf6cdc70c5ecac63809519c435f27f99d1f67dbd2b85bcc7a71b01f0ae62b5ca2389141333349ff3c5e4f397467ebbb070dab517edf461ff

    Download Submit

  • memory/2604-157-0x0000000005A50000-0x0000000005B5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2604-154-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2604-155-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2604-156-0x0000000005F60000-0x0000000006578000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2604-158-0x00000000031E0000-0x00000000031F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2604-159-0x0000000005990000-0x00000000059A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2604-160-0x00000000059F0000-0x0000000005A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2604-161-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2604-162-0x00000000031E0000-0x00000000031F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-150-0x00007FFC1DED0000-0x00007FFC1E991000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4892-148-0x00007FFC1DED0000-0x00007FFC1E991000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4892-147-0x0000000000510000-0x000000000051A000-memory.dmp

    Filesize

    40KB

    Download