Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/07/2023, 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe

  • Size

    388KB

  • MD5

    081aa34584ccf14cfe7e13204c3c51ce

  • SHA1

    853ea4a09b55ae78fa0c8ead9d9ff38bfdc8dd39

  • SHA256

    a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11

  • SHA512

    5ef75468409d0da8e731927d17d6dc65ddc817cf8a70a6d467e84bfa731bf243a716981107613f58c2db5d53f89bd16942de136ff3b5878f1fe0e67aa8f77779

  • SSDEEP

    12288:IMrFy90ClQpjbsg8gC31HQ1F0bvmDJJlG:Ny6dsg8zvvkJo

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe
    "C:\Users\Admin\AppData\Local\Temp\a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0403562.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0403562.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7589776.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7589776.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1974942.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1974942.exe
        3⤵
        • Executes dropped EXE
        PID:4620

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0403562.exe
    Filesize

    206KB

    MD5

    e66a7d78e129e941c0073100b0cc2a12

    SHA1

    473caa3fac41462a03d91f87fdb609ad2d3ccfb5

    SHA256

    872cfba06ef9d824fd152905bcc6ea266af2e22e67979db8a0d84fdd02056ef3

    SHA512

    7a495862c1e4a5a388eba3eaa781c2dff9492a761d3e13a51abbeb9d6b7e6c3e67c4029a0b40bd1e6f77270bd2fbca8b71973c9ee64125701ac123b7d03be971

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0403562.exe
    Filesize

    206KB

    MD5

    e66a7d78e129e941c0073100b0cc2a12

    SHA1

    473caa3fac41462a03d91f87fdb609ad2d3ccfb5

    SHA256

    872cfba06ef9d824fd152905bcc6ea266af2e22e67979db8a0d84fdd02056ef3

    SHA512

    7a495862c1e4a5a388eba3eaa781c2dff9492a761d3e13a51abbeb9d6b7e6c3e67c4029a0b40bd1e6f77270bd2fbca8b71973c9ee64125701ac123b7d03be971

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7589776.exe
    Filesize

    13KB

    MD5

    b6a88159b05b2697b7c46e34d9c187a5

    SHA1

    ae52f547a3d318e23e4d2507fc67bf5bb35fe11a

    SHA256

    49ce2312bf7089f4789a87d689a9712896f4395ec2f6f5b88a802d3870444ace

    SHA512

    e15365d74ede0ad9ec7d58e0142b5db6d107a8732426f9662cf0698b3a692c8f01e041ceda638b06629b2c236d5baa39d8df72d5b5ee377f1945fc4d9021c978

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7589776.exe
    Filesize

    13KB

    MD5

    b6a88159b05b2697b7c46e34d9c187a5

    SHA1

    ae52f547a3d318e23e4d2507fc67bf5bb35fe11a

    SHA256

    49ce2312bf7089f4789a87d689a9712896f4395ec2f6f5b88a802d3870444ace

    SHA512

    e15365d74ede0ad9ec7d58e0142b5db6d107a8732426f9662cf0698b3a692c8f01e041ceda638b06629b2c236d5baa39d8df72d5b5ee377f1945fc4d9021c978

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1974942.exe
    Filesize

    174KB

    MD5

    fb1f78e07132a06bdc6132701d28d1f0

    SHA1

    169d4f7210cfd0791694aefa39374e1e937432e9

    SHA256

    2453a67b936cecb382f72ffb87719c5acdc2d884169737b59981540dfcd1e251

    SHA512

    b899751f2642d6631869c78d52d0b6acb8b89853780e8b939508995c15044b4341f36be37e4643280efee695d7ca5a320d805586086f20c9e387d5003b2afd53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1974942.exe
    Filesize

    174KB

    MD5

    fb1f78e07132a06bdc6132701d28d1f0

    SHA1

    169d4f7210cfd0791694aefa39374e1e937432e9

    SHA256

    2453a67b936cecb382f72ffb87719c5acdc2d884169737b59981540dfcd1e251

    SHA512

    b899751f2642d6631869c78d52d0b6acb8b89853780e8b939508995c15044b4341f36be37e4643280efee695d7ca5a320d805586086f20c9e387d5003b2afd53

    Download Submit

  • memory/4620-157-0x000000000AC60000-0x000000000B278000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4620-155-0x0000000074BC0000-0x0000000075370000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4620-156-0x0000000000830000-0x0000000000860000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4620-158-0x000000000A7E0000-0x000000000A8EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4620-159-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4620-160-0x000000000A720000-0x000000000A732000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4620-161-0x000000000A780000-0x000000000A7BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4620-162-0x0000000074BC0000-0x0000000075370000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4620-163-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-151-0x00007FFEE76D0000-0x00007FFEE8191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-149-0x00007FFEE76D0000-0x00007FFEE8191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-148-0x00007FFEE76D0000-0x00007FFEE8191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-147-0x0000000000F20000-0x0000000000F2A000-memory.dmp

    Filesize

    40KB

    Download