Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/07/2023, 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7e2c45eb1b73a2805d5f7f87a6084e7870c2fc828000896467813103779f9cb.exe

  • Size

    388KB

  • MD5

    81acafe2d5baa9e8f69a52d7970dd740

  • SHA1

    041f80993c89ae768cd772e96f4ac878f3fe5fe1

  • SHA256

    f7e2c45eb1b73a2805d5f7f87a6084e7870c2fc828000896467813103779f9cb

  • SHA512

    5dc9df4a2d924363ce63a5fca294cf07b7b030c6c7aa56850c1eb7d11f1e1151e6808bbfd071a1f07fa210255dddeda2441732a90767d8e133de1b5e9332b979

  • SSDEEP

    6144:KPy+bnr+Zp0yN90QE4hTCNupNfJDKmvR8GkqjESBBMy9yYHslPvc:ZMrxy90HcJDKmmHRS0Qbuvc

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7e2c45eb1b73a2805d5f7f87a6084e7870c2fc828000896467813103779f9cb.exe
    "C:\Users\Admin\AppData\Local\Temp\f7e2c45eb1b73a2805d5f7f87a6084e7870c2fc828000896467813103779f9cb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4289071.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4289071.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4729972.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4729972.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3280
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5206607.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5206607.exe
        3⤵
        • Executes dropped EXE
        PID:4944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4289071.exe
    Filesize

    206KB

    MD5

    140c31656c945076d109d15e253c7e08

    SHA1

    fa00cabf710a120e995c5557b9e184fd80232492

    SHA256

    c50f1efb76bf61fba7d3b69996a4b6b7f0c3136074ad1ee38ea447542135997a

    SHA512

    b6a2587c0f7f02ca6157809defb9fb5d939940001c1496a95fc63a058bb525c9139bbe675ee10a7a5ba006f609bc524dc8a4fac58f14451f2f8eba8f056c114e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4289071.exe
    Filesize

    206KB

    MD5

    140c31656c945076d109d15e253c7e08

    SHA1

    fa00cabf710a120e995c5557b9e184fd80232492

    SHA256

    c50f1efb76bf61fba7d3b69996a4b6b7f0c3136074ad1ee38ea447542135997a

    SHA512

    b6a2587c0f7f02ca6157809defb9fb5d939940001c1496a95fc63a058bb525c9139bbe675ee10a7a5ba006f609bc524dc8a4fac58f14451f2f8eba8f056c114e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4729972.exe
    Filesize

    13KB

    MD5

    07880433cf5ec67a682064b05f0617ef

    SHA1

    5763c2194843da8fee6c6fda9cb33176496cae75

    SHA256

    fc044dec4a2a9277ff74f5c4b174956a0a31e571ea41d4d6c676802819387cfa

    SHA512

    581c61173185ad8f9445a733ce68379841578040cc11406ea78e616804aebc406534fc0b5b5b3d1dd29029ef107ba7ac274ef4b77bcf366b40fa960856d18e9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4729972.exe
    Filesize

    13KB

    MD5

    07880433cf5ec67a682064b05f0617ef

    SHA1

    5763c2194843da8fee6c6fda9cb33176496cae75

    SHA256

    fc044dec4a2a9277ff74f5c4b174956a0a31e571ea41d4d6c676802819387cfa

    SHA512

    581c61173185ad8f9445a733ce68379841578040cc11406ea78e616804aebc406534fc0b5b5b3d1dd29029ef107ba7ac274ef4b77bcf366b40fa960856d18e9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5206607.exe
    Filesize

    175KB

    MD5

    b32d79e4ff4118d3fe58b72cdaa96cce

    SHA1

    7f90a7a1e3149e0ce3aae91960d2569aef0b44dc

    SHA256

    c04fa1f2923cfb1a8de4909af36c71a70e8e7fce1fb15f1b21da1833fe6f10a3

    SHA512

    be42ec78f8aa246d73d731de54e26fb5e1b8d128ca7ca8c594bac198d615437f5e7fd236c89b8697d82840aaca58943408c4b1a792105362f0773ff80ac96fbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5206607.exe
    Filesize

    175KB

    MD5

    b32d79e4ff4118d3fe58b72cdaa96cce

    SHA1

    7f90a7a1e3149e0ce3aae91960d2569aef0b44dc

    SHA256

    c04fa1f2923cfb1a8de4909af36c71a70e8e7fce1fb15f1b21da1833fe6f10a3

    SHA512

    be42ec78f8aa246d73d731de54e26fb5e1b8d128ca7ca8c594bac198d615437f5e7fd236c89b8697d82840aaca58943408c4b1a792105362f0773ff80ac96fbe

    Download Submit

  • memory/3280-147-0x0000000000D00000-0x0000000000D0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3280-150-0x00007FFD200E0000-0x00007FFD20BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3280-148-0x00007FFD200E0000-0x00007FFD20BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4944-154-0x00000000005B0000-0x00000000005E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4944-155-0x00000000744F0000-0x0000000074CA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4944-156-0x00000000056D0000-0x0000000005CE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4944-157-0x00000000051C0000-0x00000000052CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4944-159-0x00000000050A0000-0x00000000050B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-158-0x0000000005070000-0x0000000005082000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4944-160-0x00000000050F0000-0x000000000512C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4944-161-0x00000000744F0000-0x0000000074CA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4944-162-0x00000000050A0000-0x00000000050B0000-memory.dmp

    Filesize

    64KB

    Download