Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/07/2023, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c17a7b0af9751e9ab09b9f310ced898ffaaabac1b27cba0eacf98ff1e9e8221f.exe

  • Size

    389KB

  • MD5

    01e3a8c5b6c3afac4de6f92c0d3a7c25

  • SHA1

    18e4d2253bed0870dfe7a0748f870669da38d135

  • SHA256

    c17a7b0af9751e9ab09b9f310ced898ffaaabac1b27cba0eacf98ff1e9e8221f

  • SHA512

    8cc4b13224fc0e0d2b8ae51dd69bbcc5a81d587169c5d11c8aa85ffa1e81ed32ef0f1f8bf61699b9b9013f0c49afe19a11260cec20fdc2a7a4c80229fd8831ee

  • SSDEEP

    6144:K4y+bnr+Lp0yN90QEeDXB3hT7oRYIjDn5n0xEvm6SsgUExhhxSQQJx6AF6r:cMrXy908Db7ShWEvm6SDfhxSQYF6r

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c17a7b0af9751e9ab09b9f310ced898ffaaabac1b27cba0eacf98ff1e9e8221f.exe
    "C:\Users\Admin\AppData\Local\Temp\c17a7b0af9751e9ab09b9f310ced898ffaaabac1b27cba0eacf98ff1e9e8221f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5303535.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5303535.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0524550.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0524550.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5694036.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5694036.exe
        3⤵
        • Executes dropped EXE
        PID:2452

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5303535.exe
    Filesize

    206KB

    MD5

    ecc1a5905fd886150b04cd19d97b73e1

    SHA1

    782bd0c0f916dcafb0647a522e3b6defcc30692b

    SHA256

    98a8b3b9a7bc400da02c65699ea55b3ec5e29100ec5a8caef4e73255ce978790

    SHA512

    2a18faf1c95a7c96e36f82da66d750b565a83b90201efe710f8005d7f1168ac5e8caec64afddd7335f2e2994eec361d8dd310a31fabfbe064f5ab278920f75b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5303535.exe
    Filesize

    206KB

    MD5

    ecc1a5905fd886150b04cd19d97b73e1

    SHA1

    782bd0c0f916dcafb0647a522e3b6defcc30692b

    SHA256

    98a8b3b9a7bc400da02c65699ea55b3ec5e29100ec5a8caef4e73255ce978790

    SHA512

    2a18faf1c95a7c96e36f82da66d750b565a83b90201efe710f8005d7f1168ac5e8caec64afddd7335f2e2994eec361d8dd310a31fabfbe064f5ab278920f75b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0524550.exe
    Filesize

    14KB

    MD5

    03e8422d98728d6d615ebf69effb2a99

    SHA1

    0a6b795fd1937d4822f88d9eb63ffd045832f857

    SHA256

    7587c3810ddf28c777c44d57044ae877294f73e2c82dbf0cab1dbe2989b3439b

    SHA512

    8fa5c3360d26705adb3264a20e88dfb1f8a9c32a5a1fd5366e084e2b375cce86ace59dd6d0396ceb85384b12b5833abcda9e4d353528e2eea2956c68ae3a1234

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0524550.exe
    Filesize

    14KB

    MD5

    03e8422d98728d6d615ebf69effb2a99

    SHA1

    0a6b795fd1937d4822f88d9eb63ffd045832f857

    SHA256

    7587c3810ddf28c777c44d57044ae877294f73e2c82dbf0cab1dbe2989b3439b

    SHA512

    8fa5c3360d26705adb3264a20e88dfb1f8a9c32a5a1fd5366e084e2b375cce86ace59dd6d0396ceb85384b12b5833abcda9e4d353528e2eea2956c68ae3a1234

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5694036.exe
    Filesize

    173KB

    MD5

    c1fd520d62711a87d0ebf6dcce48a043

    SHA1

    432951a1c16c53c138813135e6d7b9f232e692c6

    SHA256

    4c804195d6452dd15acc577e7112584385abd152bad32d76c62d3e061cb10df4

    SHA512

    2f6154baafa5d2b02cbacbd3392a11bb4d380154464cc2f133ce88df9244e9bdd1cc3de18731b79b8b23021cf7ebe21edba1062ea8b66a86526220e8776270d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5694036.exe
    Filesize

    173KB

    MD5

    c1fd520d62711a87d0ebf6dcce48a043

    SHA1

    432951a1c16c53c138813135e6d7b9f232e692c6

    SHA256

    4c804195d6452dd15acc577e7112584385abd152bad32d76c62d3e061cb10df4

    SHA512

    2f6154baafa5d2b02cbacbd3392a11bb4d380154464cc2f133ce88df9244e9bdd1cc3de18731b79b8b23021cf7ebe21edba1062ea8b66a86526220e8776270d4

    Download Submit

  • memory/2452-145-0x000000000B280000-0x000000000B886000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2452-142-0x0000000000F30000-0x0000000000F60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2452-143-0x0000000073830000-0x0000000073F1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2452-144-0x00000000031B0000-0x00000000031B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2452-146-0x000000000AD80000-0x000000000AE8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2452-147-0x000000000AC70000-0x000000000AC82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2452-148-0x000000000ACD0000-0x000000000AD0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2452-149-0x000000000AD20000-0x000000000AD6B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2452-150-0x0000000073830000-0x0000000073F1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4512-138-0x00007FF9001D0000-0x00007FF900BBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4512-136-0x00007FF9001D0000-0x00007FF900BBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4512-135-0x0000000000290000-0x000000000029A000-memory.dmp

    Filesize

    40KB

    Download