Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/07/2023, 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ba92c4c1427104fa0a351a9c495d3b489750af658ebaf00f2cb482d2945715c.exe

  • Size

    389KB

  • MD5

    26a312d79214d0a1f7ae79436fc0d08c

  • SHA1

    8b1e66d7fcde8f1bc3878ad8ef0485c84c33c462

  • SHA256

    4ba92c4c1427104fa0a351a9c495d3b489750af658ebaf00f2cb482d2945715c

  • SHA512

    583c51ff82d8d79d8a303d6b5a5b3719957723f50ce6714a177b476109ca3897ee02d41ee6ca1482af08feeaea2a6f5050bb6e963019013766926e0184ec6280

  • SSDEEP

    12288:cMrby90e+K7Y/p/io1Y7FcHeeFb3T3VJN3:ny4ywx1RJFb3T3F3

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ba92c4c1427104fa0a351a9c495d3b489750af658ebaf00f2cb482d2945715c.exe
    "C:\Users\Admin\AppData\Local\Temp\4ba92c4c1427104fa0a351a9c495d3b489750af658ebaf00f2cb482d2945715c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8546138.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8546138.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6098295.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6098295.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1858301.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1858301.exe
        3⤵
        • Executes dropped EXE
        PID:3208

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8546138.exe
    Filesize

    206KB

    MD5

    ae8171d4ceeccb31cfc5a81f7f6b18cc

    SHA1

    e3b12665b5c094d9064338813d76c1a3c914f50f

    SHA256

    18f8de130880dd59e51b486a8ea2487b8a028aa60b7c41d3c0352d2427601929

    SHA512

    2968e5e900994064358d6fe1617c522c95c1097f6fa0a635b76ea03dc50a44b8b330d4d17aff535085f11b4ba0b7bfc635fcbc89f1078631f925816547fa0244

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8546138.exe
    Filesize

    206KB

    MD5

    ae8171d4ceeccb31cfc5a81f7f6b18cc

    SHA1

    e3b12665b5c094d9064338813d76c1a3c914f50f

    SHA256

    18f8de130880dd59e51b486a8ea2487b8a028aa60b7c41d3c0352d2427601929

    SHA512

    2968e5e900994064358d6fe1617c522c95c1097f6fa0a635b76ea03dc50a44b8b330d4d17aff535085f11b4ba0b7bfc635fcbc89f1078631f925816547fa0244

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6098295.exe
    Filesize

    14KB

    MD5

    aad32d51a7adb50e4cee54baf0a112df

    SHA1

    fd52cb62827ee09db360875cbea94a20efa2a792

    SHA256

    7292144f018561c2dfa55a58a349d82f84c3aa1c4018a15d8bd8d189d85909fe

    SHA512

    e2611c53e36b7b94e3b703b584dfe657694e3ca50a1167056f39b5f71cf04e7fc4d09e60cf4489e55beb3bc857cf72125a2b01db8c5e7944a72afe964a8b095a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6098295.exe
    Filesize

    14KB

    MD5

    aad32d51a7adb50e4cee54baf0a112df

    SHA1

    fd52cb62827ee09db360875cbea94a20efa2a792

    SHA256

    7292144f018561c2dfa55a58a349d82f84c3aa1c4018a15d8bd8d189d85909fe

    SHA512

    e2611c53e36b7b94e3b703b584dfe657694e3ca50a1167056f39b5f71cf04e7fc4d09e60cf4489e55beb3bc857cf72125a2b01db8c5e7944a72afe964a8b095a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1858301.exe
    Filesize

    173KB

    MD5

    b79bc9c40058c1b36908c70e95f1ae75

    SHA1

    8a9f315fb2b7360a5410bd2e38ef5a24fda9e99b

    SHA256

    b26c26781f1afd3a6cbc41ff11875738acc31dc954447b92d6cf07514195cce7

    SHA512

    57ad7c3a82ebd392090fb9c8086aadfc14890e977b6e0923a171e18f4cfcf92c78c682f4058ef267301fcbd62b566e02af5cfaa36bb2d49f0adbf1a6049310e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1858301.exe
    Filesize

    173KB

    MD5

    b79bc9c40058c1b36908c70e95f1ae75

    SHA1

    8a9f315fb2b7360a5410bd2e38ef5a24fda9e99b

    SHA256

    b26c26781f1afd3a6cbc41ff11875738acc31dc954447b92d6cf07514195cce7

    SHA512

    57ad7c3a82ebd392090fb9c8086aadfc14890e977b6e0923a171e18f4cfcf92c78c682f4058ef267301fcbd62b566e02af5cfaa36bb2d49f0adbf1a6049310e3

    Download Submit

  • memory/2932-134-0x00000000003B0000-0x00000000003BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2932-137-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2932-135-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3208-142-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3208-141-0x0000000000510000-0x0000000000540000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3208-143-0x0000000007160000-0x0000000007166000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3208-144-0x000000000A790000-0x000000000AD96000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3208-145-0x000000000A320000-0x000000000A42A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3208-146-0x000000000A250000-0x000000000A262000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3208-147-0x000000000A2B0000-0x000000000A2EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3208-148-0x000000000A430000-0x000000000A47B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3208-149-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download