Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/07/2023, 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bcd94db81bd2698ee6d67b7bec899446b4f0ccccf86529e49ddf23813a4cceb.exe

  • Size

    389KB

  • MD5

    280dde7a6c19b5aec29ef5fda4f3f0d9

  • SHA1

    2e53178911a7ebca43f3cf8b66ddd7d4fcee5da1

  • SHA256

    7bcd94db81bd2698ee6d67b7bec899446b4f0ccccf86529e49ddf23813a4cceb

  • SHA512

    8d7acee8e30490166cbddfe989a282fa41b24e07e51460bfe268a8f2903a141a59fd9636561c821f425fef36cdabc4fab4bd7c292fe2a194fd68ccc76bab5d65

  • SSDEEP

    6144:KJy+bnr+Dp0yN90QEEw7u+T7ERYjvDOt8zG2nUToVHRhTqDV8imd/Yeq15yV:3Mr3y90i67+EqKzxnU2QkdAeq15+

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bcd94db81bd2698ee6d67b7bec899446b4f0ccccf86529e49ddf23813a4cceb.exe
    "C:\Users\Admin\AppData\Local\Temp\7bcd94db81bd2698ee6d67b7bec899446b4f0ccccf86529e49ddf23813a4cceb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0703514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0703514.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1953217.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1953217.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1681565.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1681565.exe
        3⤵
        • Executes dropped EXE
        PID:1948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0703514.exe
    Filesize

    206KB

    MD5

    6d2d3da68f2b66710731b8fe1c53cf34

    SHA1

    e9b79ee85616d9eacd4db19fb5e13ab21e4f1ff4

    SHA256

    d8ace7de1be6b2e6a1938e21981a52ad19f98086646f7206419cfe8ad622b128

    SHA512

    044ee770675fa38b6e109fb43ce2c8a487511e64481694b920b67a1efa363435620984479664b7ba04e781c6a62f502d9729e89869dd7dac0f4e92673b708287

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0703514.exe
    Filesize

    206KB

    MD5

    6d2d3da68f2b66710731b8fe1c53cf34

    SHA1

    e9b79ee85616d9eacd4db19fb5e13ab21e4f1ff4

    SHA256

    d8ace7de1be6b2e6a1938e21981a52ad19f98086646f7206419cfe8ad622b128

    SHA512

    044ee770675fa38b6e109fb43ce2c8a487511e64481694b920b67a1efa363435620984479664b7ba04e781c6a62f502d9729e89869dd7dac0f4e92673b708287

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1953217.exe
    Filesize

    13KB

    MD5

    47c176aedb0cf8796fc844bedd325b45

    SHA1

    c647ed6b21e4fea0e7ee26e4e27cc8e22230669b

    SHA256

    b1296d1026a21aa4d5b9267196fa0cec0ac29d432f41011fd4ffca385b3379c0

    SHA512

    96c0fbfea8ad9b4cdd9e8007ff2d5e84b1fe3d5c80dd679981793839cb8e80f0c3dd91e8f7c2700af19353e4244826dbbf16a02896937984ce7d4acc03b1e120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1953217.exe
    Filesize

    13KB

    MD5

    47c176aedb0cf8796fc844bedd325b45

    SHA1

    c647ed6b21e4fea0e7ee26e4e27cc8e22230669b

    SHA256

    b1296d1026a21aa4d5b9267196fa0cec0ac29d432f41011fd4ffca385b3379c0

    SHA512

    96c0fbfea8ad9b4cdd9e8007ff2d5e84b1fe3d5c80dd679981793839cb8e80f0c3dd91e8f7c2700af19353e4244826dbbf16a02896937984ce7d4acc03b1e120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1681565.exe
    Filesize

    175KB

    MD5

    2c5dae838861e31445130cb3a97f3302

    SHA1

    dea2ea02b746025241c7f6639bf4bba567eabdc1

    SHA256

    9a8684f9e90138da55571647e5445d1af924ea6f6254310cd6e9b9bdb58fbac6

    SHA512

    c51702a8ac7725f09a556d1e64dfd2419b965448858708c93080cd45688808f641c98f2fe881a85b0a337a7accc147c6f07b1a62cae630fbfb8a53b52da69d7f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1681565.exe
    Filesize

    175KB

    MD5

    2c5dae838861e31445130cb3a97f3302

    SHA1

    dea2ea02b746025241c7f6639bf4bba567eabdc1

    SHA256

    9a8684f9e90138da55571647e5445d1af924ea6f6254310cd6e9b9bdb58fbac6

    SHA512

    c51702a8ac7725f09a556d1e64dfd2419b965448858708c93080cd45688808f641c98f2fe881a85b0a337a7accc147c6f07b1a62cae630fbfb8a53b52da69d7f

    Download Submit

  • memory/1948-141-0x000000000A900000-0x000000000AF06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1948-138-0x00000000004E0000-0x0000000000510000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1948-139-0x0000000072FE0000-0x00000000736CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1948-140-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1948-142-0x000000000A440000-0x000000000A54A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1948-143-0x000000000A360000-0x000000000A372000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1948-144-0x000000000A3C0000-0x000000000A3FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1948-145-0x000000000A550000-0x000000000A59B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1948-146-0x0000000072FE0000-0x00000000736CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2772-134-0x00007FFC81C80000-0x00007FFC8266C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2772-132-0x00007FFC81C80000-0x00007FFC8266C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2772-131-0x00000000005E0000-0x00000000005EA000-memory.dmp

    Filesize

    40KB

    Download