Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/07/2023, 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95d9bb990bb85cdecdc76c11a1b0159b35e3958d6eb7f10d3c58c720da8b29b1.exe

  • Size

    389KB

  • MD5

    9be6610be653d29f1846dfabbb0b9796

  • SHA1

    7f414ffb2c37b21d48d8d7954ae0645328c83d5d

  • SHA256

    95d9bb990bb85cdecdc76c11a1b0159b35e3958d6eb7f10d3c58c720da8b29b1

  • SHA512

    746380c6e289026aeca2ac03a683073ccfb05ae9ff45e0801295540c800d19ceae9363896f6dd0392be2408fbd9ecf71664a2a14c27ba55d3ab06e2b2276ac83

  • SSDEEP

    6144:KIy+bnr+cp0yN90QE2C02lxr2XO93i0H2CtPaxGuWzIlQCYM:IMrUy90h02br2XcNwdAM

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95d9bb990bb85cdecdc76c11a1b0159b35e3958d6eb7f10d3c58c720da8b29b1.exe
    "C:\Users\Admin\AppData\Local\Temp\95d9bb990bb85cdecdc76c11a1b0159b35e3958d6eb7f10d3c58c720da8b29b1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4178457.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4178457.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7893649.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7893649.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6603718.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6603718.exe
        3⤵
        • Executes dropped EXE
        PID:2220

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4178457.exe
    Filesize

    206KB

    MD5

    a1068801ebd5f63c43409882b4aa3791

    SHA1

    8f453d1e257375077fac1f5d5186af404ed0ea4e

    SHA256

    351981d94a339206067d6d228f087863da73af88be381adb814791c153cf9c30

    SHA512

    70f00d9c07aa5d29848163fba19bc3086bd1b53a5b34cb67d10efd4c5ef1632544b47754a7ea2f5b178481641efe4d91b90ee1281081de2c39ab84216290eafc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4178457.exe
    Filesize

    206KB

    MD5

    a1068801ebd5f63c43409882b4aa3791

    SHA1

    8f453d1e257375077fac1f5d5186af404ed0ea4e

    SHA256

    351981d94a339206067d6d228f087863da73af88be381adb814791c153cf9c30

    SHA512

    70f00d9c07aa5d29848163fba19bc3086bd1b53a5b34cb67d10efd4c5ef1632544b47754a7ea2f5b178481641efe4d91b90ee1281081de2c39ab84216290eafc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7893649.exe
    Filesize

    14KB

    MD5

    acde166044219d07750b97cbd3316c66

    SHA1

    632d9878bb3f44c2cf07cde5098f007dbbfa4807

    SHA256

    e08605ee7aeb7c5371d1fac385ecc595f8bcca263d43747a8c51555570e0945b

    SHA512

    44c6d00f5f770ecd3501ad66ca800e12fe763c21144b4c4c266af5328a00192cc77db8e4ecbfb33f41005ae5b12e5329fb221346c91f81496d88bd440de54efc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7893649.exe
    Filesize

    14KB

    MD5

    acde166044219d07750b97cbd3316c66

    SHA1

    632d9878bb3f44c2cf07cde5098f007dbbfa4807

    SHA256

    e08605ee7aeb7c5371d1fac385ecc595f8bcca263d43747a8c51555570e0945b

    SHA512

    44c6d00f5f770ecd3501ad66ca800e12fe763c21144b4c4c266af5328a00192cc77db8e4ecbfb33f41005ae5b12e5329fb221346c91f81496d88bd440de54efc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6603718.exe
    Filesize

    172KB

    MD5

    bde770ed1c0c17312c8ae46b31b42269

    SHA1

    a746e1acf178780abaf664b2c76d5a0ec1bee304

    SHA256

    063d3fd28c75eb719e3db09deab446cef4f56ff584667ac14a4a6be62a4a524c

    SHA512

    4900000c09eaeabd183e3a5f02a667b58b7faad9ecf733e5d1639dae71735ea29662decfdfa3ec1fd2dd207787ea70579e6074ae7057f18bc43efb288ed7d6a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6603718.exe
    Filesize

    172KB

    MD5

    bde770ed1c0c17312c8ae46b31b42269

    SHA1

    a746e1acf178780abaf664b2c76d5a0ec1bee304

    SHA256

    063d3fd28c75eb719e3db09deab446cef4f56ff584667ac14a4a6be62a4a524c

    SHA512

    4900000c09eaeabd183e3a5f02a667b58b7faad9ecf733e5d1639dae71735ea29662decfdfa3ec1fd2dd207787ea70579e6074ae7057f18bc43efb288ed7d6a3

    Download Submit

  • memory/2220-141-0x00000000055B0000-0x0000000005BB6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2220-138-0x00000000736B0000-0x0000000073D9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-139-0x0000000000690000-0x00000000006C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2220-140-0x0000000002880000-0x0000000002886000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2220-142-0x00000000050B0000-0x00000000051BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2220-143-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2220-144-0x0000000005020000-0x000000000505E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2220-145-0x0000000005060000-0x00000000050AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2220-146-0x00000000736B0000-0x0000000073D9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3964-134-0x00007FF8EBA70000-0x00007FF8EC45C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3964-132-0x00007FF8EBA70000-0x00007FF8EC45C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3964-131-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

    Filesize

    40KB

    Download