Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2023, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    023336483f6affe46a0faa30c6dea5dd7f1090b346af5655e61c8bbce02a42ab.exe

  • Size

    389KB

  • MD5

    10a8a4be5b6f6644696f6e204b567388

  • SHA1

    3d8ba77c381c1b2fe8c760446a92166e6b90a415

  • SHA256

    023336483f6affe46a0faa30c6dea5dd7f1090b346af5655e61c8bbce02a42ab

  • SHA512

    f7557a3c891c2af00d9664938673a692e86ae6c67e7c2c669b22bcd18450c5fc65035c8fc448fb2250a47b43762193d0799a0fb586ea13c3ec95ebba33e5a262

  • SSDEEP

    6144:KOy+bnr+Lp0yN90QEwf/AirvTU07jytXLQwW4JZdlWNWywjZ4x8jFDSmjZJ:iMrny90zirUdtrWwZdlYw28jxSsZJ

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\023336483f6affe46a0faa30c6dea5dd7f1090b346af5655e61c8bbce02a42ab.exe
    "C:\Users\Admin\AppData\Local\Temp\023336483f6affe46a0faa30c6dea5dd7f1090b346af5655e61c8bbce02a42ab.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7868915.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7868915.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6104690.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6104690.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0376993.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0376993.exe
        3⤵
        • Executes dropped EXE
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7868915.exe
    Filesize

    206KB

    MD5

    ecb8e4d2197ed18f7c0233047fbd8a44

    SHA1

    bb080d190cd4466754d0f1b17f925a30bf2f5776

    SHA256

    d4f282afede4072216b5d2cf0020ec4f9d21037b435fe4b9b3124efcb5da41d1

    SHA512

    b73adb8b3f3794ed06a62955f3658c7da248044ecbfb90e1d2b08c5d08d541a166df0e586e6dde6a964d48aa9a68dacd6278f3cde575cda794d62c5d88f39b1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7868915.exe
    Filesize

    206KB

    MD5

    ecb8e4d2197ed18f7c0233047fbd8a44

    SHA1

    bb080d190cd4466754d0f1b17f925a30bf2f5776

    SHA256

    d4f282afede4072216b5d2cf0020ec4f9d21037b435fe4b9b3124efcb5da41d1

    SHA512

    b73adb8b3f3794ed06a62955f3658c7da248044ecbfb90e1d2b08c5d08d541a166df0e586e6dde6a964d48aa9a68dacd6278f3cde575cda794d62c5d88f39b1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6104690.exe
    Filesize

    15KB

    MD5

    9721707d1c4f8a05e6bacc23a38036b2

    SHA1

    f0eebc15cda33a65ae70a54215e831a645e39eaf

    SHA256

    e186adaf253266151e0b3bc3bf4673f86325e867ee2bac70b502aec5d686cf37

    SHA512

    dda8ff8f7c36e9ce8098eb6628c349c05f8124013619d457633d813d586f26ad49e22b499442b423477452e3cc803f1ca65a75f6fca17c4e4ea17792a98a6cc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6104690.exe
    Filesize

    15KB

    MD5

    9721707d1c4f8a05e6bacc23a38036b2

    SHA1

    f0eebc15cda33a65ae70a54215e831a645e39eaf

    SHA256

    e186adaf253266151e0b3bc3bf4673f86325e867ee2bac70b502aec5d686cf37

    SHA512

    dda8ff8f7c36e9ce8098eb6628c349c05f8124013619d457633d813d586f26ad49e22b499442b423477452e3cc803f1ca65a75f6fca17c4e4ea17792a98a6cc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0376993.exe
    Filesize

    174KB

    MD5

    cedec7c88254bedf818ce36fc5e1fb75

    SHA1

    dbd2ec208c10755f540640cf18aa3e72556babcc

    SHA256

    0d72b7ae232dd313898c2270009b479b8c642b1798ad53f761a45ab41b0f2621

    SHA512

    75699e31c014dc4e33001af5d41d0c96ea7118fe18af6af05eeeeb8832874bb464549ac62aa2611685beb3128caafcd12048a51b2e28209a534d2c9b61c71e2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0376993.exe
    Filesize

    174KB

    MD5

    cedec7c88254bedf818ce36fc5e1fb75

    SHA1

    dbd2ec208c10755f540640cf18aa3e72556babcc

    SHA256

    0d72b7ae232dd313898c2270009b479b8c642b1798ad53f761a45ab41b0f2621

    SHA512

    75699e31c014dc4e33001af5d41d0c96ea7118fe18af6af05eeeeb8832874bb464549ac62aa2611685beb3128caafcd12048a51b2e28209a534d2c9b61c71e2c

    Download Submit

  • memory/2092-157-0x000000000A100000-0x000000000A20A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2092-154-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2092-155-0x00000000742D0000-0x0000000074A80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2092-156-0x000000000A580000-0x000000000AB98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2092-158-0x00000000048F0000-0x0000000004900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2092-159-0x000000000A040000-0x000000000A052000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2092-160-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2092-161-0x00000000742D0000-0x0000000074A80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2092-162-0x00000000048F0000-0x0000000004900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2532-150-0x00007FFAD44F0000-0x00007FFAD4FB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2532-148-0x00007FFAD44F0000-0x00007FFAD4FB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2532-147-0x00000000003A0000-0x00000000003AA000-memory.dmp

    Filesize

    40KB

    Download