Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/07/2023, 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6dfe59487fc254d427c4823222eed73da683b2e489bc75ed795a3261bfad59f.exe

  • Size

    388KB

  • MD5

    50112052b12c1ce1e60a2ad10dd4502d

  • SHA1

    a9246fb56ad73a54a6d045c804bccf4f2771599d

  • SHA256

    a6dfe59487fc254d427c4823222eed73da683b2e489bc75ed795a3261bfad59f

  • SHA512

    8583488fc3ac9c17b93b9e966cc8c87615e5ffa1f79b503c8252f611ddf6780643540c1f55618f410a0589770bd2ae404b10b8e5c718df16dbe915e7c4be4d40

  • SSDEEP

    6144:KFy+bnr+5p0yN90QE3lyTl+ADXP9AkJi/asxFYY0ZPCb:/Mrdy90lmLXP9AkJuaZYFb

Score
10/10
healerredlinegromdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

grom

C2

77.91.68.68:19071

Attributes
  • auth_value

    9ec3129bff410b89097d656d7abc33dc

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6dfe59487fc254d427c4823222eed73da683b2e489bc75ed795a3261bfad59f.exe
    "C:\Users\Admin\AppData\Local\Temp\a6dfe59487fc254d427c4823222eed73da683b2e489bc75ed795a3261bfad59f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8578497.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8578497.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3544762.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3544762.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9345878.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9345878.exe
        3⤵
        • Executes dropped EXE
        PID:1840
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8578497.exe
    Filesize

    206KB

    MD5

    ca02cbcc3e9cbe88c43ba3b59a26735f

    SHA1

    2aae5dfe1bc662021ede6065f4bd6d86ac3c023f

    SHA256

    b7ed2418c959b7cc724dfec44ded9163d8fab66206eddf9695a280f6dd630190

    SHA512

    620f8e17f66e2461f0b2669d4187fcb4cd47ce35bd3631b9e7054b00548c2cbbe6cc5e0544dc6e27a380d08d3cc34988aaac0222ee92ddd10d5e0b0319451dad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8578497.exe
    Filesize

    206KB

    MD5

    ca02cbcc3e9cbe88c43ba3b59a26735f

    SHA1

    2aae5dfe1bc662021ede6065f4bd6d86ac3c023f

    SHA256

    b7ed2418c959b7cc724dfec44ded9163d8fab66206eddf9695a280f6dd630190

    SHA512

    620f8e17f66e2461f0b2669d4187fcb4cd47ce35bd3631b9e7054b00548c2cbbe6cc5e0544dc6e27a380d08d3cc34988aaac0222ee92ddd10d5e0b0319451dad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3544762.exe
    Filesize

    15KB

    MD5

    a296a7498439253b21570e0153a5f7e3

    SHA1

    3acc15a0559a48e834801dd849f97839bd35b050

    SHA256

    dd7644b76a429c345f32f750117c3d65153503b418d03fe781b622f7babcb6c4

    SHA512

    06a25cd21edcac78a97cc4ee31da5f0abe98472489079136d74519bc7d1249d47033343f27b2bb9835cd837ad3d47fc266d88a8d62269f0dd47354502229404d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3544762.exe
    Filesize

    15KB

    MD5

    a296a7498439253b21570e0153a5f7e3

    SHA1

    3acc15a0559a48e834801dd849f97839bd35b050

    SHA256

    dd7644b76a429c345f32f750117c3d65153503b418d03fe781b622f7babcb6c4

    SHA512

    06a25cd21edcac78a97cc4ee31da5f0abe98472489079136d74519bc7d1249d47033343f27b2bb9835cd837ad3d47fc266d88a8d62269f0dd47354502229404d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9345878.exe
    Filesize

    172KB

    MD5

    bed043095af8a9d7ad5b985aa9c21ece

    SHA1

    584c8081af0aa97888efba293cd62c4e7d402056

    SHA256

    ea7c92fa26a3affe4152796a56a31a2991a3fee01b85ddf3c862682b590eaa47

    SHA512

    23b7cee07518e7f362085ae0d0641a8e5fda8154fa217424419c078883fcf6bdb9206ede56b75ed8e29e691b870f4acbeb06c8e87a9c1fcd501c9cbfd548936c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9345878.exe
    Filesize

    172KB

    MD5

    bed043095af8a9d7ad5b985aa9c21ece

    SHA1

    584c8081af0aa97888efba293cd62c4e7d402056

    SHA256

    ea7c92fa26a3affe4152796a56a31a2991a3fee01b85ddf3c862682b590eaa47

    SHA512

    23b7cee07518e7f362085ae0d0641a8e5fda8154fa217424419c078883fcf6bdb9206ede56b75ed8e29e691b870f4acbeb06c8e87a9c1fcd501c9cbfd548936c

    Download Submit

  • memory/1840-157-0x000000000A560000-0x000000000A66A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1840-154-0x00000000006D0000-0x0000000000700000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1840-155-0x0000000074110000-0x00000000748C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1840-156-0x000000000AA70000-0x000000000B088000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1840-158-0x00000000050C0000-0x00000000050D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1840-159-0x000000000A480000-0x000000000A492000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1840-160-0x000000000A4E0000-0x000000000A51C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1840-161-0x0000000074110000-0x00000000748C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1840-162-0x00000000050C0000-0x00000000050D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2796-150-0x00007FFCB9450000-0x00007FFCB9F11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2796-148-0x00007FFCB9450000-0x00007FFCB9F11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2796-147-0x0000000000070000-0x000000000007A000-memory.dmp

    Filesize

    40KB

    Download