Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21/07/2023, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce0d8e42ed3929f16f4c9f9c4451ef452097a1afb75b79b95964d8ef0fcdb675.exe

  • Size

    388KB

  • MD5

    dc02f4846020e43ca21d8c5a48f43503

  • SHA1

    387a16e086b8d3268af79d736360723dbe3ff8ee

  • SHA256

    ce0d8e42ed3929f16f4c9f9c4451ef452097a1afb75b79b95964d8ef0fcdb675

  • SHA512

    d5deb7d4daf5f4fb2f7deae0705c380a54198f10e22590e772c3bfe98e27d9139a95e380c1e8fc0440df79414055546a1243b8ba757026377a661932d6948ca5

  • SSDEEP

    6144:Kby+bnr+rp0yN90QEOnXIxi4+YQDAfpjahkQjHidvz2d9RctdQD7Xe:JMrHy90UXShzQD1kEH0vidfctdA7u

Score
10/10
healerredlinegromdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

grom

C2

77.91.68.68:19071

Attributes
  • auth_value

    9ec3129bff410b89097d656d7abc33dc

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce0d8e42ed3929f16f4c9f9c4451ef452097a1afb75b79b95964d8ef0fcdb675.exe
    "C:\Users\Admin\AppData\Local\Temp\ce0d8e42ed3929f16f4c9f9c4451ef452097a1afb75b79b95964d8ef0fcdb675.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5239745.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5239745.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9219542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9219542.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9427201.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9427201.exe
        3⤵
        • Executes dropped EXE
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5239745.exe
    Filesize

    206KB

    MD5

    fe2f1d6252a4749075b76948d5d2329c

    SHA1

    03cf9a3f5c98a3755f9679921c7b4ead2651bdf0

    SHA256

    966a94d5935a9a9772c0c00b70c7bd04e941cfc534d7c98efc99b7474a72917e

    SHA512

    079d8ebb0bb0badc319d110b7a1ea6ee252a2a102cff27ee1d9caa7a830c4312a7e2a5ed093ca157c2652e0c48198a1c7c21867fbba727edd1f1b36547bcae13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5239745.exe
    Filesize

    206KB

    MD5

    fe2f1d6252a4749075b76948d5d2329c

    SHA1

    03cf9a3f5c98a3755f9679921c7b4ead2651bdf0

    SHA256

    966a94d5935a9a9772c0c00b70c7bd04e941cfc534d7c98efc99b7474a72917e

    SHA512

    079d8ebb0bb0badc319d110b7a1ea6ee252a2a102cff27ee1d9caa7a830c4312a7e2a5ed093ca157c2652e0c48198a1c7c21867fbba727edd1f1b36547bcae13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9219542.exe
    Filesize

    16KB

    MD5

    596e04282e3a029549517d998b641bc9

    SHA1

    37695102540deddbc8f076ebf9e593cafad73ad3

    SHA256

    c6d07a2afcc66999fbbac2811e4906479d1a335885a55ea1b875659d870bc064

    SHA512

    0310991ddf36481d80a44c3d6ab2bcd984ba96e2ecc4c7fda34617866d759c348b2b533c065c15de2f482028a0d4bbcf731a4bc428fbbceeea95d11ec4f32c5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9219542.exe
    Filesize

    16KB

    MD5

    596e04282e3a029549517d998b641bc9

    SHA1

    37695102540deddbc8f076ebf9e593cafad73ad3

    SHA256

    c6d07a2afcc66999fbbac2811e4906479d1a335885a55ea1b875659d870bc064

    SHA512

    0310991ddf36481d80a44c3d6ab2bcd984ba96e2ecc4c7fda34617866d759c348b2b533c065c15de2f482028a0d4bbcf731a4bc428fbbceeea95d11ec4f32c5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9427201.exe
    Filesize

    172KB

    MD5

    280e3d90429c5c8d55a789259f8fa871

    SHA1

    2e9cfc0588c66d9cd26439a08220477a143c150e

    SHA256

    b9cfa34b4f4b6a23100877dba2cf134a4bd996e0d758e91087fa6a108ad6ba74

    SHA512

    85a4ab17c5a15d5ca72d3946f6a8d970636eeaa3633d3c23f53662dd42e38ac0dbf7d4d9579228810de63adfa7e0540ea9aeff0cdba7c7cf7567952e83dd5679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9427201.exe
    Filesize

    172KB

    MD5

    280e3d90429c5c8d55a789259f8fa871

    SHA1

    2e9cfc0588c66d9cd26439a08220477a143c150e

    SHA256

    b9cfa34b4f4b6a23100877dba2cf134a4bd996e0d758e91087fa6a108ad6ba74

    SHA512

    85a4ab17c5a15d5ca72d3946f6a8d970636eeaa3633d3c23f53662dd42e38ac0dbf7d4d9579228810de63adfa7e0540ea9aeff0cdba7c7cf7567952e83dd5679

    Download Submit

  • memory/1948-141-0x000000000A620000-0x000000000AC26000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1948-138-0x0000000072FE0000-0x00000000736CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1948-139-0x00000000001E0000-0x0000000000210000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1948-140-0x0000000002470000-0x0000000002476000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1948-142-0x000000000A130000-0x000000000A23A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1948-143-0x000000000A060000-0x000000000A072000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1948-144-0x000000000A0C0000-0x000000000A0FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1948-145-0x000000000A240000-0x000000000A28B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1948-146-0x0000000072FE0000-0x00000000736CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2772-134-0x00007FFC81C80000-0x00007FFC8266C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2772-132-0x00007FFC81C80000-0x00007FFC8266C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2772-131-0x0000000000150000-0x000000000015A000-memory.dmp

    Filesize

    40KB

    Download