Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20230831-en
  • resource tags

    arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/09/2023, 12:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe

  • Size

    938KB

  • MD5

    5c42ddfbd1f00c0929eaca384250bdea

  • SHA1

    3b806394a6f7a960383ad1caef17c5ec16150738

  • SHA256

    344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099

  • SHA512

    cbcd9f0652874908c4d9482ce93605eae0cba5516aa42b662ca34fc5aa6e2dfab4751f85a0dbb555e51d5e24c2659048cb2aa73014b669750deee541d797307c

  • SSDEEP

    24576:Ey94NXa0aCop02lw8HQSQpWzglbuYhK9:TOg7DfFHK44yL

Score
10/10
redlinenarikevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

narik

C2

77.91.124.82:19071

Attributes
  • auth_value

    07924f5ef90576eb64faea857b8ba3e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe
    "C:\Users\Admin\AppData\Local\Temp\344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:192
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4632
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4940
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4328
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe
              6⤵
              • Executes dropped EXE
              PID:4616
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe
            5⤵
            • Executes dropped EXE
            PID:3540

Network

  • flag-ru
    POST
    http://193.233.254.61/loghub/master
    b9796465.exe
    Remote address:
    193.233.254.61:80
    Request
    POST /loghub/master HTTP/1.1
    Content-Type: multipart/form-data; boundary=iBEPK4dDcQAV4CAfzkrl
    Content-Length: 209
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
    Host: 193.233.254.61
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sat, 02 Sep 2023 12:19:27 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 8
    Connection: keep-alive
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Referrer-Policy: same-origin
  • flag-us
    DNS
    61.254.233.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.254.233.193.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    f.f.f.f.f.c.6.0.e.0.1.e.e.e.0.7.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    f.f.f.f.f.c.6.0.e.0.1.e.e.e.0.7.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.141.123.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.141.123.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    38.148.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    38.148.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 193.233.254.61:80
    http://193.233.254.61/loghub/master
    http
    b9796465.exe
    751 B
     436 B
     6
    4

    HTTP Request

    POST http://193.233.254.61/loghub/master

    HTTP Response

    200
  • 77.91.124.82:19071
    c0914482.exe
    156 B
     3
  • 77.91.124.82:19071
    c0914482.exe
    156 B
     3
  • 77.91.124.82:19071
    c0914482.exe
    156 B
     3
  • 77.91.124.82:19071
    c0914482.exe
    156 B
     3
  • 77.91.124.82:19071
    c0914482.exe
    156 B
     3
  • 77.91.124.82:19071
    c0914482.exe
    52 B
     1
  • 8.8.8.8:53
    61.254.233.193.in-addr.arpa
    dns
    73 B
     128 B
     1
    1

    DNS Request

    61.254.233.193.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    f.f.f.f.f.c.6.0.e.0.1.e.e.e.0.7.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    dns
    118 B
     182 B
     1
    1

    DNS Request

    f.f.f.f.f.c.6.0.e.0.1.e.e.e.0.7.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

  • 8.8.8.8:53
    233.141.123.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    233.141.123.20.in-addr.arpa

  • 8.8.8.8:53
    38.148.119.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    38.148.119.40.in-addr.arpa

  • 8.8.8.8:53
    4.173.189.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    4.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe
    Filesize

    832KB

    MD5

    41f3fb3a3878363a96b0f1914ace1bb0

    SHA1

    5830ec1cf9f741ddfed3d9e4de89574f5347b0e4

    SHA256

    684b468f2909c94cac74ad541f24753241bfe3c2e5981a682b27ecab5140de20

    SHA512

    0ee6a45cc9416dd31e4b2c9f343e04198d5bedd98a929d2b4c098c7a0ef148a64e5d1c1151af53a12e0d15c7e8e21ce35cfee149b7567e5cfd0b87672dd20bbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe
    Filesize

    832KB

    MD5

    41f3fb3a3878363a96b0f1914ace1bb0

    SHA1

    5830ec1cf9f741ddfed3d9e4de89574f5347b0e4

    SHA256

    684b468f2909c94cac74ad541f24753241bfe3c2e5981a682b27ecab5140de20

    SHA512

    0ee6a45cc9416dd31e4b2c9f343e04198d5bedd98a929d2b4c098c7a0ef148a64e5d1c1151af53a12e0d15c7e8e21ce35cfee149b7567e5cfd0b87672dd20bbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe
    Filesize

    606KB

    MD5

    aa493106b6dcacd5b58881762c8c7984

    SHA1

    291796bcdf5ff1d3422d2ed5b9af831cd196c366

    SHA256

    536dc40269043bbfb5e0cb422770eee5533b2d3bd09178366884ea851e993ba1

    SHA512

    a9094915a1b1730c27ecdbe7c9e58815dac1af92f9114f73fc4f5dc0e8dd6aeb05f347dee8fffe0fddd23c8440e951d3bc5614c965f18bf8ede76a35fea28c33

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe
    Filesize

    606KB

    MD5

    aa493106b6dcacd5b58881762c8c7984

    SHA1

    291796bcdf5ff1d3422d2ed5b9af831cd196c366

    SHA256

    536dc40269043bbfb5e0cb422770eee5533b2d3bd09178366884ea851e993ba1

    SHA512

    a9094915a1b1730c27ecdbe7c9e58815dac1af92f9114f73fc4f5dc0e8dd6aeb05f347dee8fffe0fddd23c8440e951d3bc5614c965f18bf8ede76a35fea28c33

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe
    Filesize

    482KB

    MD5

    c85e165089285f38c564c65c43bd6b5b

    SHA1

    3077cf2cdf68ff3e36ec3c5ba75ee55161ee7d23

    SHA256

    6c3992fa0a76da88f51f851fc51957d28831e20cc82b80e904ccd44e5b7eaa19

    SHA512

    12de3fe402cbea57229609339f929d32d157af732a7f128ad5a1a4910da8f5e88fba53282bdd3c3bf02843ee7b64a8c0dd3d6957f7e71985d2fc2f8990449201

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe
    Filesize

    482KB

    MD5

    c85e165089285f38c564c65c43bd6b5b

    SHA1

    3077cf2cdf68ff3e36ec3c5ba75ee55161ee7d23

    SHA256

    6c3992fa0a76da88f51f851fc51957d28831e20cc82b80e904ccd44e5b7eaa19

    SHA512

    12de3fe402cbea57229609339f929d32d157af732a7f128ad5a1a4910da8f5e88fba53282bdd3c3bf02843ee7b64a8c0dd3d6957f7e71985d2fc2f8990449201

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe
    Filesize

    174KB

    MD5

    5eb0acbbfc29c2bb2d9081ef9641007a

    SHA1

    6457a36bbc94b7a0c865ef65f1fb7756ada7f1f1

    SHA256

    458246bda04e0983317dceb479c54e87221d7cbef3d89e16bbbb6d9c6646580b

    SHA512

    294d3e5b20a7003bfbc9eb43feb42b7d13e324004c094e54db3653725babbb1ae6b7a0f897e2b1c200069a02aa5dd8466eaf1abb9a4c8c13550a48737924933c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe
    Filesize

    174KB

    MD5

    5eb0acbbfc29c2bb2d9081ef9641007a

    SHA1

    6457a36bbc94b7a0c865ef65f1fb7756ada7f1f1

    SHA256

    458246bda04e0983317dceb479c54e87221d7cbef3d89e16bbbb6d9c6646580b

    SHA512

    294d3e5b20a7003bfbc9eb43feb42b7d13e324004c094e54db3653725babbb1ae6b7a0f897e2b1c200069a02aa5dd8466eaf1abb9a4c8c13550a48737924933c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe
    Filesize

    325KB

    MD5

    07d6dd5e0af387eee03c6525276c1bac

    SHA1

    abe1e095703e3748b428db7dbd310d668a16ae68

    SHA256

    9e631122a64c7f76ef991ef51fbf9c0766c5dc074ca911b8c934bf395d7870a1

    SHA512

    d6723b98523cf0641d833750e400e9e658f5ec608eccbb13a14efb25c366cdb55bbb329a463c86682824f4e9f2de9f2d39f3d9ec6284b3ff12aa6035d85bf09d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe
    Filesize

    325KB

    MD5

    07d6dd5e0af387eee03c6525276c1bac

    SHA1

    abe1e095703e3748b428db7dbd310d668a16ae68

    SHA256

    9e631122a64c7f76ef991ef51fbf9c0766c5dc074ca911b8c934bf395d7870a1

    SHA512

    d6723b98523cf0641d833750e400e9e658f5ec608eccbb13a14efb25c366cdb55bbb329a463c86682824f4e9f2de9f2d39f3d9ec6284b3ff12aa6035d85bf09d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe
    Filesize

    184KB

    MD5

    9d499a0732e47cc9734b7885d11c5f86

    SHA1

    d4de0315ccf3be1f87804a37e3ace9951dea2d58

    SHA256

    9687504646ab230ef5db78a6727661569a0434f1a7aa0935c25556cf02831ce3

    SHA512

    63f6ea37dea8f5391643d22e540ee80667488e82ef302a7f4f7346eebba939ff2bdc98405bac41934a4b9eb259392ef00febe75457151cd9eb08f54d49881cba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe
    Filesize

    184KB

    MD5

    9d499a0732e47cc9734b7885d11c5f86

    SHA1

    d4de0315ccf3be1f87804a37e3ace9951dea2d58

    SHA256

    9687504646ab230ef5db78a6727661569a0434f1a7aa0935c25556cf02831ce3

    SHA512

    63f6ea37dea8f5391643d22e540ee80667488e82ef302a7f4f7346eebba939ff2bdc98405bac41934a4b9eb259392ef00febe75457151cd9eb08f54d49881cba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe
    Filesize

    141KB

    MD5

    fd5d73de2f7390f3752daf3c1bb48356

    SHA1

    b3074147888cdf682a96b55be4d92e44dcf86bef

    SHA256

    922c41c73fbf6777a005d7ccd0fe9921c6bb6fcdcedbe7504cb760171d38b18b

    SHA512

    ef5b3296c661e4c1ca9d0ea0d1f4ebfdf5caa07912ea910330653c5315f1db56743a07f2f36f1ab32e7c72337e8a2f9917563b46f001f349cf48a63bdfb8bcbd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe
    Filesize

    141KB

    MD5

    fd5d73de2f7390f3752daf3c1bb48356

    SHA1

    b3074147888cdf682a96b55be4d92e44dcf86bef

    SHA256

    922c41c73fbf6777a005d7ccd0fe9921c6bb6fcdcedbe7504cb760171d38b18b

    SHA512

    ef5b3296c661e4c1ca9d0ea0d1f4ebfdf5caa07912ea910330653c5315f1db56743a07f2f36f1ab32e7c72337e8a2f9917563b46f001f349cf48a63bdfb8bcbd

    Download Submit

  • memory/3540-84-0x0000000072E60000-0x000000007354E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3540-80-0x0000000009F30000-0x000000000A03A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3540-79-0x000000000A3C0000-0x000000000A9C6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3540-78-0x0000000002350000-0x0000000002356000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3540-77-0x0000000072E60000-0x000000007354E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3540-76-0x0000000000120000-0x0000000000150000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3540-81-0x0000000009E60000-0x0000000009E72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3540-82-0x0000000009EC0000-0x0000000009EFE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3540-83-0x000000000A040000-0x000000000A08B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4328-36-0x00000000023E0000-0x00000000023FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4328-58-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-60-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-62-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-64-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-66-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-67-0x0000000072DE0000-0x00000000734CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4328-69-0x0000000072DE0000-0x00000000734CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4328-56-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-54-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-52-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-50-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-48-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-46-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-44-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-42-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-40-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-39-0x0000000004A70000-0x0000000004A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4328-38-0x0000000004A70000-0x0000000004A8C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4328-37-0x0000000004BF0000-0x00000000050EE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4328-35-0x0000000072DE0000-0x00000000734CE000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.