Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/11/2023, 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe

  • Size

    1.1MB

  • MD5

    d7b87eeedb079ef8ecefdbe3b35ba3f0

  • SHA1

    510b4f732541dc7e9de573b905d4caa06037c5e2

  • SHA256

    3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf

  • SHA512

    65274041ddf2ead4af7e1b87848ba7d4708fff97c383c7b7277b7d629b35cb3a6b8b328d13aa807e7c1856d3ca8dcae5af51b67d65cecbdef5b99800863d6e13

  • SSDEEP

    24576:YyypR8zly/ndgziz1gXy5ksWJwdJKgsJl6fYKp1:fypAQnbgX2kt6fYo

Score
10/10
privateloaderredlineriseprohordacollectioninfostealerloaderpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe
    "C:\Users\Admin\AppData\Local\Temp\3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11kT9627.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11kT9627.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12GG299.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12GG299.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:4772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11kT9627.exe
    Filesize

    1.1MB

    MD5

    242a70c0c3dd2517105474e3847eaa41

    SHA1

    6aa4cadbea1d20343bbe5098442259c4fa5b0183

    SHA256

    3076e8c8112dc433f56d855a74fd0e0a580919ceb18483d487572f1a5a82ce8a

    SHA512

    8a4e7f5ae407c89f2cbf4a3c2b5098c42062cdff4a8609de37d9297aa75ac84af0947a7250e705db4d841666f90596271f5bfaf64386c3425a6bfdc70576ad04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11kT9627.exe
    Filesize

    1.1MB

    MD5

    242a70c0c3dd2517105474e3847eaa41

    SHA1

    6aa4cadbea1d20343bbe5098442259c4fa5b0183

    SHA256

    3076e8c8112dc433f56d855a74fd0e0a580919ceb18483d487572f1a5a82ce8a

    SHA512

    8a4e7f5ae407c89f2cbf4a3c2b5098c42062cdff4a8609de37d9297aa75ac84af0947a7250e705db4d841666f90596271f5bfaf64386c3425a6bfdc70576ad04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12GG299.exe
    Filesize

    2.4MB

    MD5

    97cae72c322ece1665723d35726c61b7

    SHA1

    33fa26314a155951e0a6235bce1e30ac8bd39bda

    SHA256

    0e2b28cd6e46f898e0a8ae9cb38d970c26a6fd4c7147ed3eb93206daade5a46c

    SHA512

    ccc6290ed89ee117ae9de11bbc8a18e6a06448d6a8a57738730e31c432a2c032f430c47acd5f36c3dbcbd5e976e96ecd4dbd6b09218c99161ebb8462cd8916c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12GG299.exe
    Filesize

    2.4MB

    MD5

    97cae72c322ece1665723d35726c61b7

    SHA1

    33fa26314a155951e0a6235bce1e30ac8bd39bda

    SHA256

    0e2b28cd6e46f898e0a8ae9cb38d970c26a6fd4c7147ed3eb93206daade5a46c

    SHA512

    ccc6290ed89ee117ae9de11bbc8a18e6a06448d6a8a57738730e31c432a2c032f430c47acd5f36c3dbcbd5e976e96ecd4dbd6b09218c99161ebb8462cd8916c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tempCMSeR_hMkxNfbdg\information.txt
    Filesize

    3KB

    MD5

    ee3add0d19b08ab7e5d920010c87de0e

    SHA1

    fd5284226248764195d36cd5015ea7247474a4ff

    SHA256

    5dfcdc15223f39309b66060c524aaec6278c707fb528da6c86ca1919b1848933

    SHA512

    d8d7496eee26499770f2614422276f01c6b6c3b91754ce4aef4a28126b3cdc9163dc5cd433ac81f38c9dacb57ba8397735fbcca514b1d961c459c67016cb12bf

    Download Submit

  • memory/3416-81-0x0000000007FB0000-0x0000000008016000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3416-18-0x0000000007620000-0x0000000007632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3416-13-0x0000000007370000-0x0000000007402000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3416-14-0x0000000007540000-0x0000000007550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3416-15-0x0000000007550000-0x000000000755A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3416-16-0x0000000008450000-0x0000000008A68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3416-17-0x0000000007E30000-0x0000000007F3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3416-11-0x0000000074390000-0x0000000074B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3416-19-0x0000000007680000-0x00000000076BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3416-115-0x0000000074390000-0x0000000074B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3416-21-0x00000000076E0000-0x000000000772C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3416-113-0x0000000002790000-0x00000000027E0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3416-112-0x0000000009670000-0x0000000009B9C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3416-111-0x0000000008F70000-0x0000000009132000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3416-7-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3416-12-0x0000000007880000-0x0000000007E24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4772-27-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-38-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-39-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-28-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-83-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-82-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-88-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-99-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-26-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-25-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-23-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-22-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-20-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4772-116-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

    Download