Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

8db980d91b...18.exe

windows7-x64

10

8db980d91b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2023, 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8db980d91bda0fe2a070c2618.exe

  • Size

    538KB

  • MD5

    0a6b3eb000b952d128586d34fd30426e

  • SHA1

    356351c1a03eb4635181be92810bc44f60a676e4

  • SHA256

    8db980d91bda0fe2a070c2618ea67f048334805d49fa5c7a1428f46f89e1b56a

  • SHA512

    c107d747b396227530223c8ccd774e91d1f8dcb518f822394e870066f8640a9e9b2347d6665fe2bd20188ebefd6230c6c765cecd3f1620baab26081d149106aa

  • SSDEEP

    6144:5Y15rR4hzwJB4INWQBS1ZpgINmiE9UO7o0FCpWUCDgTkpv4aKvuc2fSJam6wdUIx:5YF4iz4INWQBS/h3ZG/jv5KR2azZih

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8db980d91bda0fe2a070c2618.exe
    "C:\Users\Admin\AppData\Local\Temp\8db980d91bda0fe2a070c2618.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3733283.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3733283.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5488530.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5488530.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2253694.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2253694.exe
        3⤵
        • Executes dropped EXE
        PID:3184

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3733283.exe
    Filesize

    261KB

    MD5

    cb0c35004c805640a337da72ebe2030a

    SHA1

    cc1ed6e754bb890b3ce7c8407608fb8b8293e743

    SHA256

    26e1b5dc0c6ccfb77c538bd2da023c7f1aa0a0b4b6d837c9da20195b7d3c358c

    SHA512

    74dc68a176542e11f4bc3845c98f4b62992c2c61453e0e8983ec0374cd225f9c05c1e61b150f867deb52561fbb9de439b264f95a1fe9b85d30979d004ee0938d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3733283.exe
    Filesize

    261KB

    MD5

    cb0c35004c805640a337da72ebe2030a

    SHA1

    cc1ed6e754bb890b3ce7c8407608fb8b8293e743

    SHA256

    26e1b5dc0c6ccfb77c538bd2da023c7f1aa0a0b4b6d837c9da20195b7d3c358c

    SHA512

    74dc68a176542e11f4bc3845c98f4b62992c2c61453e0e8983ec0374cd225f9c05c1e61b150f867deb52561fbb9de439b264f95a1fe9b85d30979d004ee0938d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5488530.exe
    Filesize

    104KB

    MD5

    28ff84de4fbd58f9af457275278b05ea

    SHA1

    0696f91332febf09dd84d514d963c50e9aae658e

    SHA256

    b3c4bea998032b736fdeb9af69bd54578e4b36bda9546b26e2dd4f4597db6a0e

    SHA512

    7e92a44710cd9a2ed81919377d2e4a1ad55b405ee2c1cb24f0289aafa607a5310a17b6b0e506d251189412ad182e35b4ec7ea78013bcfec1b1b6cfa5d403ffe7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5488530.exe
    Filesize

    104KB

    MD5

    28ff84de4fbd58f9af457275278b05ea

    SHA1

    0696f91332febf09dd84d514d963c50e9aae658e

    SHA256

    b3c4bea998032b736fdeb9af69bd54578e4b36bda9546b26e2dd4f4597db6a0e

    SHA512

    7e92a44710cd9a2ed81919377d2e4a1ad55b405ee2c1cb24f0289aafa607a5310a17b6b0e506d251189412ad182e35b4ec7ea78013bcfec1b1b6cfa5d403ffe7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2253694.exe
    Filesize

    265KB

    MD5

    56f3c2c2f988d066b0a6af876fe2369c

    SHA1

    c41b87d444e61749c7e502cf23323cec0704f455

    SHA256

    6e2ae2723f3caa22c6de0851e0a7aaefbe08ab4fc83816d2c3962e37d723894d

    SHA512

    3f4c551ea2f0c28fef4e854b4392db251b74cfaa66a7a05e16f155396c0cc3c7d6aeed7ec6f827a767d3ae9f93b1e5e2bac7d54ebc4b1989d73c4d63f2987c5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2253694.exe
    Filesize

    265KB

    MD5

    56f3c2c2f988d066b0a6af876fe2369c

    SHA1

    c41b87d444e61749c7e502cf23323cec0704f455

    SHA256

    6e2ae2723f3caa22c6de0851e0a7aaefbe08ab4fc83816d2c3962e37d723894d

    SHA512

    3f4c551ea2f0c28fef4e854b4392db251b74cfaa66a7a05e16f155396c0cc3c7d6aeed7ec6f827a767d3ae9f93b1e5e2bac7d54ebc4b1989d73c4d63f2987c5a

    Download Submit

  • memory/1132-133-0x00000000021D0000-0x0000000002244000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2348-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3184-162-0x0000000001E20000-0x0000000001E50000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3184-167-0x0000000009F90000-0x000000000A5A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3184-168-0x000000000A610000-0x000000000A71A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3184-169-0x000000000A750000-0x000000000A762000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3184-170-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3184-171-0x000000000A770000-0x000000000A7AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3184-172-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download