Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2023, 11:11
- Static task: static1
- Behavioral task: behavioral1, sample 8db980d91bda0fe2a070c2618.exe, resource win7-20230703-en
- Behavioral task: behavioral2, sample 8db980d91bda0fe2a070c2618.exe, resource win10v2004-20230703-en
General
- Target: 8db980d91bda0fe2a070c2618.exe
- Size: 538KB
- MD5: 0a6b3eb000b952d128586d34fd30426e
- SHA1: 356351c1a03eb4635181be92810bc44f60a676e4
- SHA256: 8db980d91bda0fe2a070c2618ea67f048334805d49fa5c7a1428f46f89e1b56a
- SHA512: c107d747b396227530223c8ccd774e91d1f8dcb518f822394e870066f8640a9e9b2347d6665fe2bd20188ebefd6230c6c765cecd3f1620baab26081d149106aa
- SSDEEP: 6144:5Y15rR4hzwJB4INWQBS1ZpgINmiE9UO7o0FCpWUCDgTkpv4aKvuc2fSJam6wdUIx:5YF4iz4INWQBS/h3ZG/jv5KR2azZih
Malware Config
Extracted
- Family: redline
- Botnet: furod
- C2: 77.91.68.70:19073
- auth_value: d2386245fe11799b28b4521492a5879d
Signatures
- Detects Healer an antivirus disabler dropper (1 IoC)
  resource: behavioral2/memory/2348-153-0x00000000001F0000-0x00000000001FA000-memory.dmp, yara_rule: healer
- Modifies Windows Defender Real-time Protection settings
  Process k5488530.exe:
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid 1512: y3733283.exe
  pid 2348: k5488530.exe
  pid 3184: l2253694.exe
- Windows security modification
  Process k5488530.exe:
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Process 8db980d91bda0fe2a070c2618.exe:
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process y3733283.exe:
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2348: k5488530.exe
  pid 2348: k5488530.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2348: k5488530.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1132 wrote to memory of 1512: 8db980d91bda0fe2a070c2618.exe (procid_target 84)
  PID 1132 wrote to memory of 1512: 8db980d91bda0fe2a070c2618.exe (procid_target 84)
  PID 1132 wrote to memory of 1512: 8db980d91bda0fe2a070c2618.exe (procid_target 84)
  PID 1512 wrote to memory of 2348: y3733283.exe (procid_target 85)
  PID 1512 wrote to memory of 2348: y3733283.exe (procid_target 85)
  PID 1512 wrote to memory of 2348: y3733283.exe (procid_target 85)
  PID 1512 wrote to memory of 3184: y3733283.exe (procid_target 87)
  PID 1512 wrote to memory of 3184: y3733283.exe (procid_target 87)
  PID 1512 wrote to memory of 3184: y3733283.exe (procid_target 87)
Processes
- C:\Users\Admin\AppData\Local\Temp\8db980d91bda0fe2a070c2618.exe (PID 1132)
  command line: "C:\Users\Admin\AppData\Local\Temp\8db980d91bda0fe2a070c2618.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3733283.exe (PID 1512)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3733283.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5488530.exe (PID 2348)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5488530.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2253694.exe (PID 3184)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2253694.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads