Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

bf7c2c05d9...36.exe

windows7-x64

10

bf7c2c05d9...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2023, 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf7c2c05d933486717d3ed336.exe

  • Size

    522KB

  • MD5

    bf7c2c05d933486717d3ed3367b3aa74

  • SHA1

    fb4deb60a9f81ce8d8dab70d2faaa24a9e794b3d

  • SHA256

    3bd00d683822dec340705519745286e08cc08af7ea9f6d48732bb45c260db3c4

  • SHA512

    62b95692f4eefafc3d0b0afd05765014fc667b347157dd324010bb887d366bb0063952b1cde6e9c4f179fb6a45e820f5bffa6cf3e91dd248b820fb0cd3740ed4

  • SSDEEP

    12288:wWJufvMaRdnQgzp7qBM8fc41jsfO7B7TMDkmCim:wWJ0vM82gtKEeom7B7TMG

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf7c2c05d933486717d3ed336.exe
    "C:\Users\Admin\AppData\Local\Temp\bf7c2c05d933486717d3ed336.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9557247.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9557247.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8043421.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8043421.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9720053.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9720053.exe
        3⤵
        • Executes dropped EXE
        PID:1056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9557247.exe
    Filesize

    257KB

    MD5

    8a252d4e3636b6d3c07d45c838bb7c42

    SHA1

    33153632f62bd86779bc68272c077f36c84f8660

    SHA256

    85a8d2a1741e7b61845d49bb6ac1bdfbff7a4c171ec68b1fcc9d60f9e173cc80

    SHA512

    81c1fc2863a100f0dd251d0d50f8446af75a2d3358d69906797647af84c93ab2a902dd0717a41c6325cb354886ca0307577dfdc3154d9b96072831bcacc35f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9557247.exe
    Filesize

    257KB

    MD5

    8a252d4e3636b6d3c07d45c838bb7c42

    SHA1

    33153632f62bd86779bc68272c077f36c84f8660

    SHA256

    85a8d2a1741e7b61845d49bb6ac1bdfbff7a4c171ec68b1fcc9d60f9e173cc80

    SHA512

    81c1fc2863a100f0dd251d0d50f8446af75a2d3358d69906797647af84c93ab2a902dd0717a41c6325cb354886ca0307577dfdc3154d9b96072831bcacc35f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8043421.exe
    Filesize

    93KB

    MD5

    19ed7a7d92a08233181282d06f1be84e

    SHA1

    396bd987d8bf834964971aa9fb3d1778ee603a02

    SHA256

    f64dd1f2ac82f6011cee686f784030b9c435b83a8a321455de7e028534792ba8

    SHA512

    caf82a86d6e6cbf5cd096b732bb23d114d38c95ac6b526258e94d6df43b1dd6598f157f06c0bff2188228cc497697d5264bfb7c739aac8b18a591823fc6f62f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8043421.exe
    Filesize

    93KB

    MD5

    19ed7a7d92a08233181282d06f1be84e

    SHA1

    396bd987d8bf834964971aa9fb3d1778ee603a02

    SHA256

    f64dd1f2ac82f6011cee686f784030b9c435b83a8a321455de7e028534792ba8

    SHA512

    caf82a86d6e6cbf5cd096b732bb23d114d38c95ac6b526258e94d6df43b1dd6598f157f06c0bff2188228cc497697d5264bfb7c739aac8b18a591823fc6f62f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9720053.exe
    Filesize

    254KB

    MD5

    414754432f015a16fd920ef48f21722b

    SHA1

    c3f14ccdf493d7c3a17168478d320a30ac07247f

    SHA256

    ed40089661c08b45ea0909917607b7c6e9767f8109745237d373bc988e7a55fa

    SHA512

    2e5cec7d5739bc3317c771d1bd6f0a631f82317b9c44bfade2ae49085583134e6230ca7fb62c8b52c827bff2600b453be697c8ea0b31525273a6b85550b660a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9720053.exe
    Filesize

    254KB

    MD5

    414754432f015a16fd920ef48f21722b

    SHA1

    c3f14ccdf493d7c3a17168478d320a30ac07247f

    SHA256

    ed40089661c08b45ea0909917607b7c6e9767f8109745237d373bc988e7a55fa

    SHA512

    2e5cec7d5739bc3317c771d1bd6f0a631f82317b9c44bfade2ae49085583134e6230ca7fb62c8b52c827bff2600b453be697c8ea0b31525273a6b85550b660a8

    Download Submit

  • memory/1056-162-0x0000000000800000-0x0000000000830000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1056-167-0x0000000009F70000-0x000000000A588000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1056-168-0x000000000A610000-0x000000000A71A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1056-169-0x000000000A750000-0x000000000A762000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1056-170-0x000000000A770000-0x000000000A7AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1056-171-0x0000000002250000-0x0000000002260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1056-172-0x0000000002250000-0x0000000002260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4444-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5088-133-0x0000000000560000-0x00000000005D3000-memory.dmp

    Filesize

    460KB

    Download