Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    274s
  • max time network
    291s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/07/2023, 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe

  • Size

    989KB

  • MD5

    caa77db1d9e91c03420de42d0881b211

  • SHA1

    6adec40078a6253bbd06cbfa728ff4518355ac59

  • SHA256

    400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a

  • SHA512

    aecb982c6ea0b3b875302fe39b0292624660463b57af51e97acf37c735f84f40512de6baec82e8fdfb357defb45a6cae4c9f6210719822e039f5c32bd3b45649

  • SSDEEP

    24576:1yl5k1tfjHfabqFIr8iHlOi6JIni5NWxlOhD:Q/qtrHf7C8oAirnCAxlO

Score
10/10
healerredlinekiradropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
    "C:\Users\Admin\AppData\Local\Temp\400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4848
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
          4⤵
          • Executes dropped EXE
          PID:4604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    957779c42144282d8cd83192b8fbc7cf

    SHA1

    de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

    SHA256

    0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

    SHA512

    f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
    Filesize

    864KB

    MD5

    5a4a5f9430f4f3d14865b534f2794e2e

    SHA1

    50a5faf4d0626803833d53ba979275077716b7fc

    SHA256

    c415277a0775ceb47d7d61a04f7b7f2e880d1ded41c829a1041fbef839bb3371

    SHA512

    9dc6d6c8e70e9af6600a286af16900bbee821df8881d297dd79473d97bc9ab693772ea4d57de7c2b0007007b1d6588dd6eabbd0b320aaf97d6b434254b263994

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
    Filesize

    864KB

    MD5

    5a4a5f9430f4f3d14865b534f2794e2e

    SHA1

    50a5faf4d0626803833d53ba979275077716b7fc

    SHA256

    c415277a0775ceb47d7d61a04f7b7f2e880d1ded41c829a1041fbef839bb3371

    SHA512

    9dc6d6c8e70e9af6600a286af16900bbee821df8881d297dd79473d97bc9ab693772ea4d57de7c2b0007007b1d6588dd6eabbd0b320aaf97d6b434254b263994

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
    Filesize

    681KB

    MD5

    34d2bcd49671a6011997a5abd32cefc5

    SHA1

    68a491ef05bbbfd178443b9a5e769e77bc46e8bf

    SHA256

    e688fb73fe1fc51ab69407869fedd26643f2ea2c6641e200184acfebf7be8775

    SHA512

    9decdcd47771105fe5d300f7d0b8142c83b7549723fed37dfa71aa173eee66cce0175ef408236fd2a8c06886b568060c76b842cb4a4fb76bbde9b86658cb5345

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
    Filesize

    681KB

    MD5

    34d2bcd49671a6011997a5abd32cefc5

    SHA1

    68a491ef05bbbfd178443b9a5e769e77bc46e8bf

    SHA256

    e688fb73fe1fc51ab69407869fedd26643f2ea2c6641e200184acfebf7be8775

    SHA512

    9decdcd47771105fe5d300f7d0b8142c83b7549723fed37dfa71aa173eee66cce0175ef408236fd2a8c06886b568060c76b842cb4a4fb76bbde9b86658cb5345

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
    Filesize

    530KB

    MD5

    a15b1453fa4a1c6745bfcdb865d1df8b

    SHA1

    1c4a12b2820ffb4d0202530847cf11d8422234b1

    SHA256

    2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

    SHA512

    346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
    Filesize

    530KB

    MD5

    a15b1453fa4a1c6745bfcdb865d1df8b

    SHA1

    1c4a12b2820ffb4d0202530847cf11d8422234b1

    SHA256

    2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

    SHA512

    346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
    Filesize

    691KB

    MD5

    a420e82c9d5b88bdd191622b51f2f4c1

    SHA1

    6e0488ccdce614833cb257fb959d0bfe00020677

    SHA256

    de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

    SHA512

    df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
    Filesize

    691KB

    MD5

    a420e82c9d5b88bdd191622b51f2f4c1

    SHA1

    6e0488ccdce614833cb257fb959d0bfe00020677

    SHA256

    de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

    SHA512

    df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

    Download Submit

  • memory/4604-150-0x00000000001D0000-0x0000000000200000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4604-155-0x00000000020F0000-0x00000000020F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4604-156-0x0000000009F40000-0x000000000A546000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4604-157-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4604-158-0x000000000A6F0000-0x000000000A702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4604-159-0x0000000004970000-0x0000000004980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4604-160-0x000000000A710000-0x000000000A74E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4604-161-0x000000000A7C0000-0x000000000A80B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4604-162-0x0000000004970000-0x0000000004980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4848-141-0x00000000001D0000-0x00000000001DA000-memory.dmp

    Filesize

    40KB

    Download