Analysis
- max time kernel: 274s
- max time network: 291s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 11/07/2023, 22:44
Static task: static1
Behavioral task: behavioral1
- Sample: 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
- Resource: win10-20230703-en
General
- Target: 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
- Size: 989KB
- MD5: caa77db1d9e91c03420de42d0881b211
- SHA1: 6adec40078a6253bbd06cbfa728ff4518355ac59
- SHA256: 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a
- SHA512: aecb982c6ea0b3b875302fe39b0292624660463b57af51e97acf37c735f84f40512de6baec82e8fdfb357defb45a6cae4c9f6210719822e039f5c32bd3b45649
- SSDEEP: 24576:1yl5k1tfjHfabqFIr8iHlOi6JIni5NWxlOhD:Q/qtrHf7C8oAirnCAxlO
Malware Config
Extracted family: redline
- kira
- 77.91.68.48:19071
- auth_value: 1677a40fd8997eb89377e1681911e9c6
Signatures
Detects Healer, an antivirus disabler dropper (1 IoC)
resource / yara_rule:
- behavioral2/memory/4848-141-0x00000000001D0000-0x00000000001DA000-memory.dmp: healer
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (k6701060.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (k6701060.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (k6701060.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (k6701060.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (k6701060.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (4 IoCs)
pid / Process:
- 4116 y5860936.exe
- 4532 y3802276.exe
- 4848 k6701060.exe
- 4604 l3477921.exe
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (k6701060.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (k6701060.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (y5860936.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (y3802276.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (y3802276.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (y5860936.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 4848 k6701060.exe
- 4848 k6701060.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege, 4848 k6701060.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 2516 wrote to memory of 4116 (pid 2516, 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe, target 69)
- PID 2516 wrote to memory of 4116 (pid 2516, 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe, target 69)
- PID 2516 wrote to memory of 4116 (pid 2516, 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe, target 69)
- PID 4116 wrote to memory of 4532 (pid 4116, y5860936.exe, target 70)
- PID 4116 wrote to memory of 4532 (pid 4116, y5860936.exe, target 70)
- PID 4116 wrote to memory of 4532 (pid 4116, y5860936.exe, target 70)
- PID 4532 wrote to memory of 4848 (pid 4532, y3802276.exe, target 71)
- PID 4532 wrote to memory of 4848 (pid 4532, y3802276.exe, target 71)
- PID 4532 wrote to memory of 4848 (pid 4532, y3802276.exe, target 71)
- PID 4532 wrote to memory of 4604 (pid 4532, y3802276.exe, target 73)
- PID 4532 wrote to memory of 4604 (pid 4532, y3802276.exe, target 73)
- PID 4532 wrote to memory of 4604 (pid 4532, y3802276.exe, target 73)
Processes
- C:\Users\Admin\AppData\Local\Temp\400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2516
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4116
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:4532
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
        - Executes dropped EXE
        PID:4604
Network
MITRE ATT&CK Enterprise v6