Analysis
- max time kernel: 131s
- max time network: 145s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 13/07/2023, 23:17

Static task: static1
Behavioral task: behavioral1
- Sample: f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe
- Resource: win10-20230703-en
General
- Target: f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe
- Size: 1.5MB
- MD5: c9f56ff9bcae67e1879fdaa22980cb85
- SHA1: aa932f270120aef9484c0fa76829c464ccf8d418
- SHA256: f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899
- SHA512: 70fb16a1be69c0ecc0a7a88a29b0a85402ce3f69cafdf9f74171342715f228ccb2abb55a1988f6e96ab81cc80e02dfd1a7e484c8d88133c62bc19e579faacece
- SSDEEP: 24576:vyulD1s1/VtJmCwl3ZqvUZOjQgtqEfsVcbrH+d5h69S08FKrLYJmyBM1tj1LB:6ulD6rtM4MZOjLqsSE9S0G6EA
Malware Config
Extracted
- Family: redline
- Botnet: masha
- C2: 77.91.68.48:19071
- Attributes: auth_value = 55b9b39a0dae383196a4b8d79e5bb805
Signatures

Detects Healer an antivirus disabler dropper 5 IoCs
(resource, yara_rule)
- behavioral1/memory/428-148-0x0000000000400000-0x000000000041B000-memory.dmp (healer)
- behavioral1/memory/428-149-0x00000000001E0000-0x00000000001EA000-memory.dmp (healer)
- behavioral1/files/0x000600000001b007-158.dat (healer)
- behavioral1/files/0x000600000001b007-160.dat (healer)
- behavioral1/memory/3948-161-0x0000000000A10000-0x0000000000A1A000-memory.dmp (healer)

Modifies Windows Defender Real-time Protection settings 10 IoCs
(description, ioc, Process)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (b1912933.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (b1912933.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (b1912933.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (b1912933.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (b1912933.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 6 IoCs
(pid, Process)
- 4888 v7272286.exe
- 3268 v5225810.exe
- 1228 v7711674.exe
- 428 a7859744.exe
- 3948 b1912933.exe
- 4960 c7142436.exe

Windows security modification 3 IoCs
(description, ioc, Process)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a7859744.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (b1912933.exe)

Adds Run key to start application 2 TTPs 8 IoCs
(description, ioc, Process)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v7272286.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v7272286.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v5225810.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (v5225810.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v7711674.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (v7711674.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe)

Suspicious behavior: EnumeratesProcesses 4 IoCs
(pid, Process)
- 428 a7859744.exe
- 428 a7859744.exe
- 3948 b1912933.exe
- 3948 b1912933.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
(description, pid, Process)
- Token: SeDebugPrivilege, 428 a7859744.exe
- Token: SeDebugPrivilege, 3948 b1912933.exe

Suspicious use of WriteProcessMemory 17 IoCs
(description, pid, Process, procid_target)
- PID 3708 wrote to memory of 4888: 3708 f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe, target 70
- PID 3708 wrote to memory of 4888: 3708 f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe, target 70
- PID 3708 wrote to memory of 4888: 3708 f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe, target 70
- PID 4888 wrote to memory of 3268: 4888 v7272286.exe, target 71
- PID 4888 wrote to memory of 3268: 4888 v7272286.exe, target 71
- PID 4888 wrote to memory of 3268: 4888 v7272286.exe, target 71
- PID 3268 wrote to memory of 1228: 3268 v5225810.exe, target 72
- PID 3268 wrote to memory of 1228: 3268 v5225810.exe, target 72
- PID 3268 wrote to memory of 1228: 3268 v5225810.exe, target 72
- PID 1228 wrote to memory of 428: 1228 v7711674.exe, target 73
- PID 1228 wrote to memory of 428: 1228 v7711674.exe, target 73
- PID 1228 wrote to memory of 428: 1228 v7711674.exe, target 73
- PID 1228 wrote to memory of 3948: 1228 v7711674.exe, target 75
- PID 1228 wrote to memory of 3948: 1228 v7711674.exe, target 75
- PID 3268 wrote to memory of 4960: 3268 v5225810.exe, target 76
- PID 3268 wrote to memory of 4960: 3268 v5225810.exe, target 76
- PID 3268 wrote to memory of 4960: 3268 v5225810.exe, target 76
Processes
1. C:\Users\Admin\AppData\Local\Temp\f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe (PID 3708)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f331a7cf8403c3f7ab788b31f13dde59930c3752513683fec5886026ac1be899.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7272286.exe (PID 4888)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7272286.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5225810.exe (PID 3268)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5225810.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7711674.exe (PID 1228)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7711674.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7859744.exe (PID 428)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7859744.exe
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1912933.exe (PID 3948)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1912933.exe
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7142436.exe (PID 4960)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7142436.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 226B
  MD5: 957779c42144282d8cd83192b8fbc7cf
  SHA1: de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
  SHA256: 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
  SHA512: f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd
- Filesize: 1.4MB
  MD5: 8d85b8b2e212ba0e9e8a49067877452b
  SHA1: ed625b66ce1220aa5b0884d68494f9416166a70e
  SHA256: 00904074fb3a4a78fd37e015f87a3bcad4184fc06c0029a22e31fa531a7e31a6
  SHA512: ec0fa132c3ec2fbc035647cfbf241f4a25cd692b33a917ec3919c652a671d9cad502f4947f4e84ef59731dc8d6517d77ddc03ac3636b02749c1855769fc17f57
- Filesize: 1.3MB
  MD5: 9cb2e9b47afa7c77d82f6bb32a4033aa
  SHA1: d22331ad5865e21eeedcdcf47e5b98083821def6
  SHA256: 3cea5fa13b50064b7a4cfb3f43dd8895ca049d942757d528bf4219251ae0a55f
  SHA512: 34c80d26ea3708777c9dbec639cae6175802d34134b5399ece201cb2a1e45146b8ca1277fdb0197a7f29f8dd596c7dd6c30ed4257a85d8d2119fd417046348d1
- Filesize: 729KB
  MD5: cee8283e74d3a3e2384b04557427a292
  SHA1: 6f2e16817c318d53833f6cd2d5be07f7832d9b60
  SHA256: 243f870c131c275a0e0af27e7db43dac7b5f65749d0cb4a20f7f2cb6e754db8a
  SHA512: d847dfc6d580cb28815b23a0e4f6a626ee5567fb6267a3919c57da23486de87db67704fb5c2447f05b0d7189aac885884d4607ef108101b31e4d13ae81002963
- Filesize: 638KB
  MD5: f594634eba6570dd1bf9c658f0c90fc0
  SHA1: 8ee1c41342e1f36c4ddee2c4aee827a52361b5d1
  SHA256: 58d89a6d3ba719378403f81582a301017d20fe4a172303f70891c89b4b62ffd8
  SHA512: 0ea306ae700b0392363b622f6a52ea4bd94801ce9e092592cc7c13497d9e978abe4f8398ad320aa1c2f02b669b8707a1e8ad94f434bbdb653ffdf8b6afd4d328
- Filesize: 568KB
  MD5: 6eb993ed91252b889ebb2116805ee313
  SHA1: 49af4bd3586db7afd502ee7b6840aaca72cb932f
  SHA256: 683777470df68fde0136522d31d649e27d7079f3e6c88eeb8061cbd31c60385a
  SHA512: 53e4e4e6d10715bb4ce9e919196cd1a74981c201d239cc95295ffac75705c8e2ee1435917ac8bdfab54e84d9aeb5045dab9d3a6053399b17f4cc8c9966a2d54c
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91