Analysis
max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/07/2023, 20:02
Static task: static1
Behavioral task: behavioral1
Sample: a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe
Resource: win10v2004-20230703-en
General
Target: a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe
Size: 388KB
MD5: 081aa34584ccf14cfe7e13204c3c51ce
SHA1: 853ea4a09b55ae78fa0c8ead9d9ff38bfdc8dd39
SHA256: a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11
SHA512: 5ef75468409d0da8e731927d17d6dc65ddc817cf8a70a6d467e84bfa731bf243a716981107613f58c2db5d53f89bd16942de136ff3b5878f1fe0e67aa8f77779
SSDEEP: 12288:IMrFy90ClQpjbsg8gC31HQ1F0bvmDJJlG:Ny6dsg8zvvkJo
Malware Config
Extracted
Family: redline
Botnet: roma
C2: 77.91.68.56:19071
auth_value: f099c2cf92834dbc554a94e1456cf576
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x00080000000230a7-145.dat | healer
behavioral1/files/0x00080000000230a7-146.dat | healer
behavioral1/memory/5008-147-0x0000000000F20000-0x0000000000F2A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | p7589776.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | p7589776.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | p7589776.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | p7589776.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | p7589776.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | p7589776.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid | Process
3936 | z0403562.exe
5008 | p7589776.exe
4620 | r1974942.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | p7589776.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z0403562.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z0403562.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5008 | p7589776.exe
5008 | p7589776.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 5008 | p7589776.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3904 wrote to memory of 3936 | 3904 | a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe | 86
PID 3904 wrote to memory of 3936 | 3904 | a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe | 86
PID 3904 wrote to memory of 3936 | 3904 | a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe | 86
PID 3936 wrote to memory of 5008 | 3936 | z0403562.exe | 87
PID 3936 wrote to memory of 5008 | 3936 | z0403562.exe | 87
PID 3936 wrote to memory of 4620 | 3936 | z0403562.exe | 93
PID 3936 wrote to memory of 4620 | 3936 | z0403562.exe | 93
PID 3936 wrote to memory of 4620 | 3936 | z0403562.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe
  "C:\Users\Admin\AppData\Local\Temp\a7cbd8a4fcf119b7f2c6d0a7610359f61ee21f3102fd82b80cc3dda6d3877a11.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3904

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0403562.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0403562.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3936

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7589776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7589776.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5008

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1974942.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1974942.exe
      - Executes dropped EXE
      PID: 4620
Downloads

Filesize: 206KB
MD5: e66a7d78e129e941c0073100b0cc2a12
SHA1: 473caa3fac41462a03d91f87fdb609ad2d3ccfb5
SHA256: 872cfba06ef9d824fd152905bcc6ea266af2e22e67979db8a0d84fdd02056ef3
SHA512: 7a495862c1e4a5a388eba3eaa781c2dff9492a761d3e13a51abbeb9d6b7e6c3e67c4029a0b40bd1e6f77270bd2fbca8b71973c9ee64125701ac123b7d03be971

Filesize: 13KB
MD5: b6a88159b05b2697b7c46e34d9c187a5
SHA1: ae52f547a3d318e23e4d2507fc67bf5bb35fe11a
SHA256: 49ce2312bf7089f4789a87d689a9712896f4395ec2f6f5b88a802d3870444ace
SHA512: e15365d74ede0ad9ec7d58e0142b5db6d107a8732426f9662cf0698b3a692c8f01e041ceda638b06629b2c236d5baa39d8df72d5b5ee377f1945fc4d9021c978

Filesize: 174KB
MD5: fb1f78e07132a06bdc6132701d28d1f0
SHA1: 169d4f7210cfd0791694aefa39374e1e937432e9
SHA256: 2453a67b936cecb382f72ffb87719c5acdc2d884169737b59981540dfcd1e251
SHA512: b899751f2642d6631869c78d52d0b6acb8b89853780e8b939508995c15044b4341f36be37e4643280efee695d7ca5a320d805586086f20c9e387d5003b2afd53