Analysis

max time kernel: 144s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20/07/2023, 15:00

Static task: static1
Behavioral task: behavioral1
Sample: d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe
Resource: win10-20230703-en
General

Target: d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe
Size: 389KB
MD5: a7b11d69d97cc765f11a42cd44464f05
SHA1: 5a8f7af21f617e81d3d2f47b76ced3d7edb15681
SHA256: d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77
SHA512: 436e936007def7fb84ed60d0258feb9c053479891d19eb640357ff3853c9987d757b153d26ab8d326776def54c274a8dff24af44da85e44a644aaae5b0607bc0
SSDEEP: 6144:Kgy+bnr+5p0yN90QEB9k3vBt6mHDQvgB4ikaVIIhX3dMfiHwG6iE0WCzIb0p:EMr5y90Jkfv6mHEvo4ikh8nUij6iPgm
Malware Config

Extracted
Family: redline
Botnet: nasa
C2: 77.91.68.68:19071
auth_value: 6da71218d8a9738ea3a9a78b5677589b
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001afe0-129.dat | healer
  behavioral1/files/0x000700000001afe0-130.dat | healer
  behavioral1/memory/4328-131-0x0000000000090000-0x000000000009A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | p9279846.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | p9279846.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | p9279846.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | p9279846.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | p9279846.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
  pid | Process
  388 | z8510486.exe
  4328 | p9279846.exe
  384 | r2366493.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | p9279846.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z8510486.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z8510486.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4328 | p9279846.exe
  4328 | p9279846.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4328 | p9279846.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1928 wrote to memory of 388 | 1928 | d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe | 70
  PID 1928 wrote to memory of 388 | 1928 | d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe | 70
  PID 1928 wrote to memory of 388 | 1928 | d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe | 70
  PID 388 wrote to memory of 4328 | 388 | z8510486.exe | 71
  PID 388 wrote to memory of 4328 | 388 | z8510486.exe | 71
  PID 388 wrote to memory of 384 | 388 | z8510486.exe | 72
  PID 388 wrote to memory of 384 | 388 | z8510486.exe | 72
  PID 388 wrote to memory of 384 | 388 | z8510486.exe | 72
Processes

C:\Users\Admin\AppData\Local\Temp\d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d7fe1a24eb072e1dbf449007765aa3c151957dfd2493759d63f6c46c8e28ea77.exe"
  PID: 1928
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8510486.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8510486.exe
    PID: 388
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9279846.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9279846.exe
      PID: 4328
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2366493.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2366493.exe
      PID: 384
      - Executes dropped EXE
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 206KB
MD5: abef71969f621b096119dde240a98be9
SHA1: df40430ba952d5adfad043a7f50b4acd19604440
SHA256: 917d34dd1e19da9b4f421bdbd3c2122f70c923353b827ace159d30a2a9315d54
SHA512: 92cddb5de433d023c4c660adffd2095371eb35169e9a9959b11f8f2071d1807815f51f18019c21feb16e5f1bb251d08bec4cb8029b41614bc3469ae85ce443d2

Filesize: 15KB
MD5: 707032d7184f6c1e6a9c408374f3952f
SHA1: 28e1a736574d68b027a1e11d489497dbf8e621d8
SHA256: c88a1a24b0e9b2922d01334680defb263bfa6d8d9ae9d838cc0fdf48307b5934
SHA512: 9a973496d9faa8e014f9664ccda114fe9b0b8f60987ee3cd5fdfb732ff07614a2c113b8cab734cc3393d1fa359b7fc6b0b7327985c9fbe5c8c5f24d9fdeb02f5

Filesize: 174KB
MD5: 30bafade03d77b96bddc0e3eaffe81b9
SHA1: 9fb93ef406f4f424baa8c8507c0a37da10b3c8ed
SHA256: 4eda8ad90040a90c9b8ac30a2b0d43df6026c9630b466777b51234764379c8ca
SHA512: 27c76dda83ae53c9d5f03e6573176ea976c61ff40c3d5cbf5dab61802c44864e444cd9df5e6a5cb18d437d229a3a84361907b5d31c152d21e827fe13d68b0427